Equifax Inc.’s interim chief executive publicly apologized for the credit reporting company’s poor response to concerns about a massive data breach, and — facing ongoing public pressure — he offered some additional remedies to consumers.
“I want to express my sincere and total apology,” Paulino do Rego Barros Jr., who was named interim CEO after Richard Smith abruptly stepped down as chief executive Tuesday, wrote in an op-ed published Wednesday in the Wall Street Journal.
After being hacked, Equifax “compounded the problem with insufficient support for consumers,” Do Rego Barros acknowledged.
“Our website did not function as it should have, and our call center couldn’t manage the volume of calls we received,” Do Rego Barros wrote. “We will make this site right or we will build another one from scratch. … The same goes for the call centers.”
Do Rego Barros announced that by Jan. 31, Equifax would offer a new service allowing people the option of locking and unlocking access to their Equifax credit files at will. The service would be offered free of charge for life, he said.
Equifax also extended until Jan. 31 the sign-up period for free credit freezes and for TrustedID Premier, a credit monitoring service it is offering free of charge to U.S. consumers.
Credit freezes and locks are similar — both limit access to a person’s credit report. But a freeze is a bit more formal in that people are assigned a PIN they use to verify their identity when they want to lift the freeze, said Greg McBride, chief financial analyst for Bankrate.com.
Equifax also said freezes, which were created in the early 2000s, are subject to regulation by each state.
The more modern credit locks use usernames, passwords and one-time passcodes to authenticate a person’s identity, Equifax said.
On Sept. 15, a dozen Democratic senators — including Elizabeth Warren of Massachusetts — introduced a bill that would require Equifax and the nation’s two other major credit reporting firms to allow people to freeze and unfreeze their credit file free of charge indefinitely, among other requirements.
McBride said Equifax’s new voluntary offerings have “everything to do” with this legislation, as well as with the Consumer Financial Protection Bureau’s scrutiny of the three credit reporting firms.
In an interview with CNBC on Wednesday, Consumer Financial Protection Bureau director Richard Cordray said that regulators would be embedded at Equifax and the other two credit reporting firms — TransUnion and Experian — and that it was “not enough to have enforcement come after the fact.”
Equifax revealed the data breach Sept. 7, several weeks after the hacking was discovered in late July. The breach exposed Social Security numbers, birthdates and other private data for as many as 143 million people.
The delay in notifying the public about the breach, and Equifax’s bungled handling of potential fixes for consumers who used its website or call center, led to harsh criticism from consumers and lawmakers and prompted several investigations by state and federal authorities.
The company’s stock price has tumbled as it scrambled to control the damage, including backtracking on initially making consumers give up their right to sue if they wanted free credit monitoring and identity theft protection.
Adding to Equifax’s troubles was the revelation that three executives sold thousands of shares of company stock in the days after the breach was discovered in July — long before the public was informed and the stock price nosedived. Equifax has said the executives were unaware of the breach when they sold the shares.
U.S. House and Senate committees are scheduled to hold hearings next week on the breach and Equifax’s reaction to it. Warren, a member of the Senate Banking Committee, said she wants both Smith and Do Rego Barros, among others, to testify about what happened.
Numerous civil suits have been filed over the breach, including by San Francisco and Massachusetts. Chicago filed suit Thursday, alleging Equifax violated the city’s consumer fraud ordinance and state laws by doing a poor job of protecting sensitive data and by waiting too long to alert the public.