The Equifax credit reporting agency, with the aid of thousands of human resource departments around the country, has assembled what may be the most powerful and thorough private database of Americans’ personal information ever created, containing 190 million employment and salary records covering more than one-third of U.S. adults.
Some of the information in the little-known database, created through an Equifax-owned company called The Work Number, is sold to debt collectors, financial service companies and other entities.
“It’s the biggest privacy breach in our time, and it’s legal and no one knows it’s going on,” said Robert Mather, who runs a small employment background company named Pre-Employ.com. “It’s like a secret CIA.”
How does Equifax obtain this sensitive and secret information? With the willing aid of thousands of U.S. businesses, including many of the Fortune 500. Government agencies -- representing 85 percent of the federal civilian population, including workers at the Department of Defense, according to Equifax -- and schools also work with The Work Number. Many of them let Equifax tap directly into their data so the credit bureau can always have the latest employment information. In fact, these organizations actually pay Equifax for the privilege of giving away their employees' personal information.
Equifax turns around and sells some of this data to third parties, including debt collectors and other financial services companies.
Comment by Senior Analyst at InfoWatch Nikolai Fedotov: "According to the criminals` point of view this database has a questionable value. The crooks would not refuse to leak it for free (if they would have an opportunity) but they’d hardly agree to pay for it some inadequate price.
At the same time this database may be used as a source of information for tracking credit histories and evaluating the lending risks. It has both obvious benefit and non-obvious risks.
In my opinion it is not the reason to panic. But considering the big size of the database it makes sense carefully evaluate the risks and test data protection policies”.