What happened, the bungled response and some observations.
Much has been written (and will continue to be written!) about the Equifax security incident. Labelled the largest corporate data breach in history, the breach hit the headlines as soon as Equifax gave notice of it in early September 2017 and has continued to garner a lot of attention since.
The following is a summary of some of the most important things to know about the breach and the aftermath to date:
The breach: Between mid-May and July 2017 hackers accessed data held by Equifax through a publicised vulnerability in a web application, for which there was a well-known patch available. Data involved in the breach included Social Security numbers, birth dates, addresses, some driver’s license numbers, and about 209,000 credit card numbers. A hundred and eighty-two thousand “dispute documents,” essentially complaint submissions that include personal identifying data, were also compromised in the breach.
Time between detection and notice: Apparently 6 weeks elapsed between the discovery of the breach and Equifax giving notice of it. Was this too long given the gravity of the breach? This will certainly be one of the key issues examined in the coming months.
It may be that Equifax knew about the breach for more than 6 weeks. Visa and MasterCard also sent confidential alerts to financial institutions across the United States, warning them about more than 200,000 credit cards that were stolen in the epic data breach. It was reported that these alerts appeared to suggest that hackers were first able to steal credit card numbers from Equifax starting in November 2016. But Equifax says the accounts were all stolen at the same time: when hackers accessed the company’s systems in mid-May 2017.
Within days of news of the leak, the Australian Information Commissioner opened two investigations into the incident, one into Red Cross and the other into Precedent, referring to the large number of Australians whose personal information was involved, and the sensitivity of the data as the reasons for undertaking the investigation.
The bungled response: Some have said that Equifax’s response to the massive data breach ‘has been a lesson in what not to do.’ The missteps ranged from pointing consumers to a sketchy, ill-conceived website on a separate domain, to tweets directing consumers to a potential phishing site, to calls to the dedicated hotline going unanswered. After hours on the phone, one frustrated customer complained to a personal finance columnist that Equifax’s outsourced customer service told him to “go back to the website and call the number you just called.” Equifax is also alleged to have almost entirely ignored customers who applied for credit freezes or tried to reach the company, according to comments left on the Federal Trade Commission website. In any case, Equifax’s actions did little to provide consumers with clear, reliable information (see https://www.wired.com/story/equifax-breach-response).
Equifax also generated considerable outrage when it posted a mandatory arbitration clause on its website immediately after the breach. This clause seemed to require any consumers signing up for free credit monitoring services in the wake of the breach to waive their rights to sue Equifax in court.
Interestingly, given such a poorly orchestrated response, Equifax had time to conclude the purchase of an identification protection service called ID Watchdog on August 10, two weeks after Equifax allegedly discovered the data breach but a month before disclosing it publicly.
It’s also been reported that three executives sold their Equifax shares in the days after it discovered the data breach, but the company said the executives, including the chief financial officer, didn’t know about the hack. Not a great look for a publicly listed company.
Reports of previous lapses in security also did little for consumers’ trust in the Equifax response.
Not surprisingly, consumers are reported to feel ‘violated’ as a result of the breach and the poor response.
Also not surprisingly, the Equifax share price plummeted and lawsuits were filed. The share price dropped 18% within four days of the announcement and continues to decline: ‘Equifax’s shares have fallen more than 30 percent since the disclosure of the breach amid mounting criticism from lawmakers, regulators and consumers about the hack and the company’s response to it. At least 24 federal lawsuits have been filed in connection with the breach. Most will likely be combined into a single piece of nationwide litigation.’ These include a suit by a Wisconsin-based credit union for fraud-related breach costs.
The most visible response to date has been the resignation of the CSO and CIO amid reports of delays in patching the web server that was the source of the breach. With further lawsuits filed and inquiries by a US Congressional Committee and the FTC now underway, the CEO has also resigned; an acting CEO has been appointed while the former CEO stays on as an adviser.
Many commentators have referred to some bigger questions raised by the breach, which compromised information about consumers held by a private company for the benefit of its customers, who are not the consumers.
A number of commentators have asked whether private credit bureaus should be able to hold the huge troves of personal information they do. Should we be looking for a better way to balance the power of the credit bureaus and their customers on the one hand, and that of their “subjects” on the other? A true accountability and transparency model would support more proactive engagement by credit bureaus. As an example, in addition to providing consumers with an annual report covering all the personal information they hold (free, without request and as a matter of course), credit bureaus could also notify individuals by e-mail of all changes, queries, and reports; establish a low-cost, independent and quick dispute resolution system; and ensure all disputes are included in the record and in all query responses and reports.
What does this breach mean for us in Australia? Here are some good tips on practical steps to take to prevent a similar situation occurring:
- Ensure your communications response strategies are tested and well thought out, including, for example, properly secured and crafted web pages, Twitter links and hashtags as well as call centre scripts.
- Make sure your response is adequate for the number of people likely to be relying on it, e.g. do you have enough call centre operatives to manage the number of expected calls? What do you do if calls exceed expected numbers? Will you know, and how will you respond?
- Consider how any past security failures may impact your response to a new incident. A seemingly trivial breach may be more serious in the eyes of the public if it comes after a series of earlier incidents.
- Be sure your plans involve all possible stakeholders, including credit card companies, credit bureaus, regulators and other relevant government agencies, e.g. ASIC, ATO, Department of Foreign Affairs and Trade.
- Beware of activities that might damage the organisational reputation, like executives selling down their shareholdings post breach.
- Work out how to be proactive in the ways your organisation interacts with and responds to customer and other stakeholder concerns.
About the Author – Dr Jodie Siganto PhD LLM CISSP
Dr Siganto is a partner in the technology and privacy law and consulting firm, Ringrose Siganto.
Dr Siganto graduated as a lawyer from the University of Queensland and after 8 years in private practice became in-house counsel for Tandem Computers, followed by roles with Unisys Asia and Dell based in Singapore. She returned to Australia in 2000, founding Bridge Point Communications (specialists in data networking and security) with two other colleagues. In 2008, she established IT Security Training Australia, specialising in information security and privacy consulting and training. Dr Siganto completed her PhD on privacy and information security practice in 2014. In 2017, she joined with long-time colleague Edward Ringrose in Ringrose Siganto.
Dr Siganto has been sought out by government departments, international corporations and Australian businesses to advise them on privacy and security matters, conducting privacy compliance reviews and privacy and security impact assessments. She has been engaged to act for corporations on the privacy, security and legal implications of moving data to the cloud, to review data sharing contracts and to undertake privacy impact assessments.
She has been involved with a range of industry groups, including acting as the Chair of the AISA Policy Committee and, more recently, as the AISA Education Director. In addition to her other work, Dr Siganto pursues research projects into cyber security issues. She has participated in a study led by Royal Holloway, University of London, which mapped some of the unique traits of information security practitioners in Australia, and led AISA’s research into the Australian Cyber Security Skills Shortage.