Five Major Mistakes Made by Equifax After the Security Breach

If you are an adult living in the United States, chances are you know about the Equifax data breach. The breach happened when some hackers exploited a flaw on Equifax’s Web site to gain access to confidential files. According to Equifax the security hack took place between May and July 2017. After the credit reporting company announced on September 7, 2017 that personal information of 143 million people in its possession was exposed in a data breach, it has faced several lawsuits from consumers, shareholders, financial institutions, and states. San Francisco has been the first city in United States to file a lawsuit against Equifax. Out of the 143 million people, 15 million people affected by the hack are Californians. Dennis Herrera, San Francisco’s city attorney, filed the lawsuit on behalf of his city and is seeking $2,500 for each violation.

“Equifax’s incompetence would be comical if the subject matter weren’t so serious,” Herrera said in the statement. “This company fell asleep at the switch and upended the lives of millions of people. The information that Equifax failed to safeguard is what people need to open a bank account, buy a home or rent an apartment. Now Californians have been put at risk of identity theft for years to come.” (TechCrunch, 2017)

There are multiple investigations underway both at the state and federal level, including those from the Department of Justice and the Federal Trade Commission. After the security breach, Equifax Chief Executive Officer (CEO) and Chairman Richard Smith retired. According to Fortune, “The CEO of Equifax is retiring from the credit reporting bureau with a pay day worth as much as $90 million—or roughly 63 cents for every customer whose data was potentially exposed in its recent security breach.”

After the CEO retirement, the Chief Security Officer (CSO) and the Chief Information Officer (CIO) also announced their retirements. Three Equifax executives (one of them was the CFO) sold almost $2 million worth of shares right after the company found out about the breach.

Here are some of the facts related to the Equifax hack, as reported by CNN Money.

• Equifax handles data of 820 million people and more than 91 million businesses around the world.
• The data breach exposed names, addresses, birth dates, driver license numbers, and even Social Security numbers of people in the United States.
• Equifax only gathers and sells our data, we are not its customers.
• Equifax can’t tell you with certainty if your information was hacked.
• Equifax will send email notification to 209,000 people whose credit cards were exposed.

What Do Equifax and Premera Blue Cross Have in Common?

Equifax is a credit reporting company and Premera Blue Cross is a health insurance company, but they both seem to have one thing in common. In 2015, Premera failed to protect personally identifiable information of its customers, despite plenty of warning from the FBI and the U.S. Office of Personnel Management, as reported by The Seattle Times in the story Feds warned Premera about security flaws before breach. Premera hack exposed 11 million records of its customers, which included Social Security numbers, medical records, birth dates, bank information, addresses, phone numbers, email addresses, and employment information. After the hack, Premera kept the cybercrime secret from its customers for six weeks, which allowed the hackers to steal even more data (ClassAction.org, 2017).

Equifax did the exact same thing. First it failed to protect personally identifiable information (of 143 million people) and then it kept the hack secret from the public for six weeks. Equifax discovered the security breach on July 29 and could have notified the public so the consumers could have taken security measures to protect their credit information and identity. However, it opted to hide the hack from the public until September 7, 2017.

Five Major Mistakes Made by Equifax

No matter how big or small the cybersecurity hack, there are always lessons that organizations can learn from such incidents. In my opinion, Equifax made five major mistakes after the security hack. Hopefully other businesses can learn from these mistakes.

Mistake #1

Equifax failed to protect personally identifiable information of 143 million people, the effects of which can be devastating.

Mistake #2

It intentionally kept the date breach secret for 6 weeks to further put the consumers identity and personal information at risk.

Mistake #3

It offered consumers a free credit monitoring service for a year, but in the fine print made the consumers agree to give up their rights to sue Equifax if they signed up for free credit monitoring. It’s like a bank robber robbing a bank and then telling the bank “I will make you a deal. I will promise not to rob you again if you agree that you won’t sue me for this bank robbery.” Luckily, under intense public pressure Equifax removed that clause.

Mistake #4

Equifax’s response to the security breach was a perfect example of what not to do when your company is hacked. TechCrunch summed it up this way, “Following the report, the company came under fire for its response, which was both lackadaisical and callous. The website that the company set up to assist consumers was at best broken and at worst, a scam. Phone calls to the company followed the same trend, and, since then, Congress is reportedly looking into the issue.”

Mistake #5

Equifax decided to make money off of consumers who were the victims of the Equifax security breach by charging them for a credit freeze. Luckily, under intense public pressure Equifax changed its policy and decided to waive all fees until November 1, 2017 (New York Times, 2017).

I am hoping that the credit bureaus (i.e. the three major credit reporting companies) in the United States will offer free credit monitoring services for life to all the consumers. They should also offer free credit freeze and thaws to all consumers. These measures are not only good for the consumers, they will also be helpful to the credit bureaus. If consumers already had these protections in place, the reaction to Equifax security breach would have been less intense because the impact on consumers would have been less severe.

And finally, I think it’s unwise for a corporation to use a public relations nightmare as an opportunity to make money off of the victims. Just sayin’!

Copyright © 2017 SeattlePro Enterprises, LLC. All rights reserved.