Credit reference agency Equifax must be wondering what, if anything, will be left of its reputation and credit worthiness after its data breach. So far the company has admitted that its much vaunted credit service has given up the details of 143 million customers. Among the data lost are social security numbers, birth dates, addresses, credit card numbers and other personal data.
For many of those customers, the news will bring more misery. US companies have been giving free credit monitoring to people who lost data through a data breach. The US government is one of those organisations. Now customers are hit again by a major failure from a company they expected to protect them.
How was the data lost?
Several days after the breach this is still not clear. Evidence so far points to a web application vulnerability. This would have allowed the intruders to launch a range of different attacks resulting in elevated privileges. At this point they would have had access to the data and the means to exfiltrate that data. Until the exact vulnerability is known, it is impossible to say whether Equifax was unfortunate or incompetent.
This was also no smash and grab raid. The attack took place over several months. This allowed the attackers to keep each data exfiltration small enough to prevent easy detection. It will take time to identify precisely how the data moved out of Equifax. Was it just sent to a server? Did it go to a cloud account?
All of this raises significant questions over the capability of the Equifax security team and its processes.
Breaches happen. They are now part of business. While the impact of the breach in this instance is severe it is not that which is likely to cause long-term reputational damage to Equifax. There are additional ‘actions’ which will have repercussions for the company. Among them are:
- the breach was kept secret for several weeks: this allowed the criminals time to monetise the data which will have been mixed with other stolen data to create highly complete sets of data for individuals; that data will be sold to other criminals and identity thieves
- three directors sold off their shares in an act that was probably insider trading; in doing so they were able to avoid a 12% loss when the breach became public
- customers must agree to not sue if they want compensation.
This last is perhaps the most contentious and sordid part of the whole affair. Equifax has also set up a website to help customers who want to know if they were affected. The first version of the site required customers to agree to not sue or take part in a class action lawsuit against the company. If they did this they also agreed to mandatory and binding arbitration.
As reported on Extreme Tech: “If you follow-up with Equifax to claim your identity protection offer, you will create an account and that means you’ll be subject to these terms of service.”
A change of tone
After the outcry over the arbitration clause, Equifax backtracked. It has now altered the front page of the site to say: “We’ve added an FAQ to our website to confirm that enrolling in the free credit file monitoring and identity theft protection that we are offering as part of this cybersecurity incident does not waive any rights to take legal action.”
While this is good news for this incident it does raise questions over why customers should waive their rights in the first place. As the coverage by Extreme Tech says: “..the Supreme Court has upheld the legality of these mandatory arbitration clauses in multiple cases, including one earlier this year.”
What is interesting is that most of the Supreme Court cases focus on employees rather than customers. However, an article on Jones Day deals with the case of DirecTV, Inc. v. Imburgia. In that case the Supreme Court decided that such clauses were in line with the Federal Arbitration Act. As such it overruled the previous position that arbitration clauses would only be allowed if State Law permitted them.
What does this mean
Equifax’s behaviour mirrors the confusion of other large companies when hit by a major data breach. They go through a sequence of phases – denial, damage limitation, looking for every get-out clause they can, issuing confusing and/or conflicting statements – before finally getting to grips with the problem. The lessons of Target (USA) and TalkTalk (UK) seem to be ignored by too many boards.
Part of the problem is that while the C-Suite begins to understand the challenges of cybersecurity its members are not addressing Incident Response planning. A recent report from KPMG showed that FTSE 350 companies in the UK were skimping on Incident Response training.
The prime difficulty is the belief that the response to a data breach is a technical one. It is not. There are significant legal and regulatory requirements which require satisfaction. There is also the not so small matter of dealing with the press, social media and an organisation’s reputation.
Social media has been scathing about the actions of Equifax. The change in tone over the arbitration clause came after some high profile politicians commented on social media. They are not the only ones who are taking Equifax and its board to task. It will take time before the impact on Equifax is fully understood.
Equifax is currently the second most used service by banks, credit card companies and other organisations that do credit checks. It will be interesting to see if, in a year, that is still the case.