Learning from the Equifax debacle

The issue of cybersecurity is a topic I have touched on several times in this blog. As a PR practitioner, it is a topic I believe every client should be vested in. In the past year cyberattacks in various forms have become a mainstream concern as everyone from political parties, global law firms and even entertainment providers find themselves directly affected.

But the recent cyberattack on credit monitoring firm Equifax has elevated security concerns to a whole new level. And in some quarters, the attack is considered a watershed moment in how we think about and deal with cybersecurity at large.

To briefly recap, earlier this month Equifax reported a massive data breach, saying hackers may have accessed the personal details (including names and Social Security numbers) of more than 143 million consumers from mid-May to July 2017. In addition, credit card numbers for more than 200,000 people and certain documents for another 182,000 were also accessed.

From a PR perspective, that revelation alone is enough to send any company into crisis mode. But when you are a credit monitoring agency – in effect the very organization responsible for safeguarding consumers’ credit history and other data – the potential for negative fallout is enormous.

One would assume that a company in this line of business would be prepared for such an eventuality, particularly given the growing prevalence of attacks. But in the case of Equifax, it appears they company was not only spectacularly unprepared, but its internal standards of security and strategic response were lax at best, and perhaps negligent.

Let’s consider some of the missteps the company took:

  • Equifax became aware of the breach at the end of July, but then took several weeks to disclose it.

  • The company directed victims to a separate domain – equifaxsecurity2017.com – for further information, rather than adding a dedicated page on its existing, trusted website. The newly  created site was quickly discovered to contain bugs, which is hardly reassuring, especially considering the fact that Equifax was asking people to submit the last six digits of their Social Security number as a way of checking whether their information had been potentially compromised in the breach.

  • The company’s approved Twitter channel tweeted the wrong website link multiple times, directing consumers to a phishing link rather the actual breach response page.

  • The attackers got into Equifax's systems through a known vulnerability with an available patch

  • The company acknowledged that it knew about the patch when it was first released, and had actually attempted to apply it to all its systems

  • According to a Wall Street Journal article, there is evidence to suggest that there was an earlier breach in March, likely pulled off by the same attackers

equifax2.jpg

We could also point to the fact that Equifax executives sold off $2 million in company stock in August, just prior announcing the breach being. There was also the company’s clunky attempt to surreptitiously include an arbitration clause in its offer of free credit monitoring to victims…but at this point I think you get the picture.

If this was any other company, I would consider the response we’ve outlined here both inept and inadequate, but unfortunately not an isolated example. However, given we are talking about Equifax, a company whose sole purpose is to gather, safeguard and verify the most crucial and valuable personally identifiable information of American consumers, its response has been abysmal.

Whether this incident proves a tipping point in terms of cybersecurity remains to be seen, but early signs point to potential legal or regulatory changes ahead. A number of class action suits have already been filed, and both Republican and Democratic members of the Senate Banking Committee are citing the breach as a reason for requiring closer scrutiny of data security measures at credit bureaus.

Now more than ever, companies of all sizes must take heed. It is imperative that they place a premium on security, ensuring that the best and most effective protocols are in place to minimize the threat of attack. They must also come to terms with very real possibility that – in spite of extraordinary precautions and robust security spending – a data breach is likely to occur at their organization at some point in time. When that happens, a thorough, thoughtful incident response plan must be ready, and communications must be a core component of that plan. How are you going to respond to different attack scenarios? When will you report a breach? When and under what circumstances will you go public? What are you going to say? Who are you going to say it to? Who is going to say it?

Don’t wait until you are knee-deep in water to call a plumber; prioritize your cybersecurity response plan today.