How Not to Respond to a Data Breach
Equifax’s bungling provides a primer for others on what not to do
On Sept. 7, 2017, the consumer credit reporting firm Equifax reported the potential exposure of personal data for 143 million Americans. Equifax collects and maintains vast amounts of private and confidential information from approximately 800 million consumers worldwide.
While other breaches have technically affected more individual accounts than the Equifax hack, the information that may have been exposed (including full names, Social Security numbers, birth dates, addresses, credit card numbers, and driver’s license numbers) may qualify this event as the “worst leak of personal info ever,” as Ars Technica’s Dan Goodin put it in his Sept. 8, 2017 article headline.
However, while the story is still unfolding, the worst part of the Equifax breach may be the company’s response, which is likely making the situation far worse. Less than a month after the breach was disclosed publicly, Equifax appears to be providing a clear example to companies and professionals of how not to respond to a data breach.
The breach reportedly was discovered by Equifax on July 29, 2017, but was not reported until nearly six weeks later. Undoubtedly, some of that time was necessary for Equifax to retain cybersecurity company Mandiant to assist in a comprehensive review to determine the scope of the intrusion and specific data impacted.
Frustratingly for consumers, the disclosure of the breach did not indicate who specifically was affected or what information was breached. Equifax did not appear to be notifying affected consumers directly. Instead, Equifax encouraged consumers to visit a recently created website, equifaxsecurity2017.com, and enter more private information (last name and last six digits of a Social Security number) in order to learn whether they were a victim.
When consumers entered the information into the new reporting website, they found that they could receive a different response depending on whether they entered the same information from a mobile device or from a computer, as noted by KrebsonSecurity.com’s Brian Krebs in the article “Equifax Breach Response Turns Dumpster Fire.” In addition, the new website worked only intermittently and gave confusing responses.
Instead of building a page to handle the breach on its trusted website, Equifax.com, Equifax stood up a new website that contained bugs and other errors, including a possible problem with its SSL certificates, as noted by Wired’s Lily Hay Newman in “All the Ways Equifax Epically Bungled its Breach Response.” This exacerbated consumers’ frustration over the six-week delay in reporting the breach.
Notification and Response Problems
Equifax’s official Twitter account mistakenly tweeted the wrong website for consumers to visit. Luckily, according to Newman’s article, the false website was not malicious and was purposely set up by a web developer to demonstrate how easy the new reporting website was to spoof and how ill-advised it was to not use the main company’s website. Newman notes that the fake website was downloaded approximately 200,000 times, though, and could have done a lot of additional harm to consumers.
Equifax offered to enroll consumers in TrustedID Premier, a three-bureau credit monitoring service also operated by Equifax. The credit monitoring service was only for one year and, presumably, charged consumers after the first year of free coverage ended.
In addition, Krebs’ article notes that, in the terms of service legalese, Equifax required all consumers utilizing the free year of credit monitoring to waive their rights to future class-action lawsuits against Equifax. Equifax later claimed that the legalese requiring the use of arbitration and limits to class-action lawsuits did not apply to this breach.
Within days of Equifax internally learning of the breach, and five weeks before notifying the public and investors, three top Equifax executives (the chief financial officer, the president of workforce solutions, and the president of information solutions) sold nearly $2 million worth of company stock.
Equifax claims that these particular executives “had no knowledge that an intrusion had occurred at the time they sold their shares,” according to the report “Credit Reporting Firm Equifax Says Data Breach Could Potentially Affect 143 million U.S. Consumers,” from CNBC’s Todd Haselton. However, at a minimum, the optics of high-ranking executives selling shares within days of a very large breach do not look good.
At best, it gives the impression that the company was not taking the breach seriously enough to notify executives who, based on their titles alone, seemingly should have been involved. As a result, the sale of shares may result in the SEC taking a closer look at the transactions.
The forensic investigation also indicated that the vulnerability in the Equifax network was known for at least two months prior to the breach. Worse, Equifax did not apply the security patches that could have prevented the breach in the first place.
This failure gives the impression that Equifax did not take the protection of private and confidential data seriously. Worse, the breach response demonstrated that Equifax did not appear to be trained or ready to respond appropriately to a breach event.
Data breaches are serious for any professional or company. However, the breach response can demonstrate how being prepared and taking decisive and sound action can help alleviate a difficult situation. A haphazard response that is slow and filled with missteps only adds to the problems and the damage to a company’s reputation. Through that lens, Equifax has clearly shown other companies and professionals how not to respond to a data breach.