The Equifax board must be wondering if there is ever going to be light at the end of the tunnel. Every day seems to bring more bad news rather than good news. A week ago it parted company with its CEO, Richard Smith. He has decided to retire and will hope to stay out of the continued storm around the company. Sadly, his own lacklustre response to the data breach has contributed to the mess.
A rambling performance in front of legislators
Appearing before the House Committee on Energy and Commerce yesterday, Smith opened with an apology. Despite the company's failure to patch a known vulnerability in the Apache Struts software it used, Smith maintained that Equifax did everything it was supposed to. Looking to place the blame elsewhere, he pointed to a faulty scanner that failed to detect the vulnerability in March. He also blamed an unnamed member of staff who failed to apply the patches properly.
In a statement that will shock many large organisations, Smith admitted that Equifax had only one person responsible for patching its software. In and of itself, that is a failure of reasonable governance practice: it leaves no room for error and, as we now know, that error led to the data breach.
Watching the hearing was painful. Smith avoided many of the questions asked of him. His primary focus seemed to be on promoting the free tools the company has released. This led to some scathing comments from members of the committee.
Smith’s performance was arguably no better, and potentially even worse, than that of Dido Harding, CEO of TalkTalk, when that company was breached. Over several TV interviews, Harding changed the story and seemed to have little idea of what was really going on. Like Smith, Harding is no longer in charge. TalkTalk has begun to recover customers, although its shares are still around 50% lower than they were at the time of its breach in 2015.
Lawsuits beginning to stack up for Equifax
Equifax has also found itself on the receiving end of what could be a business-threatening lawsuit from the City of San Francisco. The City Attorney, Dennis Herrera, has brought a lawsuit against the company for failing to protect the personal data of more than 15 million Californians. The lawsuit hinges on the state requirement for prompt notification to customers when a breach takes place. Equifax withheld information that Herrera alleges has left millions at risk of identity theft. The press release announcing the lawsuit says:
Equifax violated state law governing unlawful, unfair or fraudulent business practices by:
- failing to implement and maintain reasonable security procedures and practices
- failing to provide timely notice of the data breach to affected California consumers
- when it finally provided notice, failing to provide complete, plain and clear information
Herrera wants Equifax to compensate California consumers who had paid Equifax for credit monitoring services. He also wants civil penalties to be levied, and these could end up being extensive. Finally, he wants a court order that would require Equifax to implement and maintain appropriate security measures for the data it handles.
This last demand is interesting. It requires agreement on what constitutes appropriate security measures. For any measure to be implemented, Equifax would have to disclose the measures and processes it already uses. Smith has already told the House Committee on Energy and Commerce that the company's processes didn’t fail. Herrera will seek to disprove that, which could heap more trouble on Smith.
San Francisco is the first city to go after Equifax. Its progress will be monitored by many other states and cities around the US. If it is successful, Equifax will find itself buried under lawsuits from around the USA.
Can Mandiant provide some temporary respite for Equifax?
On Sunday, Equifax interim CEO Paulino do Rego Barros Jr. said: “the analysis of the number of consumers potentially impacted by the cybersecurity incident has been completed.” In an attempt to recover some ground, Barros also ordered that the results be released publicly. He continued: “Our priorities are transparency and improving support for consumers. I will continue to monitor our progress on a daily basis.”
Despite this statement, there is no link on the Equifax site to the Mandiant report. We have emailed the press office asking for a copy, but so far there has been no response.
We do know a number of things from the report that were mentioned in the press release. These include:
- An additional 2.5 million US consumers were potentially impacted, taking the total to 145.5 million
- No databases outside of the US were affected
- The number of Canadians affected has been revised down from 100,000 to just 8,000
- An unknown number of Canadians were among those whose credit card data was stolen
- Equifax is talking to UK regulators before announcing how many UK consumers were affected
- Equifax is to mail written notices to every US consumer affected by the data breach
The speed with which the forensic investigation has been completed is good news. It is a major step towards resolving the issue and will allow the company to focus on the lawsuits and the other issues it now has to deal with. Smith has already blamed a single piece of software and one individual for the organisation's woes. If Barros is prepared to be as transparent as his comments imply, the Mandiant report will be interesting: any forensic investigation will have looked at the root causes of the problem and why processes failed. That information will also be of interest to Herrera and others who are planning lawsuits.
What does this mean?
Having a single individual responsible for patching, with no oversight or check process, shows a lack of system governance. That Smith has disclosed this suggests that Equifax has already decided where it wants people to put the blame. The problem is that insurers and investors will now be asking how many other critical processes are fit for purpose. It is likely that the Herrera lawsuit will lead to a significant overhaul of these processes. That will take time and cost significant sums of money. The question is whether Equifax has the time to do all this.
The implications of the Herrera lawsuit are significant. If it is successful in any form, it will lead to large numbers of copycat lawsuits. It will be interesting to see whether Equifax tries to get them all rolled up into a single class action lawsuit to limit the damage to the business.
So far nothing has been said about insurance cover for this incident. Like many organisations, Equifax will have insurance to deal with serious system outages. How quickly those insurers will pay out, and how they will react to Smith’s statements and the Mandiant report, remains to be seen.
The big bonus for Equifax is that the Mandiant report is complete. The board now needs to show that it is taking everything in that report seriously and is willing to change. It needs to put in place steps to improve its security systems. The obvious candidate to do that work is Mandiant, given the knowledge it now has of the organisation. All that remains to be seen is whether Equifax is willing to take on all the recommendations, irrespective of cost.