Equifax: School is Back in Session
David Shrier
Managing Director, Visionary Future | CEO, Phorum.AI | Professor of Practice, Imperial College London | author
Watching the slow-motion train wreck that is the Equifax Hack, it's hard to even muster schadenfreude. Let's use this as a teachable moment: 8 Lessons in Cyber Response.
For those of you not familiar with Equifax, it’s one of the three major credit bureaus, along with Experian and TransUnion, that track and report on adverse credit events, using 1960s approaches to managing risk in the global financial system (disclosure, my new company spun out of MIT, Distilled Analytics, has tools that address several key deficiencies of the traditional credit bureau model).
But the problems aren't primarily with their business model or even their core credit products and services. Our focus will be on their inadequate cybersecurity and incredibly poor response to a cyber breach.
First, the hack itself: 143 million consumers had critical personal information stolen from Equifax including names, social security numbers, birth dates, even driver’s license numbers in some cases.
Then, a trickle of bad news that mirrors some of the other hack-related events we've seen recently, including a report emerging that senior executives, including the CFO, sold their stock after the hack was discovered by Equifax but before it was disclosed to the public. Although Equifax claims that the executives had no knowledge of the hack, these sales of millions of dollars of stock were also not part of a regular stock diversification plan.
Lesson 1: don't sell off your stock right after a material adverse event. If, as Equifax maintains, the CFO did not know about the hack, that speaks to a different (colossal) failure of corporate governance.
We learn that the security issue making the hack possible (an Apache flaw) was revealed in March, the hack occurred in May, Equifax says they didn't know about it until July, but they didn't tell the rest of us until September.
Lesson 2: the longer you wait, the worse it gets. Major events need to be disclosed immediately, so that consumers can take steps to protect themselves.
The website that Equifax set up to tell consumers whether or not they have been hacked is itself awash in security failures, such as improper or missing certificates. It's a site just begging to be hacked to capture more personal information, maybe picking up the consumers who were missed the first time around.
Lesson 3: if you're going to restore order, make sure you actually get it right.
People started digging around the terms of service on the site, where they discovered that just the act of checking to see whether or not you've been hacked would result in you waiving your rights to join a class action suit. Yes, technically, you could send in a written notice opting out of the binding arbitration provision embedded in the TOS, but most people aren't even going to know to check for that arbitration provision in the first place. The New York State Attorney General has taken notice.
Lesson 4: contracts of adhesion are a terrible idea in the middle of a crisis. They probably create more liability than they prevent.
Several other issues arose. For example, people reported false positive and false negative results; apparently all you have to do is put in "Mickey Mouse" and a random string of numbers for your Social Security number, and it will report that you were part of the breach. A security researcher, Brian Krebs, found a new breach whereby lots of detailed info, from people who complained to Equifax's Argentinean operation, could be downloaded with the user ID "admin" and a password of "admin" (one of the most easily guessed combinations imaginable). ZDNet tells us that security researcher Martin Hall uncovered another security hole - this one in the Equifax website you go to in order to sign up for the recommended alerts for people whose credit data has been compromised. You can't make this stuff up.
Lesson 5: see lesson 3.
Astute observers note that the Chief Security Officer has a music degree. (Edit: and she does not appear to have post-university certification or training that would lead one to believe she was qualified for the position, based on her LinkedIn profile.) On the one hand, I am not one to sling stones, as I do not have a computer security degree either. On the other hand, I'm not the Chief Security Officer of a major public company. You wouldn't hire someone unable to read a balance sheet and put them in charge of your finance function, for example.
Lesson 6: cybersecurity is not for amateurs.
So what can you do, if your personal information has been stolen? It likely has, if you’re in the US, given that approximately two thirds of the US adult population was affected. Normally what you would do is freeze your credit, meaning that special action would be necessary for someone to be able to open a new credit card or other account in your name.
In fact, if you check with Equifax, they're happy to do this, for the low fee of $10. That's right, they are actually making money off of their cyber screwup. Adding insult to injury, the "secret PIN code" to unfreeze your credit is just the time and date stamp of when you requested the freeze. Not even a simple division hash with a magic number: a plaintext-encoded time and date, which anyone who knows roughly when you requested the freeze could guess.
Lesson 7: if you screw up badly, at least make it look like you’re trying to make amends.
Imagine the goodwill Equifax could have engendered if they had made a timely announcement of the breach, notified affected customers proactively, offered to do free credit monitoring and a free credit freeze for everybody for a year, and made sure to put top cybersecurity people in place to protect the critical personal information that is the core of their business. Even after the hack, they could've brought in a top-flight team for damage control and remediation.
Lesson 8: it's never too late to start good cybersecurity practices.
In closing, I suggest you: freeze your credit, scan your computer with antivirus, back up your files, and change your passwords. Prevention begins at home.
Sandy Pentland, Howie Shrobe and I have a new book on cybersecurity coming out January 5, appropriately titled "New Solutions for Cybersecurity", which is being released by MIT Press.
Sign up for my online fintech class, Oxford Fintech!
The views in this blog are my own and do not necessarily reflect those of MIT, Oxford, Distilled Analytics, or other entities with whom I am affiliated.
Simplifying the lives of entrepreneurs @ Tiime: invoicing, business account, accounting and admin management
7 years ago: Thx! Concise and to the point, David Shrier. Regarding lesson 2, and to provide you with some European context, here the General Data Protection Regulation, coming into effect May 2018, will force companies to report any data leak within 48 hours. I'm curious to see its effects as most are still in a culture of secrecy regarding the frequent (hopefully mostly not wide and critical) data leaks they are suffering!
High Impact Operator & Strategist @ PWM Associates | MBA
7 years ago: Equifax blew it on all fronts. And continues to. I just spent 30 minutes or more on the phone with an automated system that then said it was too overloaded to process my credit freeze (as all of my info seems to have been breached) and that I needed to call back. So, they are still blowing it. And one might think its competitors would see this as an opportunity to shine, but that is not the case for TransUnion or Experian, where despite being a long-term paying customer because of a previous breach by Anthem of my son's detailed information, I cannot get live help or freeze my credit on the phone. Innovis, who I had never heard of previously, seems to be the only capable organization. This will be fodder for years. I cannot wait until the CFO testifies about selling stock after the breach that he supposedly did not know about.
Board Chair, Author, Speaker
7 years ago: Good article, @davidshrier. Stay tuned all for the supposed-to-be-effective on Monday the 18th #ConsumerFinancialProtection Bureau rule prohibiting #FORCEDARBITRATION. There are rumblings to suggest big players (guess who) are working diligently to undermine it. To read the 225 page rule in the #federalregister go to 82FR33210 CFPB #CPFB docket number CPFB-2016-0020 #equifax #wellsfargo I'll be posting more information later today.