The Equifax Series: Part 2: A Case Study in How to Botch Incident Response

By: Jason A. Greene, CISO

The Equifax breach was so significant that I wanted to dedicate a short series to exploring its different facets. In Part 2 of the series I’ll use Equifax as a case study in what not to do during incident response.

Part 2 of 7: The Equifax Breach: A Case Study in How to Botch Incident Response

It’s no secret that, in the wake of what is possibly the most privacy-damaging data breach in U.S. history, the behavior of Equifax leadership has been nothing short of repugnant.

If the disconnect between Equifax leaders and the American public could be summed up in one tweet, it would have to be the tweet last week by one Equifax Twitter account that cheerfully exclaimed, “Happy Friday!”

Just a few days after Equifax learned of the breach, and still six full weeks before it informed the public, three top executives sold nearly $2 million of their shares in the company. Unsurprisingly, the stock has tumbled since the company disclosed the breach.

Instead of notifying victims directly, Equifax chose to set up a website where consumers could check whether their data was compromised. Unlike with lenders, consumers do not usually choose to send their personal and financial information to credit reporting agencies such as Equifax; lenders report consumer information from loan applications and loan activity to these companies. So people like my parents, who recently bought a car or a house yet hardly ever use the Internet, are expected to somehow divine that this website exists and know how to navigate it.

This is just the tip of the iceberg.

Not long before the company’s haphazard security practices led to the breach of 143 million consumers’ sensitive personal and financial information, Equifax used the trade association that represents the company to lobby Congress and federal regulators in the Trump Administration to exempt credit reporting agencies from proposed regulations involving class action claims. Specifically, they sought to cap class action damages at $500,000, eliminate punitive damages altogether, and block a rule that barred companies from forcing their customers to waive class action rights, because allowing consumers to sue credit reporting agencies “would not serve the public interest or the public good.”

And just what did Equifax do when they established a website where consumers could check to see if their data was compromised? They hid within the fine print a clause that required consumers to waive their class action rights in order to check to see if their data was compromised.

Let that sink in.

Equifax compounded a breach of data with a breach of trust. The company has since backed off this underhanded attempt to avoid liability and also tanked any chance of gaining the protections they sought from Congress and the Trump administration, but their self-inflicted wounds just keep coming.

They have now drawn even closer scrutiny from congressional oversight committees, federal regulators, and the states, all of which I will discuss in Part 3 of this series on what the government can do to protect consumers.

Equifax initially offered one year of free credit monitoring to affected consumers, which adds insult to injury because, as the company surely knows, a Social Security number is permanent: the exposure lasts a lifetime, not twelve months.

In response to predictable consumer outrage over this token offer of protection, Equifax stated on Twitter that it would waive fees for its credit freeze service for thirty days. But Equifax is only one of the three major credit reporting agencies, so a freeze at Equifax alone does little to protect victims of its negligence from cyber criminals who open lines of credit with lenders that pull reports only from Experian or TransUnion. A freeze protects you only if it is in place at all three bureaus, and I’m confident Equifax is aware of this fact.

My prediction: Equifax will soon offer some sort of trilateral credit freeze option.

I also predict the credit freeze and monitoring offers could be another ticking time bomb for Equifax in their ongoing PR debacle if not properly managed. For example, if the 30-day free credit freezes are converted into revenue through automatic paid renewals, or otherwise gain the company additional paying customers, it will be seen for what I’m sure it is: another underhanded attempt to profit at the expense of the consumers the company owed a duty to protect.

It gets worse.

One of the links the Equifax Twitter account posted for consumers seeking protection pointed not to an Equifax site but to a conference in Oregon. In a touch of irony, the conference was called “Trust in 2017: In What & Whom Do We Trust?” Here’s a hint: the answer isn’t credit monitoring and Equifax.

Another link from the Equifax Twitter account pointed to an unregistered domain, which anyone could have registered and turned into a convincing phishing site collecting the very data the breach exposed, leaving affected consumers open to being doubly victimized. Before publishing a breach-response link, an organization should verify that the domain resolves to infrastructure it controls, and it should register the obvious look-alike and transposed-word variants so that nobody else can.

This morning, when I tried to reach Equifax’s breach-impact checker website, I received an error message that said “System Currently Unavailable – Error 500”. When I called a customer service hotline, I was told to try the website again the next day. The customer service agent had little helpful advice when I asked whether there were other ways to obtain a PIN for freezing my credit.

After trying to access the site for the better part of the morning, I was finally able to connect. To my dismay, it revealed that my information may have been compromised. No confirmation, only an ambiguous response that I interpreted as yet another attempt by Equifax to avoid liability.

I poked around the site a bit more and entered some fictitious information, and somehow received the same response. Is the site’s default response simply to tell every consumer, real or fictional, that some of their most sensitive personal and financial information may have been compromised by cyber criminals and may be for sale on the dark web? A checker that returns the same answer for every input tells consumers nothing, and meanwhile trains them to type personal details into whatever site asks for them.

Pardon my outrage, but it’s not as if Equifax is the least bit forgiving when consumers try to correct an error in their credit report or, heaven forbid, when they were late on a car payment one month six years ago.

Consumers and regulators are kindly returning the favor. As of this writing, dozens of lawsuits have already been filed and several government investigations have commenced.

In Part 3 of The Equifax Series I will focus on what role government can play in protecting consumers.