Incident: Equifax Credit Score Coding Issue Impacting Loan Applicants.

Published Date: 2022-08-02

Postmortem Analysis
Timeline:
1. The software failure incident involving Equifax sending incorrect credit scores for millions of consumers occurred between March and April [Article 130993, Article 131036].
2. Published on 2022-08-03 [Article 130993].
3. The incident occurred between March and April 2022.
System:
1. Equifax's servers - A "coding issue" occurred when making a change to one of Equifax's servers, leading to the potential miscalculation of credit scores [130993].
2. Equifax's credit scoring system - Equifax provided incorrect credit scores for millions of consumers due to a 'coding issue' that affected the accuracy of credit reports [131036].
Responsible Organization:
1. Equifax - Equifax caused the software failure incident by sending incorrect credit scores to millions of consumers due to a coding issue on one of their servers [130993, 131036].
Impacted Organization:
1. Millions of consumers seeking loans, including auto loans, mortgages, and credit cards [130993, 131036]
2. Lenders who relied on Equifax's credit scores to make decisions on loan approvals and interest rates [130993, 131036]
Software Causes:
1. The software failure incident at Equifax was caused by a "coding issue" when making a change to one of Equifax's servers, resulting in the potential miscalculation of credit scores [130993].
2. Equifax attributed the incorrect credit scores provided to millions of Americans seeking loans to a 'coding issue' that led to a glitch affecting scores for consumers applying for auto loans, mortgages, and credit cards [131036].
Non-software Causes:
1. Inadequate coding change process leading to a coding issue on Equifax's servers [130993, 131036]
2. Lack of proper quality control measures to catch the credit score errors before impacting consumers [130993, 131036]
3. Insufficient oversight and governance in the technology transformation process, as indicated by the CEO's $25 million retention bonus package [130993]
Impacts:
1. Incorrect credit scores were sent to millions of consumers seeking loans, with differentials of at least 25 points for around 300,000 consumers, potentially leading to wrongful denials of credit [130993].
2. Some consumers may have been issued loans at a higher rate or denied a loan outright due to the incorrect credit scores [130993].
3. The glitch caused fluctuations in credit scores for applicants seeking auto loans, mortgages, and credit cards, affecting the interest rates available to them and leading to rejections from loan applications [131036].
4. The software failure impacted millions of Americans, with as many as 18% of applicants during the glitch period having their credit scores affected by up to 8 points [131036].
5. Even small changes in credit scores, such as a 25-point drop, could result in consumers missing out on the best interest rates available and being placed in different credit score categories [131036].
Preventions:
1. Implement thorough testing procedures: Equifax could have prevented the software failure incident by conducting comprehensive testing of the code changes before deploying them to production to catch any potential issues before they impact consumers [130993, 131036].
2. Implement proper change management processes: Equifax should have had robust change management processes in place to ensure that any modifications to their servers or systems are carefully reviewed, tested, and monitored to prevent unintended consequences like incorrect credit scores [130993].
3. Enhance monitoring and alerting systems: Equifax could have implemented better monitoring and alerting systems to quickly detect anomalies or discrepancies in credit scores, allowing them to address issues promptly before they affect a large number of consumers [130993, 131036].
4. Improve communication and transparency: Equifax should have communicated proactively with affected consumers about the issue, how to check if their credit scores were impacted, and what recourse they have if they were affected. Transparency and clear communication can help mitigate the fallout from such incidents [130993, 131036].
5. Invest in cybersecurity measures: Given Equifax's history of data breaches, investing in robust cybersecurity measures to protect consumer data and prevent unauthorized access to their systems could have also helped prevent this software failure incident [131036].
Fixes:
1. Implement thorough testing procedures before deploying any changes to servers to catch coding issues that could lead to errors in credit score calculations [130993, 131036].
2. Develop a system for quickly identifying and rectifying errors in credit score calculations to prevent incorrect scores from being sent to consumers [130993, 131036].
3. Provide clear communication to affected consumers about the error, how it may have impacted them, and what recourse they have if they were issued loans at a higher rate or denied a loan due to the incorrect credit scores [130993, 131036].
4. Collaborate with lenders to address the impact of the software failure on consumers, potentially by offering new loans to those affected to secure better interest rates and allowing rejected applicants to reapply [131036].
5. Enhance data security measures to prevent future incidents like the 2017 data breach that compromised the personal information of millions of people [130993, 131036].
References:
1. Equifax company statement
2. Housing agency Freddie Mac
3. Trade publication National Mortgage Professional
4. Wall Street Journal
5. Bank executives and other sources familiar with the errors
6. Equifax CEO Mark Begor
7. Shalomim Halahawi, a rabbi from Georgia
8. Twitter user with the handle Emocane
9. Lenders mentioned in The Wall Street Journal article

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization (a) The software failure incident having happened again at one_organization: - Equifax, the credit giant, experienced a software failure incident related to incorrect credit scores being sent to millions of consumers. This incident is not the first data issue for Equifax, as in 2017, the company faced a data breach compromising the personal information of nearly 150 million people [Article 130993]. - Equifax acknowledged a glitch in June related to incorrect credit scores, with the CEO claiming it would not be significant. However, sources revealed that millions of Americans were impacted by the incorrect credit scores, affecting their ability to apply for loans [Article 131036]. (b) The software failure incident having happened again at multiple_organization: - The articles do not mention any other organizations experiencing a similar software failure incident related to incorrect credit scores.
Phase (Design/Operation) design, operation (a) The software failure incident in the Equifax case was primarily attributed to a "coding issue" that occurred when making a change to one of Equifax's servers [130993]. This indicates a failure related to the design phase, where a mistake in the coding process led to the incorrect credit scores being sent to millions of consumers. (b) The software failure incident also had implications for the operation phase, as consumers seeking loans were affected by the inaccurate credit scores provided by Equifax. The errors were significant enough to alter the interest rates available to consumers and even led to some applicants being rejected from applying for loans altogether [131036]. This shows how the operation of the system, specifically in providing credit scores to lenders and consumers, was impacted by the software failure incident.
Boundary (Internal/External) within_system (a) within_system: - The software failure incident at Equifax was caused by a "coding issue" within the system when making a change to one of Equifax's servers [130993]. - Equifax acknowledged that the issue was a 'coding issue' that led to incorrect credit scores being sent to millions of consumers seeking loans [131036]. - Equifax stated that the glitch did not affect the vast majority of consumers' credit reports, indicating that the issue originated within the system [131036]. (b) outside_system: - The Equifax software failure incident was not attributed to factors originating from outside the system in the articles provided.
Nature (Human/Non-human) non-human_actions (a) The software failure incident occurring due to non-human actions: - Equifax experienced a software failure incident where incorrect credit scores were sent to millions of consumers due to a "coding issue" when making a change to one of Equifax's servers. This issue resulted in the potential miscalculation of credit scores, impacting consumers seeking loans [130993, 131036]. (b) The software failure incident occurring due to human actions: - The software failure incident at Equifax was attributed to a "coding issue," indicating that the contributing factor was introduced without direct human actions [130993, 131036].
Dimension (Hardware/Software) software (a) The software failure incident occurring due to hardware: - There is no specific mention in the articles about the software failure incident occurring due to contributing factors originating in hardware [Article 130993, Article 131036]. (b) The software failure incident occurring due to software: - The software failure incident in Equifax was attributed to a "coding issue" when making a change to one of Equifax's servers, resulting in the potential miscalculation of credit scores [Article 130993]. - Equifax acknowledged that the issue with incorrect credit scores for millions of consumers was due to a 'coding issue' and claimed that the glitch did not affect the vast majority of consumers' credit reports [Article 131036].
Objective (Malicious/Non-malicious) non-malicious (a) The software failure incident related to Equifax providing incorrect credit scores for millions of consumers between March and April was non-malicious. The incident was attributed to a "coding issue" when making a change to one of Equifax's servers, leading to the potential miscalculation of credit scores [130993, 131036]. Equifax acknowledged the glitch and stated that it was not something of note for the company, with the CEO mentioning that the impact was going to be quite small and not meaningful to Equifax [131036]. The company worked on fixing the issue and provided updated credit information to lenders to address the situation [131036]. Additionally, Equifax mentioned that the glitch did not affect the vast majority of consumers' credit reports and that for those consumers who did experience a score shift, only a small number of them may have received a different credit decision [131036]. The incident caused significant real-world impact, with some consumers potentially being wrongfully denied credit due to the incorrect credit scores provided by Equifax [130993].
Intent (Poor/Accidental Decisions) poor_decisions, accidental_decisions (a) The software failure incident related to Equifax sending incorrect credit scores to millions of consumers was primarily due to poor_decisions. The incident was attributed to a "coding issue" that occurred when making a change to one of Equifax's servers [130993]. Equifax acknowledged the glitch but downplayed its impact, with the CEO claiming it would not be significant [131036]. Additionally, Equifax did not provide clear information on how affected consumers could determine if their credit scores were incorrect or what recourse they had if they were issued loans at a higher rate or denied credit due to the errors [130993]. (b) The software failure incident could also be attributed to accidental_decisions as Equifax mentioned that the issue was a "coding issue" that resulted in the potential miscalculation of credit scores [130993]. The company stated that the glitch did not affect the vast majority of consumer credit reports and that for those consumers who did experience a score shift, only a small number of them may have received a different credit decision [131036]. This suggests that the errors were unintended consequences of the coding issue.
Capability (Incompetence/Accidental) development_incompetence (a) The software failure incident occurring due to development incompetence: - Equifax experienced a software failure incident where incorrect credit scores were sent to millions of consumers due to a "coding issue" when making a change to one of Equifax's servers [130993]. - Equifax acknowledged the glitch in June, with the CEO claiming that the impact would be small and not meaningful to the company [131036]. (b) The software failure incident occurring accidentally: - The software failure incident at Equifax, resulting in incorrect credit scores for millions of consumers, was attributed to a 'coding issue' that was fixed after being identified [131036]. - Equifax stated that the glitch did not affect the vast majority of consumer credit reports and that for those consumers who did experience a score shift, only a small number of them may have received a different credit decision [131036].
Duration temporary (a) The software failure incident in the Equifax case was temporary. The incident occurred due to a "coding issue" when making a change to one of Equifax's servers, which resulted in the potential miscalculation of credit scores for millions of consumers [130993]. Equifax mentioned that the issue was fixed and did not affect the vast majority of consumer credit reports [131036]. The glitch lasted for a specific period, from March to April, impacting consumers seeking auto loans, mortgages, and credit cards during that time frame [131036]. Equifax's president of U.S. Information Solutions stated that for those consumers who experienced a score shift, only a small number of them may have received a different credit decision [131036]. (b) The software failure incident was not permanent as it was attributed to a specific coding issue during a certain timeframe and was subsequently fixed by Equifax [130993, 131036].
Behaviour value (a) crash: The Equifax software failure incident did not involve a crash where the system loses state and does not perform any of its intended functions. The issue was related to incorrect credit scores being sent to lenders, affecting consumers seeking loans [130993, 131036]. (b) omission: The software failure incident did not involve the system omitting to perform its intended functions at an instance(s). Instead, the issue was about incorrect credit scores being provided to consumers, impacting their loan applications [130993, 131036]. (c) timing: The Equifax software failure incident was not about the system performing its intended functions correctly but too late or too early. The issue was related to incorrect credit scores being sent to lenders during a specific timeframe, affecting consumers seeking loans [130993, 131036]. (d) value: The software failure incident was primarily about the system performing its intended functions incorrectly. Equifax provided incorrect credit scores to millions of consumers, affecting their ability to apply for loans and potentially leading to wrong credit decisions [130993, 131036]. (e) byzantine: The Equifax software failure incident did not involve the system behaving erroneously with inconsistent responses and interactions. The issue was more straightforward, focusing on the incorrect calculation and reporting of credit scores to lenders [130993, 131036]. (f) other: The Equifax software failure incident can be categorized as a value-related failure where the system performed its intended functions incorrectly by providing inaccurate credit scores to consumers, impacting their loan applications and potentially leading to financial consequences [130993, 131036].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property (a) death: People lost their lives due to the software failure (b) harm: People were physically harmed due to the software failure (c) basic: People's access to food or shelter was impacted because of the software failure (d) property: People's material goods, money, or data was impacted due to the software failure (e) delay: People had to postpone an activity due to the software failure (f) non-human: Non-human entities were impacted due to the software failure (g) no_consequence: There were no real observed consequences of the software failure (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? The articles do not mention any consequences related to death, physical harm, impact on access to food or shelter, or impact on non-human entities due to the software failure incident reported by Equifax [130993, 131036]. The primary consequence discussed in the articles is the impact on people's credit scores, potential denial of credit, and the financial implications for consumers seeking loans.
Domain finance (a) The software failure incident reported in the articles is related to the finance industry. Equifax, a credit reporting company, experienced a technology snafu that resulted in incorrect credit scores being sent to millions of consumers seeking loans [Article 130993, Article 131036]. This incident had a major real-world impact as it potentially led to some borrowers being wrongfully denied credit or receiving loans at higher rates due to the coding issue in Equifax's servers. (h) The failed system was intended to support the finance industry, specifically in the area of credit reporting and lending services. Equifax's software glitch affected consumers applying for auto loans, mortgages, and credit cards, impacting their credit scores and potentially altering the interest rates available to them [Article 130993, Article 131036]. (m) The software failure incident is not related to any other industry mentioned in the options provided.
