Why Equifax Gets an F for Incident Response
While everyone was fixating on hurricane coverage over the past several days, another storm was brewing—a massive data breach announced at Equifax. And unlike those living in the Caribbean, Gulf Coast and Eastern Seaboard, this one impacts up to half of the U.S. population.
It’s OK if you didn’t realize that one of the nation’s largest credit reporting agencies failed to keep cybercriminals from stealing vital data on up to 143 million consumers. Equifax leaders timed their announcement so it would get buried like the rubble accumulating in hurricane-ravaged areas. The breach was discovered in late July and is believed to have happened in May; yet the company didn’t bother to tell anyone until six weeks after discovery.
I’ve covered the cybersecurity industry since 2000 and have watched big data heists unfold. I’ve also been the victim of such crimes. I’ve suffered the consequences of identity theft and inconveniences of a credit freeze. Sometimes companies delay notifications while they work with the authorities and digital forensics experts. This breach, though, feels different.
Consider what emerged in the two days following the Equifax announcement:
- Three of the company’s top leaders sold some of their company stock after the breach was discovered but before it was announced.
- A legal team injected a clause in the fine print of a site set up to help victims that banned these users from joining any class-action lawsuits.*
- The company set up a phishy-looking site to help identify who was at risk, then told those impacted that it would get back to them in several days.
The gall of some people
That site for consumers to check if they are at risk of compromise is particularly troublesome. In addition to looking like a malicious site, it’s baffling why the company would continue to collect sensitive data in this manner. It’s also galling that their gesture to help mitigate damage they caused is for victims to sign up for a credit monitoring service that they own. They say consumers get a free year’s worth of monitoring before incurring monthly charges.
Yes, you definitely want to check your credit. Think twice, though, about trusting the same company that caused the problem. And don’t believe that after a year the risks go away.
We didn’t ask for this
By law, companies must (eventually) disclose when they suffer a breach. And they do so almost daily now. In turn, the market can express its displeasure with such lax security, if that’s the case, by no longer giving these companies their business. Companies depend on users, clients and customers to stay in operation; if enough people leave, they go out of business.
Equifax and data warehouses like it are different. They pull in our private, sensitive data without our permission and then sell it to companies trying to determine if we are worthy of credit or special offers.
If we sign up for a so-called free service, there is still a cost, and it’s usually permission to extract and possibly sell our personal data. That’s why there are terms of service and privacy statements we must agree to before being allowed in. The Equifaxes of the world get rich bypassing those rules.
Let’s follow the EU’s lead
Later this month I’ll be moderating a panel at (ISC)2’s Security Congress on the EU General Data Protection Regulation, sweeping legislation that puts more control in European citizens’ hands. For one, companies that experience a breach must report it to a supervisory authority within 72 hours. And EU citizens have the “right to erasure,” sometimes referred to as the right to be forgotten. Upon request, a business must delete any personal data they have on that consumer.
This is a big deal in the industry we cover for our clients. For all industries, even.
If enough consumers were to tell Equifax and its rivals like TransUnion and Experian to delete any records they have on each of us (by request, of course), these companies would lose their most valuable asset. And without anything credible to sell, they would have to change their business model or close shop.
Many of us infuriated with the company would like to see that happen, but it won’t. U.S. laws don’t favor consumers the way EU laws do (or soon will). To be clear: Data breaches happen all the time; it’s how companies behave after a discovery that truly defines them.
So, carefully consider who “owns” your most valuable asset: your unique identity. And keep close tabs on your personal financial and medical records for signs of fraud. Forever.
As the saying goes, if you aren’t paying for a product, then you are the product.
*That troublesome clause drew so much ire from consumers (and attention from certain attorneys general) that Equifax subsequently dropped it.