Whilst it might be nice to focus on the new Apple iPhone released last week, it can pretty much be summarised by the word ‘meh’. So the focus is instead on the Equifax data breach and the impact it could have on the world.
Did Equifax really think it could hide behind the total number of people affected being smaller than other recent data breaches?
Sometimes the top-line numbers can obscure the real story and so was the case with the Equifax data breach, which affected 143m Americans and around 400,000 Brits. Initially, it felt like the story was downplayed because of other much larger data breaches involving 700m people globally. But there is a huge difference here and it shouldn’t have been a surprise that this erupted into a major failure for Equifax.
No data breach involving personal data is minor, as the stolen data can be used in attempts to obtain further personal information. In the case of Equifax, the amount of data on each individual was much bigger and included names, addresses, phone numbers, credit card numbers, birth dates and social security numbers. This is the type of data used to authenticate people at banks; it does not change over time and is not protected against fraud in the way credit card numbers are.
Luckily for the 400,000 Brits, the footprint seems to be much smaller, but it still includes names, dates of birth and email addresses.
The response from Equifax has been a textbook failure.
Equifax knew about this breach since July and took 40 days to disclose. The breach itself happened in May.
GDPR, the European regulation coming into force in May 2018 and also being adopted in the UK, will require you to disclose a breach to the authorities within 72 hours.
Luckily for Equifax, GDPR is not active yet, though current laws still require them to notify the Information Commissioner’s Office (ICO) within 24 hours of knowing the essential details. The penalties under GDPR are also very different – up to €20m or 4% of global turnover. Today they are limited to £500,000.
I am sure the UK and European regulatory bodies will be paying close attention to this breach, and not just to the delay in notifying the authorities, since there also appeared to be a further delay in publicly notifying people internationally.
Even today there is no site available to confirm whether you are affected in the UK. Their disclosure is also unclear: they state that UK systems were unaffected and that UK data was held on US servers between 2011 and 2016.
Given that the breach happened in 2017 and UK data was affected, that would imply data was held beyond 2016, but maybe I am missing something.
Whilst in the US you are required to go to a website to find out if you are affected, Equifax is writing to affected customers in the UK. How they will contact people who have changed address over the timeframe mentioned is anyone’s guess.
Both options should have been available to all affected customers.
A simple failure
Staying on top of security patches is requirement number one for all companies, not just a data company like Equifax, yet the breach was caused by a security flaw that had been patched two months before.
There may have been some mitigating factors around this delay, as the flaw required web apps to be rebuilt and tested. If the apps were old this may have taken longer to fix, but it is not clear whether this was the case, as communication around this aspect has been poor.
Public Relations fail
Given the delay to notifying people, you would think that they had time to figure out the best approach to communicating the failure but from the start it has felt like they were on the back foot and not in control. Surely they needed to show people that they understood the scale of this breach and that they were doing everything they could to safeguard their customers.
Instead of projecting care for its customers, the message that came across was that Equifax was poor at data security and might even make money out of the breach.
The way the organisation is structured is likely to be one factor, but there also seems to have been a lack of preparation and organisation for this scenario.
It took the CEO five days to say anything about it publicly.
The typical response of companies that experience a data breach is to provide one year of free credit monitoring. Equifax’s standard terms include a clause which prevents you from suing them if you use their credit monitoring offering.
They eventually confirmed this will not be the case. Regardless, the level of breach means that one year of credit monitoring is unlikely to be sufficient.
The site itself even had a common security flaw, which allowed hackers to siphon off the personal information of visitors.
One other option is for users to freeze their credit, but Equifax continued to charge for this before eventually saying it will waive fees for 30 days.
This may have just been a poorly thought through commercial decision, but those who did freeze their credit then found that Equifax was using easily guessable PINs. Eventually this got fixed as well.
The security issues didn’t stop there as it was discovered that Equifax Argentina’s employee portal could be accessed with a username and password of ‘admin’.
All of this suggests poor security processes being in place.
One member of their customer service team tweeted “Happy Friday..” from an Equifax social media account, which unsurprisingly resulted in mass derision and had to be quickly deleted.
Finally, if statements from Equifax are to be believed, even the CFO, along with two other senior members of the team, was unaware of the breach, as all three proceeded to sell nearly $2m worth of Equifax shares in the days after it was identified.
The fallout
The chief security officer and chief information officer have both resigned and the stock price has fallen 35%.
So far the FTC and SEC in the US have announced investigations, whilst the ICO has remained quiet other than demanding that Equifax notify affected customers. I suspect there will also be class action suits in the US.
The bigger questions, though, are around how long it took Equifax to notify people and why US and international citizens were not treated equally.
Hasty and reactive laws are never a good thing, but I suspect this breach could lead to a closer look in the US at how responsibilities for protecting people’s data are defined and penalties applied.
I suspect someone will also be looking at the UK data held in the US and whether it was even allowed to be there in the first place.
This in turn could lead to a closer look at the current Privacy Shield framework which is designed to protect UK and European data held in the US. Whilst an improvement on the previous Safe Harbour agreement, which collapsed under a court case, some thought the current framework could also collapse in the same way. Could this be the trigger?