The Equifax hack is one of the nation’s largest ever data breaches, affecting up to 143 million Americans or nearly half the population in the United States.
From mid-May of 2017 through July 2017, hackers got into Equifax’s systems and gained access to Social Security numbers, names, addresses, birth dates, and even certain people’s driver’s license numbers and credit card numbers. Additionally, some folks in Canada and the U.K. had their data stolen in the Equifax hack too.
At this point, the full impact of this complex drama is not yet known and could take months or even years to unfold.
But with so much at stake – for both consumers and Equifax – and with so many individuals impacted by this historic data breach, it’s worth noting what Equifax has already gotten right, and terribly wrong, in handling this unfortunate fiasco.
Sadly, there are a lot more negatives than positives thus far.
Here’s a look at both sides, in the hopes that Equifax and other organizations will learn some do’s and don’ts when the next inevitable data breach occurs.
The Equifax Hack: What They Did Right
The timing of the breach announcement
Critics may disagree, but I believe Equifax did precisely the right thing – in many ways – by announcing this data breach when they did.
Equifax says they first detected the hack on July 29, 2017. The company told the public about it on September 7, 2017. Some people have jumped all over Equifax for this nearly six-week gap. But jeez, what do you expect?!
Equifax had to wait to make an announcement about an incident of this magnitude. To do otherwise would have been dangerous, irresponsible and foolish – putting Americans’ data further at risk.
I’m sure their very first priority, upon detecting this hack, was to stop it. Equifax no doubt had to also step up their cyber security and buttress their electronic defenses.
The company said they notified authorities, hired a firm to determine the scope of the breach, launched and concluded a preliminary investigation, and took other measures to mitigate this crisis – including setting up a website and a toll-free number for consumers to get more information about the Equifax hack.
Six weeks, in my opinion, was not an unreasonably long time to handle all of this considering the scope of the review, the amount of data that had to be processed, and the investigative analysis that had to first get done to figure out what had gone wrong.
Besides, if company officials had immediately told people what occurred with the Equifax hack – before knowing all the facts that it’s provided thus far – can you imagine the heightened level of confusion, misinformation and problems that such a premature disclosure would have caused?
Another point about the timing of the announcement is worth noting.
Equifax revealed this data breach early afternoon on a Thursday.
They didn’t do it late at night or make the announcement after business hours on a Friday, to try to bury the news. They didn’t wait to reveal this mega-breach over the weekend, when they had to know that TV news would be dominated by coverage of mega-Hurricane Irma.
Less honest companies might have tried to weasel out of being in the harsh glare of the media spotlight, by disclosing a cyber hack at some less-than-peak time in the news cycle.
But Equifax didn’t go there. I give them brownie points for that.
Equifax CEO Richard Smith immediately personally apologized
I can’t stand it when corporate executives don’t fess up or recognize their own shortcomings amid a scandal.
It’s even worse when execs intentionally look past company and employee ineptitude, disregard wrongdoing and a lack of professionalism, or try to pin the blame elsewhere when things go awry.
Equifax doesn’t appear to have done any of that.
Even though cyber thieves set this catastrophe in motion with their illegal shenanigans, Equifax’s CEO took responsibility for the Equifax hack, and I give him credit for adopting that initial position.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” Equifax Chief Executive Officer Richard Smith said in a YouTube video.
Obviously, that apology isn’t enough. But it’s a good start.
Despite the apology, and the steps it’s taking to prevent another breach, Equifax has already been hit with a proposed $70 billion class action lawsuit filed in a Portland, Oregon federal court. The plaintiffs alleged Equifax was negligent in failing to protect consumer data. Another lawsuit out of Atlanta makes similar claims against the company in the wake of the Equifax hack.
As the fallout continues, I’m sure some people will even call for Smith’s resignation.
But in my opinion, this CEO did the right thing. He didn’t wait for the inevitable backlash to say sorry. He apologized right away, and he did so with an acknowledgement that Equifax has to do a better job of safeguarding client info.
The Equifax Hack: 4 Ways Equifax Screwed Up
I’ll leave it to the courts to decide whether Equifax will bear any legal responsibility for the breach itself. My guess: probably not. But who knows?
Meantime, however, Equifax is now in the throes of a major public relations crisis, not to mention dealing with the fallout to its stock price.
Equifax’s stock suffered a predictable, knee-jerk reaction: on Friday, the day after the company announced the Equifax hack, its stock fell about 14%. Additionally, Moody’s Investor Services predicted the breach would negatively impact Equifax’s finances over the next year or so, a Yahoo Finance report said.
Regardless of whether or not the stock rebounds, Equifax will definitely pay a price on the P.R. front for botching its guidance to consumers on what to do next in the wake of the breach announcement.
Here are 4 ways Equifax screwed up royally, and eroded consumer trust, in its initial handling of this enormous data breach.
It promised upfront answers to consumers then failed to deliver
Equifax urged people to visit http://equifaxsecurity2017.com, the website Equifax created to help you determine if your information was illegally accessed.
On the site, you must enter your last name and the last six digits of your Social Security number.
Based on that information, Equifax says you will receive “a message indicating whether your personal information may have been impacted by this incident.”
Well, that’s not actually what is happening.
Plenty of people – myself included – followed Equifax’s instructions and are still in the dark about whether or not our information was compromised.
After entering the data Equifax requested, I expected to get some kind of clear and direct message about this matter, something to the effect of:
“Yes, it appears that your data was illegally accessed” or
“No, it does not appear that your data was illegally accessed”
But Equifax provided no such clarity.
Instead, I just got an online message saying “Thank you” and telling me to visit the site again in a week in order to complete my free enrollment in the company’s credit monitoring service, TrustedID Premier. That service includes:
On Equifax’s newly established website for consumers, the company had also said: “Regardless of whether your information may have been impacted, we will provide you the option to enroll in TrustedID Premier.”
Ultimately I, like countless other people, was left wondering: So did crooks tap into my information or not?
This was an epic failure – one that could have been avoided with more care and attention to how consumers would experience this process.
Equifax blew it on the telephone customer service front
Equifax also recommended that consumers with additional questions contact a newly set up, dedicated call center at 866-447-7559. Equifax promised that the call center would be open every day (including weekends) from 7:00 a.m. – 1:00 a.m. Eastern time, in order to help people.
But writers from Fast Company said they called the customer service line at 5:45 pm on Thursday – only to get a recorded message saying they were calling after business hours.
Bloomberg writer Polly Mosendz shared on Twitter that she had to wait 48 minutes for customer service help. When an Equifax rep finally got on the phone, he said he worked for a company to whom Equifax had outsourced phone duties, and the guy Mosendz spoke to couldn’t tell her whether her data had been compromised.
I had pretty much the same experience as Mosendz.
When I called Equifax’s toll-free number twice on the day after the Equifax hack announcement, I initially got busy signals; yes, busy signals!
During the second call, just before I was about to hang up, a recorded message came on saying that if I was calling about “the incident” please hold on for further help and information.
I waited on hold for 9 minutes before a customer service rep got on the line.
Unfortunately, he was literally no help whatsoever.
He simply read me a script about the data breach and referred me to the new Equifax website.
When I told him that I had used the website but I still didn’t know if my data was compromised and I wanted to know if I was affected or not, he told me that he worked for a “third party” and did not have any access to my credit files so he didn’t know the answer to the question I was posing.
In the midst of a crisis like this, why on earth did Equifax refer people to a “dedicated” customer service line for so-called “help” with “additional questions” only to subject consumers to incessant phone delays, outsourced know-nothing workers, and an understaffed call center?
Equifax gave the appearance of financial wrongdoing
One of the most damning narratives that have emerged about Equifax in the wake of this data breach is the idea that top company officials tried to shield themselves financially from the fallout of this hack.
According to Bloomberg, three Equifax executives sold nearly $1.8 million in stock after the data breach was discovered on July 29, and before the public was notified about the Equifax hack.
“Regulatory filings show that on Aug. 1, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 scheduled trading plans,” Bloomberg reported.
An Equifax spokeswoman said none of the three executives knew about the data breach before they sold their stock. Even if that’s true, the damage has already been done.
Hundreds of media outlets have reported the poorly timed stock sales. Most news stories either strongly implied that some fishy business had gone on, or flat out stated that Equifax execs were guilty of malfeasance or insider trading.
Assuming we believe Equifax’s assertion that those stock sales were done without the executives knowing about the breach, how could the Equifax team (whoever did know about the hack) be so stupid as to not immediately advise the company CFO (of all people!) about an unprecedented data breach of this scale?
July 29 was a Saturday and the CFO sold his stock three days later, on Tuesday, Aug. 1, 2017, according to regulatory filings. It’s not entirely implausible that the CFO, for whatever reason, didn’t get wind of the breach over that weekend when the Equifax hack was detected. (He should have, though.)
But you mean to tell me that the CFO went to work on Monday, July 30th or even on Tuesday, August 1st and simply never got wind of this calamitous news?
Talk about being out of the loop.
If this is truly the case, I don’t know which is scarier: the fact that the CFO was not instantly informed of the data breach by his Equifax colleagues, or the fact that Equifax, which is supposed to keep our sensitive personal data safe, didn’t even detect the hack for more than two months into the episode.
Equifax initially unfairly strong-armed consumers
If you immediately hopped onto the website Equifax set up, you may or may not have read the fine print, in the form of the terms of service Equifax posted online.
The gist of it, as The Washington Post’s Brian Fung reports, is that buried in Equifax’s terms of service is a clause that could potentially prohibit you from joining any class action lawsuits against Equifax tied to this breach.
Now before you scream bloody murder, know that Equifax has already tweaked this. Bottom line: you can opt out of this provision if you notify Equifax in writing within 30 days. I’m sure the lawyers were involved in all of this.
But again, how moronic of Equifax staff to throw that language in there in the first place!
Strong-arming consumers into online agreements that force them to give up their legal rights just to check on their credit data was just wrong. And that gives Equifax yet another black eye in this whole mess.
All of these blunders, unfortunately, were self-inflicted wounds caused directly by Equifax – not the hackers.
In fairness to the company, I know this must be a fast-moving, sensitive PR and corporate nightmare for Equifax. It’s a challenge to do everything right for any company or organization victimized by a large-scale, high-profile data breach.
And let’s not forget, of course, that Equifax is far from alone in getting hacked. Bigger attacks have struck Yahoo, LinkedIn and Adobe, and the laundry list of businesses and entities that have been hacked seems to grow nearly every day.
Data breaches have occurred everywhere from financial services firms like TD Bank and Citigroup to retailers such as Target and Home Depot.
Heck, even some of the most sensitive federal agencies of the U.S. government – including the IRS and the Office of Personnel Management – have been hacked!
So clearly, more needs to be done in the effort to stay ahead of online crooks and cyber thieves intent on wreaking havoc, stealing consumers’ private data, and making a buck off of unsuspecting people’s good name or credit.
Until then, we all have to remain vigilant and proactive in protecting our data. You can start by taking smart steps like getting a credit freeze or putting a fraud alert on your credit files.
By putting an alert on your credit files or even locking down your credit files, at least you make it way tougher for cyber criminals to harm your credit.
It probably also wouldn’t hurt to sign up for the one year’s worth of free credit monitoring and identity theft services Equifax is now offering consumers.
After all, that’s the least Equifax can do to start making things right.
#Equifaxhack #Equifaxbreach #EquifaxDataBreach