Don’t use the Equifax example: How you SHOULD communicate a data breach
Another day, another data breach and yet another apology.
After hackers stole the private data of 143 million Equifax customers (including data on 400,000 UK residents), its new CEO, Paulino do Rego Barros Jr, wrote an open letter that was published by the Wall Street Journal on 27 September.
“On behalf of Equifax, I want to express my sincere and total apology to every consumer affected by our recent data breach. We didn’t live up to expectations…We were hacked. That’s the simple fact. But we compounded the problem with insufficient support for consumers. Our website did not function as it should have, and our call center couldn’t manage the volume of calls we received.”
Even though a patch was available in March 2017, Equifax did not patch the vulnerability (Apache Struts, CVE-2017-5638) for more than two months. As a result, criminals had plenty of time to gain access to consumer information in Equifax's files. The breach was finally discovered on 29 July 2017. Equifax then took five weeks to publicly announce the cyberattack.
Things didn’t improve after they announced the data breach. The Equifax response was unprepared, confused and uncoordinated. Some of their blunders included:
- Too few and underprepared operators at the call centres, leaving alarmed customers facing delays and Equifax agents who couldn't answer questions. Calls went unanswered or were disconnected at random. Those who finally got through were told by outsourced call centre agents to visit the website. When customers visited the website to see if their data had been compromised, they were asked to sign up for 12 months' worth of the company's TrustID Premier service for identity theft protection and free credit monitoring.
- Equifax posted information about the breach at equifaxsecurity2017.com instead of on its trusted domain, equifax.com, completely confusing some consumers. This wasn't helped by an Equifax representative on Twitter directing customers to a fake version of the site: securityequifax2017.com. Luckily, that site had been created by a security researcher rather than a phishing criminal.
- As Zack Whittaker reported, the site Equifax used to set up credit account monitoring in the wake of the breach was itself vulnerable to hackers. It was open to a cross-site scripting (XSS) attack, which lets an attacker run malicious code on a legitimate website or web application. This could let an attacker trick a user into loading the site from a malicious link that asks for the consumer's personal information.
- A leak emerged that three senior executives (including the company’s chief financial officer) sold $1.8 million in shares within three days of the company learning about the breach on 29 July. In response to questions about whether the stock sales violated insider trading laws, Equifax said the executives did not know about the breach when making their sales, which were not prearranged.
- As Brian Krebs reported on 17 September, an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was protected by perhaps the most feeble password combination ever: "admin/admin".
- Mark Stockley reported that Equifax was advising consumers to freeze their Equifax credit files, but because of the insecure way Equifax generated freeze PINs, the frozen credit files were not as well protected as they should have been and remained at risk.
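The domain confusion above (equifaxsecurity2017.com versus the copycat securityequifax2017.com) is easy to catch before a link goes out to customers. The following pre-publication link check is an added example, not code from the article or from Equifax; the trusted and notice domains are taken from the article, and the classification labels are my own.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "equifax.com"            # the organisation's established domain
NOTICE_HOST = "equifaxsecurity2017.com"   # the separate breach-notice domain Equifax used

def hostname_of(url: str) -> str:
    """Extract a normalised hostname from a URL (empty string if none)."""
    host = urlsplit(url if "://" in url else "https://" + url).hostname
    return (host or "").lower().rstrip(".")

def is_under_trusted(host: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """Label-aware suffix match: the trusted domain itself or a subdomain of it.
    Rejects both 'equifax.com.example' and 'notequifax.com'."""
    return host == trusted or host.endswith("." + trusted)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute), used for near-miss labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(host: str, official: str) -> bool:
    """True when host is not the official notice host but its first label is a
    reordering of, or within one edit of, the official first label
    (securityequifax2017 is a reordering of equifaxsecurity2017)."""
    if host == official:
        return False
    a, b = host.split(".")[0], official.split(".")[0]
    return sorted(a) == sorted(b) or edit_distance(a, b) <= 1

def check_link(url: str) -> str:
    """Classify a link before it is put into customer-facing communications:
    'ok' (on the trusted domain), 'off-domain' (the separate notice site),
    'lookalike' (a copycat of the notice site) or 'unknown'."""
    host = hostname_of(url)
    if is_under_trusted(host):
        return "ok"
    if host == NOTICE_HOST:
        return "off-domain"
    if is_lookalike(host, NOTICE_HOST):
        return "lookalike"
    return "unknown"
```

Anything other than "ok" should be rejected by whoever signs off the message; the "off-domain" result is exactly the set-up that made the copycat credible in the first place.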
Was data from Equifax customers in the UK at risk?
After days of stonewalling customer queries, Equifax finally made a statement to its UK customers. It reported that its investigation had found a process failure, corrected in 2016, which led to a limited amount of UK data being stored in the US between 2011 and 2016. This means that it will need to contact 400,000 affected UK consumers.
So how SHOULD you communicate to your customers if you are hit by a cyberattack?
- Ensure your response is empathetic.
The Equifax response was tepid and emotionally disconnected. Sincere empathy and humility are key to surviving a data breach without your reputation going up in smoke. Ensure that whatever response is prepared has your victims at the very top of the plan: demonstrate that you understand the issues facing those at risk from the breach and can empathise with their concerns and anxieties.
- Apologise to your consumers and clients.
Taking a little time before publicly announcing a breach may be necessary to ensure that you have all the information available. Ensure your plan is complete and work out exactly what you are going to offer. Then apologise wholeheartedly and profoundly. Don't use the Equifax response of "We're disappointed". It wasn't good enough.
- Plan a specific response.
Make a watertight remediation plan that contains a real fix for the situation. Take immediate steps to identify the scale and scope of the crisis, then communicate it to regulators and consumers. Don't rely on Twitter to communicate your plans; instead, provide consumers and clients with an online hub containing a step-by-step description of what they need to do.
- Take note of past disasters and learn from them.
Many companies, from Target to Sony, have handled data breaches poorly. So get your information out to your customers properly and establish a one-stop online hub with complete information on the steps consumers can take to protect themselves. A good crisis manager will assess what comparable companies have done wrong, and done right, in similar circumstances. If you don't have one, start doing your own research.
- Preparation is key.
Data breaches are inevitable and even predictable. In 2018 all companies should be prepared for a data breach, especially those that keep sensitive consumer data on hand. That means establishing a crisis team and drafting a plan long before crisis strikes.
If you're running a business, crises are inevitable. It's how you handle them that will determine whether you move on relatively unscathed, or whether you lose customers and your reputation and may even be forced out of business altogether.