Will Anybody Learn From the Equifax Debacle?


By: R. Scott Raynovich


The cybersecurity crisis of the year continues. Equifax, which last week announced a data breach that has potentially affected as many as 143 million consumers, still has very few answers about what's happened and what's going on -- and continues to bungle the response as its share price craters.

Equifax holds sensitive records including Social Security numbers, credit card information, and driver's license numbers. The data breach occurred between mid-May and July 29. Initially, credit card records for 209,000 people were reported exposed, as was "personal identifying information" on roughly 182,000 customers involved in credit report disputes.

So far, the company's response has been comical. It continues to refer consumers to a weird, phishing-like URL, https://www.equifaxsecurity2017.com/... (which we shall not link to), which is functioning sporadically. There, the company asks consumers to enroll in its own data security site, TrustedID (one year free! gee, thanks), which ZDnet found somewhat useless in determining risk -- with the site identifying randomly generated data as compromised information. The image below shows the message posted on the Equifax home page.

[Image: the message posted on the Equifax home page]

To make it worse, the company caused a legal stir by including arbitration language in the new security information site's Terms of Service, suggesting that users who signed up for the service couldn't sue the company. It was later forced to change the language after public outcry.

Then there's the wisdom of pointing consumers to the company's own security service. As my wife put it, "They lost all your information and now they want to send you to one of their sites to collect more information?"

But that's just the beginning. There are so many other questions:

  • How exactly did the hack occur? Very little information has been forthcoming, though some have speculated it was engineered through loopholes in outdated web application platforms. Futuriom has put in an information request to Equifax, but has so far not heard back.
  • Where and how is Equifax data encrypted? My fear is that the company does not have high data encryption standards. So far, the company has said nothing. This was also part of Futuriom's request for information.
  • Where is the senior Equifax technology team on this? They should be front and center -- though they are nowhere to be found. It could be that the cybersecurity chief was brand new -- as the company had recently posted a job req for a VP of cybersecurity.

The company has now lost more than 20 percent of its value since the news broke. So far, the company hasn't done much to repair its reputation. Maybe it's true that the company is composed of DNA that has made it "hated for more than a century," according to Fast Company magazine.

What would you do? If you are a CEO, top technology executive, or board member, cybersecurity should be at the top of your list of things to fix. There have been massive hacks at Anthem Healthcare, Target, JP Morgan Chase, and the Internal Revenue Service, among others, that have compromised millions of personal data records. If the red flags weren't already up -- more have been raised. Companies with sensitive consumer data should be completely overhauling their security plans, and consumers should be paying attention to what they are doing.

I'm afraid not enough is happening. As we found in our investigation into security practices in the Futuriom SysSecOps (Systems and Security Operations) report, many large organizations do not have a coordinated system for managing their security tooling and responding quickly, leading to disasters like Equifax. As a reminder, 10 percent of the professionals in the Futuriom SysSecOps survey, which targeted technology managers as well as senior executives, said that their security strategy was "a disaster."

The Equifax disaster already ranks in the top three cybersecurity crises of all time -- and it's possibly number one in terms of a crisis of confidence. Hopefully this leads to a more careful examination of personal identity and security practices.