
Equifax Demonstrates All the Wrong Ways to Respond to a Data Breach 

By Julie Shafiki

Normally, when a company gets hacked, they're entitled to a certain amount of sympathy. Advanced malware is difficult to defend against, and the best that companies can do is sometimes not enough.

Equifax, on the other hand, has decided that the aftermath of a devastating cyberattack is the best time to act like a morally compromised bully. Its response to the loss of personally identifiable information (PII) for over 140 million Americans has been entirely inadequate.

No matter how sorry people feel for a company post-breach, some of them are still going to try to sue it. Seen in that light, it's understandable to take precautions that would minimize liability. There's a difference between self-protection and actively immiserating other parties that may have been harmed in a breach, however. Here are the many ways in which Equifax has defied good incident response practice — and one way in which it could have saved itself all the bad press.

Delay, Delay, Delay

Literally the first step in unveiling the Equifax breach represented a major incident response faux pas. The breach was detected on July 29th, but only announced on September 7th — representing a six-week delay in notifications. Although delays like this aren't illegal in the US, they're certainly unethical, and their days of legality may be numbered.

Every day that a company fails to announce a data breach is a day that cybercriminals can sell their stolen data without fear of scrutiny, and an extra day that customers are left undefended. Customers can't start credit monitoring, freeze their credit scores, or take other protective measures unless they've been notified.

The small silver lining is that next year, when the EU's GDPR takes effect, it will be illegal to wait more than 72 hours before announcing a breach. Since Equifax has European customers — some 400,000 of whom may be affected — it won't be able to hide a breach of this magnitude again.

Arbitration Aggravation

One of the most common ways for companies to help their customers in the event of a data breach is to offer two things — a dedicated customer support hotline, plus free credit monitoring. Equifax did comply with standard practice by setting up these services, but it also managed to anger customers with a legally dubious breach response.

Language was hidden in the fine print of the credit monitoring agreement, stating that customers who agreed to credit monitoring waived the right to sue Equifax. Customers were unhappy, and prosecutors were livid, mounting an immediate challenge in court. If the language had the intent of slowing class-action lawsuits down, incidentally, it had the exact opposite effect — 23 class action lawsuits are now underway.

Mixing Information Security Failures with Corporate Malfeasance

Immediately following the disclosure of the Equifax breach, much was made of the fact that two management officials sold $2 million worth of stock in early August, shortly after the breach occurred. While Equifax protested that the officials in question had no way of knowing about the data breach, the optics could not have been worse — and now the Justice Department is involved.

With its share price depressed by 35%, two executives under investigation, and another two — Equifax's CIO and CISO — recently ousted, it's hard to imagine how things could get worse for the financial giant, especially considering how avoidable this debacle was.

Equifax Could Have Avoided a Massive Breach with Secure Data Access Technology

All we know about the Equifax breach so far is that the company claims it is due to a vulnerability in a web server. While that's astonishingly sparse information for a data breach of this magnitude, it's enough for us to make this determination: Safe-T would have prevented this breach from happening.

By default, Safe-T Secure Data Access technology prevents applications and databases from directly accessing the network, and authenticates all users who attempt to read them. By funneling all users into strict channels when they attempt to access critical data, Safe-T makes it easy to monitor data usage and alert administrators to potential records breaches. One simple message could have shut down the Equifax data breach the moment it started.

Don't let your company be the next to grace headlines next to the words "historic data breach." Contact Safe-T today and learn how we can start protecting your sensitive data now.
