Another day, another data breach and yet another apology.
After hackers stole private data of Equifax's 143 million customers (including data from 400,000 UK residents), their new CEO Paulino do Rego Barros Jr, wrote an open letter that was published by the Wall Street Journal on 27 September.
“On behalf of Equifax, I want to express my sincere and total apology to every consumer affected by our recent data breach. We didn't live up to expectations... We were hacked. That's the simple fact. But we compounded the problem with insufficient support for consumers. Our website did not function as it should have, and our call center couldn't manage the volume of calls we received.”
What happened?
Even though a patch was available in March 2017, Equifax did not patch the Apache Struts vulnerability (CVE-2017-5638) for more than two months. As a result, criminals had plenty of time to gain access to consumer information in Equifax's files. The breach was finally discovered on 29 July 2017. Equifax then took five weeks to publicly announce the cyberattack.
Things didn't improve after they announced the data breach. The Equifax response was unprepared, confused and uncoordinated. Some of their blunders included:
- Too few and underprepared operators at the call centres, leaving alarmed customers facing delays and Equifax agents who couldn't answer questions. Calls went unanswered or were disconnected at random. Those who finally got through were told by outsourced call centre agents to visit the website. When customers visited the website to see if their data had been compromised, they were asked to sign up for 12 months' worth of the company's TrustedID Premier service, for identity theft protection and free credit monitoring.
- Equifax posted information about the breach at equifaxsecurity2017.com instead of its trusted domain equifax.com, completely confusing some consumers. This wasn't helped by an Equifax representative on Twitter directing customers to visit a fake version of the site, securityequifax2017.com. Luckily, the site had been created by a security researcher rather than a phishing criminal.
- As Zack Whittaker reported, the site used by Equifax to set up credit account monitoring in the wake of the security breach was itself vulnerable to hackers. The site was vulnerable to a cross-site scripting (XSS) attack, which lets an attacker inject malicious script into a legitimate website or web application so that it runs in visitors' browsers. This could let an attacker trick a user into loading the site from a malicious link that then asks for the consumer's personal information.
- It emerged that three senior executives (including the company's chief financial officer) sold $1.8 million in shares within three days of the company learning about the breach on 29 July. In response to questions about whether the stock sales violated insider trading laws, Equifax said the executives did not know about the breach when making their sales, which were not prearranged.
- As Brian Krebs reported on 17 September, an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was protected by perhaps the most feeble password combination ever: “admin/admin”.
- Mark Stockley reported that Equifax was advising consumers to freeze their Equifax credit files, but because of Equifax's insecure technique for generating freeze PINs, the frozen credit files were not as protected as they should have been and were still at risk.
Was data from Equifax customers in the UK at risk?
After days of stonewalling customer queries, Equifax finally made a statement to their UK customers. They reported that their investigation had found that a process failure, corrected in 2016, led to a limited amount of UK data being stored in the US between 2011 and 2016. As a result, they will need to contact 400,000 affected UK consumers.
So how SHOULD you communicate to your customers if you are hit by a cyberattack?
- Ensure your response is empathic.
The Equifax response was tepid and emotionally disconnected. Sincere empathy and humility are key to surviving a data breach without your reputation going up in smoke. Ensure that whatever response is prepared has your victims at the very top of the plan: demonstrate that you understand the issues facing those at risk from the breach and can empathise with their concerns and anxieties.
- Apologise to your consumers and clients.
Taking a little time before publicly announcing a breach may be necessary to ensure that you have all the information available. Ensure your plan is complete and work out exactly what you are going to offer. Then apologise wholeheartedly and profoundly. Don't use the Equifax response of “We're disappointed”. It wasn't good enough.
- Plan a specific response.
Make a watertight remediation plan that has a real fix to remedy the situation. Take immediate steps to identify the scale and scope of the crisis, then communicate it to regulators and consumers. Don't rely on Twitter to communicate your plans; instead, provide consumers and clients with an online hub with a step-by-step description of what they need to do.
- Take note of past disasters and learn from them.
Many companies, from Target to Sony, have handled data breaches poorly. So get your information out to your customers properly and establish a one-stop online hub with complete information on the steps consumers can take to protect themselves. A good crisis manager will assess what comparable companies have done wrong, and done right, in similar circumstances. If you don't have one, start doing your own research.
- Preparation is key.
Data breaches are inevitable and even predictable. In 2018 all companies should be prepared for a data breach, especially those that keep sensitive consumer data on hand. That means establishing a crisis team and drafting a plan long before crisis strikes.
If you're running a business, crises are inevitable. It's how you handle them that will determine whether you'll move on relatively unscathed, or whether you'll lose customers and your reputation and may even be forced out of business altogether.