On September 07, 2017, Equifax—one of the “big three” credit reporting agencies—shared a quiet investor relations document with information about a security breach that began in May 2017 and was not discovered until late July:
[Criminals accessed] names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. [They] also accessed credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.
It took Equifax another 40 days to let people know outside the company.
The response from Equifax has been “corporately cautious” with little consideration for the effect on people. Ironically, the company is offering “complimentary identity theft protection and credit file monitoring.” If you do sign up, you are also agreeing to the small print that signs away your right to be part of a future class action lawsuit.
Helping consumers understand the impact of the breach was handled so poorly that, according to Ars Technica, OpenDNS initially warned visitors that Equifax’s website about the breach might be a phishing scam:
[T]he website … runs on a stock installation of WordPress, a content management system that doesn’t provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn’t perform proper revocation checks. Worse still, the domain name isn’t registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people’s details. It’s no surprise that Cisco-owned OpenDNS was blocking access to the site and warning it was a suspected phishing threat.
Many of these issues have been corrected since the website was released, but it stands to reason that a company would want to secure the very website it is using to rebuild trust with its customers. News about executives within the company doesn’t help its image either.
According to company spokesperson Ines Gutzmer, when Equifax executives, including the CFO, unloaded up to 13% of their shares before the breach, they “had no knowledge that an intrusion had occurred.” This was reported by Anders Melin at Bloomberg. Whether or not these executives knew of the intrusion, it feels as though people in power come out ahead in any circumstance, win or lose. The people who trust Equifax to hold their data securely are the ones who lose.
Chris Drake, the Founder of the security firm Armor, reminds us who suffers most from a security breach:
Regardless of emerging details, one thing is certain: big companies will continue to be the ones that make headlines when breaches occur, but the millions of people affected will ultimately suffer the most as their information is potentially traded or sold on the Dark Web.
Companies like Equifax can take this as a calling to make the people who use their services a priority, because it’s clearly not happening. Their investor relations document went on to assure investors that, “We … expect to increase our capital spending in an effort to further accelerate IT infrastructure, systems and data security and resiliency improvement actions.”
Zero Hedge, an investment website, responded cheekily:
Oh, good, because a hack involving 143 million SSNs is one of those cases where capex probably should have taken precedence over stock buybacks. Don’t worry though, because as it explains in the same quesionnaire [sic], “Equifax remains committed to delivering on the long-term financial model of 7-10% revenue growth and 11%-14% growth in Adjusted EPS on average over a business cycle. Equifax’s long term financial model reflects our continuing fundamental ability to utilize our unique and differentiated data assets and leading analytical capability to deliver high value products and services to our customers.”
Uhm, after this… what customers?
It’s more honest than I can write. We’re getting an idea of the truth, but how can we make this better? Our friends at Adaptable Security are working to combat unethical business practices by making privacy and security transparent, one company at a time. They help people understand which companies can be trusted with their personal information.
I spotted a call for papers on ethics in business as this story broke. We know it’s a problem, we know it needs to be addressed. Now, let’s get out there and do something about it.