Credit monitoring giant Equifax confirms it has suffered a mahoosive data breach, but that’s only where things start getting screwed…
In a statement Equifax makes a point of highlighting that there is “no evidence of unauthorized access to core consumer or commercial credit reporting databases,” yet admits that, “criminals exploited a U.S. website application vulnerability to gain access to certain files.” Files that could potentially impact 143 million customers in the US.
But wait, it gets worse. Much worse. It has been revealed that three Equifax executives sold nearly $2m of stock just days after the discovery of the breach, but weeks before it was disclosed to the public. Of course, apparently they had no idea about the breach at the time and it was just pure coincidence. Sounds like MRDA to me, truth be told.
That’s not even the worst of the ‘much worse’ bit though. Are you ready for this? If, like many Equifax users, you headed to the site set up by the company to help users establish whether their data was amongst that compromised, then you will have got more than you expected. Legal language originally used within the terms and conditions disclaimer of that site meant that users would be waiving their right to take class action against the company. Yep, you read that right. Equifax has responded to the emerging category five shitstorm by removing the clause and insisting that the “arbitration clause and class action waiver… does not apply to this cybersecurity incident.”
All of the above can be summed up as too little, too late: evidence of a major enterprise being totally unprepared in terms of incident response planning.
To be blunt, in reputational terms, Equifax has been well and truly Equifucked.
Loving the Equifucked description, it’s a perfect fit. Everything that could go wrong has gone wrong here. I teach security hygiene as part of a business consultancy, and will be using Equifax as my example of choice to demonstrate how not to respond to a major incident.
As I say in my analysis, I think that the apparent lack of a meaningful incident response plan (or maybe a lack of putting it into action properly) is the main story here. If we are to accept that breaches will occur, then how organisations respond to those breaches will be the differentiator between survival and ruin…
Good piece, ruined by unnecessary use of foul language!
Naturally I agree that it is a good piece, but will take issue with your use of the word ‘unnecessary’ in that feedback. What was unnecessary was the bad practice that led to this breach, the poor patch management, the lack of a meaningful incident response policy, the clause in the terms and conditions when users looked to see if their accounts had been hacked. All of that, all of it unnecessary. Words are just words, and strong ones are sometimes appropriate when the screwup being described is so huge.