Credit is important to many frequent flyers who rely on travel credit cards to fuel and fund their travel. This week Equifax, one of the three credit reporting bureaus in the US, announced that it had discovered a breach of its customer files. While the company seemed to have a plan in place, it became clear this week that its response was, in fact, quite amateur. But did the credit giant put even more customers in jeopardy through that response?
Investigation and Breach
News broke this week about the data breach, which happened over an extended period from mid-May through July and purportedly only affected those who had a credit dispute. I mentioned my own credit reporting issue, which arose after Capital One accepted a charge after I had closed my account, but I failed to mention that I had to call in to file the dispute because the website wasn't processing my request.
In retrospect that looks quite obviously like a consequence of the data breach. The site said nothing at the time of my filing about a breach. It wasn't yet public information, yet by the time I filed, Equifax not only knew of the breach but had completed its investigation and taken down the ability to file disputes online, and it still waited to tell customers like me, who were entrusting the company with further personal information.
It feels pretty slimy and maybe careless.
Lessons learned from the Sony PlayStation and Target hacks provide a standard script:
- Inform the public
- Offer free identity protection to possible affected parties
- Disclose as much as possible
- Enlist an outside specialist to secure systems
Equifax has followed that model, at least on paper. On a website set up solely for this purpose, the company outlines its initiatives. It serves as a notice to the public, though the company also reached out to the media, and I cited CNN in my post.
It also shouldn't surprise anyone (and costs practically nothing out of pocket) that a credit bureau that also sells identity protection would offer free protection to those affected. This is literally the least they could do, the very least. In fairness it is probably the service most desired by victims of the breach, but it is also like IHOP giving out free pancakes to customers who may have been harmed as a result of doing business with the brand. Other than the loss of those customers' identity protection business, it's not a big ask for Equifax to provide this to the victims.
While Equifax disclosed some of the information it has gathered, it still left far too much out. For example, here are some simple questions that still remain for me:
- If only 209,000 customers were possibly affected, why are 143 million at risk?
- How did this happen? Assuming that the security experts have closed the entry point, can Equifax not now disclose what happened?
- Why can’t customers immediately protect themselves? You have to wait until an appointed day to officially register for your free protection. Which is provided by Equifax… why?
Rollout of the Response
So bad. If you're a business that protects sensitive private data, you should have an ironclad plan for what happens if there is a breach. Other companies that hold nowhere near the volume of sensitive personal information Equifax does run drills for cyber threats; other companies have a better plan.
This came across as really quite amateur, and that scares me to death. I don't get to decide whether Equifax manages my personal data in the future, even though it can't handle that data in the present. A series of mistakes in this rollout suggests that the business's leadership is approaching this in a cavalier manner despite its words to the contrary.
Original language suggested that by accepting the identity protection services, victims would forgo their right to bring suit against Equifax. They have since clarified this position on their website in all caps remarking:
“NO WAIVER OF RIGHTS FOR THIS CYBER SECURITY INCIDENT
They made it clear because “customers” were up in arms and it was not clear before.
When logging into the site and checking your status it was not clear whether or not you had been affected. What?!? They rolled out a specific site to let you see if you were affected and then it didn’t tell you whether or not you were? I didn’t know when I tried it for myself. But I guess now you can trust them because it totally works and stuff:
” YOU CAN DETERMINE YOUR STATUS IMMEDIATELY
Some consumers who visited the website soon after its launch failed to receive confirmation clarifying whether or not they were potentially impacted. That issue is now resolved, and we encourage those consumers to revisit the site to receive a response that clarifies their status.”
Which meant that their call centers were probably flooded…
“EXPANDED OUR CALL CENTER
We have tripled our call center team to over 2000 agents and continue to add agents.
Our goal is to make this process as convenient and consistent as possible. We will continue to identify steps to improve this process.”
Then it came to light that the site created to check whether or not you are affected was not using the latest and greatest in cyber security technology. It was using a stock version of WordPress. It had a less-than-stellar TLS certificate. And the site wasn't even registered to Equifax. The tech site Ars Technica covered this perfectly:
“What’s more, the website www.equifaxsecurity2017.com/, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation of WordPress, a content management system that doesn’t provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn’t perform proper revocation checks. Worse still, the domain name isn’t registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people’s details. It’s no surprise that Cisco-owned OpenDNS was blocking access to the site and warning it was a suspected phishing threat.
Another indication of sloppiness: a username for administering the site has been left in a page that was hosted here.”
Here is the thing. The state of corporate America today and the out-for-blood societal reactions (some could argue that this is just such a reaction) have made it necessary to plan for catastrophic events in advance, even simulate responses to sharpen skills. The harsh reality is that if there is a major event, every action the company takes will be closely watched and scrutinized, fairly or unfairly. This exact case should have been one of their disaster scenarios. If you run an airline, you should have a plan in place in the event of an aircraft crash or hijacking. It’s unpleasant to think about, but it’s the business they are in. If you run a bank, you ought to have something ready in the case of a bank robbery, a run on the bank or liquidity issues.
It seems like Equifax did have a plan but either followed it terribly or didn’t take it seriously enough to think it could happen to them. Setting up a WordPress site and requiring potentially affected customers to give limited portions of sensitive information was a bad plan.
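The domain problem Ars Technica describes is easy to check for in advance. The script below is an added example, not code from Equifax, Ars Technica or this post: it classifies a notification URL against an allowlist of registrable domains the organization actually controls and flags the look-alike patterns a phishing filter keys on (brand name embedded in a foreign domain, year-like digits, "security"/"login" keywords, one-character typosquats). The allowlist, brand string and the tiny public-suffix table are assumptions chosen for the example; a real deployment would take the allowlist from the organization's asset inventory and use the full Public Suffix List.

```python
"""Heuristic look-alike domain check for breach-notification sites.

Added example, not Equifax's or Ars Technica's code. Stdlib only.
"""
import re
from urllib.parse import urlsplit

# Assumed allowlist of registrable domains the organization controls
# (hypothetical for this example; source it from an asset inventory in practice).
ALLOWED_DOMAINS = {"equifax.com"}
BRAND = "equifax"

# Minimal multi-label suffix table, enough for the example. Production code
# should use the Public Suffix List so that "example.co.uk" splits correctly.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Words that commonly appear in phishing domains impersonating a breach notice.
SUSPICIOUS_WORDS = ("secur", "login", "verify", "account", "support", "breach", "incident")


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1), e.g.
    'www.equifaxsecurity2017.com' -> 'equifaxsecurity2017.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(url: str) -> dict:
    """Classify a notification URL relative to the organization's own domains.

    Returns owned=True when the registrable domain is in the allowlist; otherwise
    lists the look-alike signals found in the registrant-chosen label.
    """
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    result = {"host": host, "registrable": reg, "owned": reg in ALLOWED_DOMAINS,
              "reasons": [], "suspicious": False}
    if result["owned"]:
        return result

    label = reg.split(".")[0]  # the part a registrant actually chose
    reasons = result["reasons"]
    if label == BRAND:
        reasons.append("brand name under a TLD the organization does not control")
    elif BRAND in label:
        reasons.append("brand name embedded in a domain the organization does not control")
    elif edit_distance(label, BRAND) <= 1:
        reasons.append("one edit away from the brand name (possible typosquat)")
    if re.search(r"\d{4}", label):
        reasons.append("year-like digits in the domain label")
    if any(w in label for w in SUSPICIOUS_WORDS):
        reasons.append("security/login keyword in the domain label")
    result["suspicious"] = bool(reasons)
    return result


if __name__ == "__main__":
    # Constructed sample inputs: the site from the Ars quote, the real corporate
    # domain, a typosquat and an unrelated domain.
    for u in ("https://www.equifaxsecurity2017.com/", "https://www.equifax.com/",
              "equifaz.com", "https://example.org/"):
        r = assess(u)
        print(f"{r['host']:32} owned={r['owned']!s:5} suspicious={r['suspicious']!s:5} "
              + "; ".join(r["reasons"]))
```

Run as-is it prints one line per sample; www.equifaxsecurity2017.com trips all three look-alike signals while the same notice hosted under equifax.com would pass, which is the whole point: a breach notice should live on a domain customers can already verify belongs to you.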
I haven’t seen anyone ask this question yet (though I could have missed it), so I will pose it here: if only 209,000 were affected, why not contact them individually? Send an email or place a phone call, with some verifiable security measures, informing the affected that their information could be compromised, what Equifax intends to do about it and what consumers should know. Why not set up the identity protection for them in advance? Protect them first while the details are sorted out.
Meanwhile, I was over here filing a dispute through the same system Equifax knew had been the source of the breach, and I knew nothing about it, though Equifax had known for several weeks. That’s bush league at best.
Tone-Deaf and Flat-Footed
I am not one to call for CEOs to get canned over events that happen at their organization – they can’t be everywhere all the time. I am one, however, to judge them on their response. When the Dr. Dao incident happened at United, I didn’t even blame CEO Oscar Muñoz for his initial response though he should have looked at the evidence first. People get bumped from airplanes all the time, some of them do not understand the contract of carriage and that the airline has a right to oversell a plane, and that customers accept the right of the airline to involuntarily deny boarding. His response seemed in line with the public reaction to that policy before he knew the whole extent of the matter. If anything, his reaction was far too quick and that is where I saw room for improvement.
Looking at the reaction to this event, leadership at Equifax made so many blunders that it's no wonder they were caught asleep at the wheel. When your business is holding people's most sensitive information, your focus should be built around security. Equifax (along with the other bureaus) is no doubt a high-value target under constant attack from nefarious hackers. So plan, and execute the plan when things go south. Instead the company came off as flat-footed.
Instead, leadership sold off $1.8MM in shares after Equifax (though reportedly before these specific executives) knew of the problem and had begun its investigation, but before the news was announced to the public and the stock price took its likely drop. One thing to note about public companies: some executives sell shares under trading plans arranged well in advance. This was not such a sale. Assuming these three executives truly didn't know about the breach and couldn't be informed for security reasons, but were senior enough for these sales to constitute a "small" portion of their holdings, then buy the shares back! In a situation like this, optics matter. The optics on the stock sale loom large, as it suggests they had the time and foresight to protect themselves when they didn't seem to have time to protect the identities of millions of Americans.
The timeline is what really tells the story of Equifax's poor approach and tone-deaf manner in this breach. The attack took place over roughly 8 to 10 weeks. The investigation took another few weeks while the response was prepared in parallel. Then the announcement comes, and affected customers are still delayed by more than a week before they can even register for the free protection that could have been turned on immediately.
Finally, someone should really consider starting a crisis management social media team to come in and take over for companies that experience disasters like this. The Equifax Twitter approach is the definition of tone deaf.
Bad things happen to good companies. It’s their response that matters in these situations, and Equifax looked like a very small company caught in a very big mess. They are entrusted with the most sensitive data a person possesses, and they seemed completely unprepared despite weeks of planning and notice.
What do you think about their handling of the situation? Were you an affected party?