Equifax disclosed that hackers exploited a vulnerability on its website to access files, which may have included data such as social security numbers, birth dates, and addresses. Simply put, there was enough data swiped from Equifax to start a new identity, hijack a few, and sell information on the black market. What's more jarring is that folks (think your kids) without any credit history were exposed. The data breach occurred between May and July.
And given that Equifax is one of three keepers of your credit score, there's a little emotion involved. In the US, you are your credit score. The credit score is the lubrication of the economy and determines whether you can get a mortgage or car loan or that home equity line.
So, given that backdrop, emotional connection, and more than a month to disclose the breach and figure out a response, you'd think Equifax would be able to rise above complete s**t-show on the report card.
Equifax failed big time, and given that the stock has been pummeled, it's worth asking for a few executive heads to roll. What's more galling about the Equifax response is that there has been a template for handling breaches. The Home Depot, Target, and a bevy of others have followed the playbook. Equifax had a tougher breach to handle, but it's not like it's the first data breach victim in the history of the world.
The post-breach playbook roughly goes like this: Disclose early and often; be transparent, outline the fixes and findings; and toss in identity monitoring for a period. Also, apologize and remedy the security issues.
But the good news for everyone not involved with Equifax is that there's a new template of what NOT to do. Let's go through the screw-ups.
DON'T create a security information site that isn't on your corporate domain. Equifax gets whacked by hackers and what does the company do? Create what appears to be a phishing site. You can't make this stuff up. Equifax sent customers to https://www.equifaxsecurity2017.com. That site isn't on the Equifax domain, and you think twice before even going to it.
DON'T ask for more consumer data that you haven't proven you can protect. Equifax asks for the last six figures of your social security number and last name to determine if you may have been impacted. The last six digits of your social security number only make it easier to guess the first three. Gee thanks.
DON'T offer a tool that appears to determine if you're safe or not, but doesn't hold up to scrutiny. Our own Zack Whittaker entered "test" as a last name and "123456" and was found to have been impacted by the breach. Replies to Whittaker's tweet note the random output from the Equifax tool.
DON'T give vague answers after collecting that data. After you cough up more data Equifax doesn't know how to protect, you get this notification:
DON'T enroll me for an identity service that you already own. Once you enroll for this TrustedID service, you find out Equifax owns it. At least splurge for a rival's service.
DON'T tell me you can't provide a damn calendar reminder notification. Once you click to enroll in Equifax's service, you get this gem...
Translation: Equifax doesn't have the technical knowhow to send you an email reminder. Again, all the burden is on the consumer/victim.
DON'T look clueless on social. Equifax delivered a canned response on Twitter apologizing and understanding the "frustration this causes" in the middle of a tweetstorm.
DON'T legalese the people impacted by your security debacle:
Add it up and Equifax looks like a company with the following:
A massive database with personal information that's not protected well.
Little technology knowhow.
A need for more regulation -- since it has more valuable data on consumers than Facebook or Google.