Stock prices fell nearly 14 percent for the Atlanta-based credit monitoring agency Equifax on Friday.
That's after its CEO Richard Smith announced a cyberattack may have exposed social security numbers and personal information of more than 143 million people in the United States – nearly 40 percent of Americans.
Outside Equifax headquarters in midtown, Atlanta resident Fred Longobardi put his hands on his head to show how he felt when he heard the news Thursday night.
"Oh no,” Longobardi said. “They store all the information for everybody so I was very worried about it."
Longobardi said he's waiting to receive a letter to figure out what to do now.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” CEO Richard F. Smith said.
Smith wrote in its statement that Equifax expects to complete its investigation in the next few weeks.
Equifax is offering everyone in the United States free credit monitoring services. The company says it has removed language about waiving rights to take legal action when people sign up for the services.
The company also has a website where you can check whether or not you have been the victim of a data breach.
Humayun Zafar is an associate professor of information security and director of the mobile app development lab at Kennesaw State University.
“On any other day, Equifax, would probably be a major headline,” Zafar said. “In a very unfortunate way, they seem to have lucked out. You've got Hurricane Irma coming in, we've got people recovering from Hurricane Harvey in Texas."
Zafar said he noticed a flaw in the design of a site for consumers to check if they were impacted.
Equifax set up a call center line to respond to questions about the incident. The line was busy most of Friday morning and through the evening.
Equifax also encouraged customers to enter their last name and the last six digits of their social security number on an incident website to see if they were potentially impacted.
Zafar said he tested out the site with random sequences of six digits and last names several times and received different messages.
“Obviously there’s something going on with that site. It’s not verifying anything. The odds of you getting right six digits, it’s actually very hard,” Zafar said. “It’s a mathematical improbability. It’s probably on the back end it may not be connecting with the actual database or maybe on the backend it only has a listing of folks who have been impacted. It’s hard to know what the backend of the website is. I do think there’s an actual flaw of some sort.”
Equifax did not respond to requests for an interview.
Attorney Roy Hadley represents clients who have been victims of data breaches. Hadley is co-chair of the privacy and cybersecurity practice at Thompson Hine and chair of the information security society for the Technology Association of Georgia.
He said if there's one company you should be able to trust, it's a credit reporting agency.
"Equifax sells services to keep your credit and your personal information secure and so it's significant that they can't keep their own information secure," Hadley said.
He said he expects it will likely take a while for the company to recover from the damage to its finances and its brand, but over time, companies do recover.
Former Georgia Gov. Roy Barnes filed a class action suit in federal court in Atlanta on Thursday. The lawsuit said the agency failed to safeguard consumer information and didn’t provide timely notice of the breach, which occurred as early as May of 2017.
Attorney Roy Hadley said the company took an unusually long time to notify the public of such a major breach, possibly because it was asked to delay notice by law enforcement officials investigating the incident. He said another reason could be it didn't know.
"It used to be back in the old days of hacking, hackers would get in, deface your website, put a little smiley gremlin face on it,” Hadley said. “Now it's much more nefarious. Hackers want to get in, stay undetected as long as they can."
Equifax has more than 2,000 employees in Atlanta.
“We’re beginning to see and research shows this as well when events like these happen, it’s almost like people have become desensitized to it,” Zafar said. “In the short-term, there is an impact, for this quarter there will be costs associated with it, but in the long-term I doubt there’s going to be no impact as long as companies make the information public.”
Zafar said this has a major impact on the public, especially those who are applying for jobs, mortgages, in addition to potential cases of identity theft.
"This is major. Because it's a credit reporting agency,” Zafar said. “Your credit worthiness is associated with records Equifax obviously keeps and it is an Atlanta-based company so it's not quite a great thing for the city of Atlanta."
Update: Equifax responded with a statement on September 11 saying it has removed language about waiving rights to take legal action when people sign up for credit monitoring services.