I awoke here in Australia yesterday morning to news of yet another major data breach. Until that time, I didn’t know who Equifax was; I knew who their competitor Experian was as they’ve been down the data breach path before, but Equifax was all new. And the breach was 10 times larger. And a bunch more stuff was going wrong…
The first thing that struck me was the timing. Listening to the CEO’s video, I heard him talk about learning of the incident in late July, a full 6 weeks before their public announcement. I’ve not heard a rationale for the long lead time, but I can bet it involves the words “ongoing investigation” and a justification around these things taking time to handle properly. Meanwhile, someone else is holding onto a very large chuck of their customers’ data without the victims knowing a thing about it.
From there, it just felt like an avalanche of bad mistakes due to poor judgement; the dodgy looking equifaxsecurity2017.com domain with the announcement (why not a subdomain of equifax.com?), the news of managers selling stock after Equifax learned of the breach, the dodgy wording of the terms should you use their free search service to check your breach exposure and to top it all off, the unreliable results returned by the tool for those who did indeed use it. As if the breach itself wasn’t bad enough, Equifax has now dug themselves into another big hole – people don’t trust them.
Now you may say “well, people won’t trust them anyway after they lost 143 million records” and certainly that was always going to be a major problem, but it’s one they can overcome. Adobe has overcome it. LinkedIn has overcome it. Crikey, even Ashley Madison has overcome it! But they all did so by demonstrating to consumers that even after a seriously nasty incident, they could still be trusted.
Equifax clearly hasn’t thought this through very well. Take the managers dumping stock and assume for a moment that the timing was merely coincidental; it’s a very bad look. Surely after the initial discovery someone should have said “hey, we probably should ask senior leadership not to sell off chunks of their interest in the company”. As much as they might say that wasn’t feasible due to the “ongoing investigation”, if they hadn’t had waited so long in the first place then the window in which this could have happened would have been dramatically reduced. Public perception is enormously important here and it’s the same again with those terms; they’ve since been clarified but regardless of their original intent, it only takes one glance at them to realise that they really don’t look good…
Here’s the lesson for everyone else who is yet to disclose all the breaches that are still to come: after an incident like this, everyone wants to pile blame on the company involved. They’ll look for any little excuse to vent their anger because they’re quite rightly upset about the whole thing. How Equifax managed to provide so much fuel to fiery customers when they took 6 weeks to work out how to handle this is completely beyond me.
