Comment by throwaway67564

3 years ago

I work at a company that's been in talks with Equifax, Experian and a new player (Blend) to provide employment and income verification data. Selling employee data and then spinning it as anything other than a short-term money grab is one of my least favorite things about my current employer.

That said, those who are worried about Equifax should probably be more worried about Experian. In our experience Experian is a) bidding more aggressively and b) has worse security practices. On the other hand, the Equifax talks I've been involved in demonstrate some of the changes Equifax has made to reduce the risk of leaking sensitive data.

Equifax won't store any PII in our case. We store the data and provide them with an index file that is both encrypted and only contains internal identifiers and a hashed SSN (shared RSA key). Even if an attacker got their hands on all 3 things (decryption key, file and shared RSA hash key), they'd still only be able to know which SSNs are in our data-set, and nothing about those people. Everything else goes through our API, so the flow goes something like:

1. Equifax checks their hash file to see if we have their SSN.
2. If so, Equifax authenticates against our API using their client id and secret and then makes their request for the employment/income information.

There are different calls they can make based on how much data they actually need to fulfill whatever the request is (e.g. if you're trying to verify employment you don't need the income data).

This is in contrast to Experian, who as a first step wanted a plaintext flat file containing a full dump of employment and income information for the last 7 years of everybody in our system...
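The two-step flow the comment above describes (keyed-hash index file, then client-credentials API calls scoped to how much data the request needs), as an added example in Python that is not the commenter's code and not any real Equifax or Experian integration. Assumptions of my own: the comment's "shared RSA hash key" is modelled as a shared HMAC-SHA256 key; the at-rest encryption of the index file is left out; the client ids, secrets, scopes and employee records are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not real people). The data holder keys records by
# an internal identifier; the SSN is a field, never the key.
EMPLOYEES = {
    "emp-0001": {"ssn": "123-45-6789", "employer": "Acme Corp",
                 "status": "active", "annual_income": 84000},
    "emp-0002": {"ssn": "987-65-4321", "employer": "Acme Corp",
                 "status": "terminated", "annual_income": 52000},
}

# Assumption: the comment's shared hashing key is modelled as an HMAC key.
INDEX_KEY = b"shared-index-key-constructed-for-example"

# Assumed API clients: id, secret, and the calls each one is allowed to make.
CLIENTS = {
    "bureau-full": {"secret": "s3cret-full", "scopes": {"employment", "income"}},
    "bureau-employment-only": {"secret": "s3cret-emp", "scopes": {"employment"}},
}
_SESSIONS = {}  # token -> client id, populated by authenticate()


def hash_ssn(ssn, key=INDEX_KEY):
    """Keyed hash (HMAC-SHA256) of a normalized SSN. Without the key, the
    9-digit SSN space is small enough to enumerate, so the key matters."""
    digits = ssn.replace("-", "")
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def build_index(records=EMPLOYEES, key=INDEX_KEY):
    """Contents of the index file: internal id -> hashed SSN, nothing else.
    Anyone holding this file plus the key learns only set membership."""
    return {rid: hash_ssn(rec["ssn"], key) for rid, rec in records.items()}


def lookup(index, ssn, key=INDEX_KEY):
    """Step 1 on the consumer side: is this SSN in the data holder's set?"""
    target = hash_ssn(ssn, key)
    for rid, h in index.items():
        if hmac.compare_digest(h, target):
            return rid
    return None


def authenticate(client_id, client_secret):
    """Step 2: client-credentials auth. Returns a session token or None."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return None
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = client_id
    return token


def _require_scope(token, scope):
    client_id = _SESSIONS.get(token)
    if client_id is None:
        raise PermissionError("invalid token")
    if scope not in CLIENTS[client_id]["scopes"]:
        raise PermissionError(f"client {client_id} lacks scope {scope}")


def verify_employment(token, internal_id):
    """Employment-only call: the response carries no income fields."""
    _require_scope(token, "employment")
    rec = EMPLOYEES[internal_id]
    return {"employer": rec["employer"], "status": rec["status"]}


def verify_income(token, internal_id):
    """Income call: the only path that releases the income figure."""
    _require_scope(token, "income")
    rec = EMPLOYEES[internal_id]
    return {"employer": rec["employer"], "status": rec["status"],
            "annual_income": rec["annual_income"]}


def run_flow(ssn, client_id, client_secret, need_income=False):
    """The two-step flow end to end: index lookup, then a scoped API call."""
    internal_id = lookup(build_index(), ssn)
    if internal_id is None:
        return None  # SSN not in the set; nothing to ask the API for
    token = authenticate(client_id, client_secret)
    if token is None:
        raise PermissionError("bad client credentials")
    if need_income:
        return verify_income(token, internal_id)
    return verify_employment(token, internal_id)
```

The design point the comment makes is visible in the data the index file holds: `build_index()` yields only internal ids and keyed hashes, so an attacker with the file and the key can answer "is this SSN in the set?" and nothing more, while every other field is released only through an authenticated call whose scope matches the request (an employment check never returns `annual_income`).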