Equifax Forgets the Facts of Cybersec
Most of you have heard about the Equifax breach impacting 143 million individuals’ PII, including names, addresses, Social Security numbers and any active credit disputes.
- Take a deep breath. Brian Krebs (krebsonsecurity.com) noted that “…as bad as this is, the fact is, your stuff probably had been out there already.” Did you vote Republican in the past ten years? The RNC released your name, address, voter detail and partial Social Security number earlier this year (200 million+ records). Or do you order your paper bank checks from Harland? Four years ago, Harland released this data, but that release occurred two months before Target, so the leak was overshadowed by the red and white bullseye brand.
- Freeze your credit. Freezing your credit will make it very difficult for new credit to be obtained in your name. Credit monitoring tells you after the bad guys do something. Lock the door and don’t let them in. Just make certain that you don’t lose those codes you get to unfreeze your credit!
- Visit the Federal Trade Commission for an excellent summary of what to do next.
- A company such as Equifax is relentlessly attacked daily; your defenses have to work ALL of the time. The bad guys need only one failure in your defense system.
What appeared at first to be an effective cybersecurity response has since been dubbed a “Dumpster Fire” by a leading cybersecurity group. The initial response created a secondary crisis, and an ineffective or poorly planned response will cloud all other messaging. Let’s take a closer look:
1) Equifax’s initial statement encouraged people to visit equifaxsecurity2017.com, enter the last six digits of their Social Security number, and check whether they were impacted. If impacted, the company would provide the user with free credit monitoring through Equifax’s premier product. Unfortunately, the site did not work as one would expect and, worse, had poor business practices embedded in it:
a. A user’s status changed depending on which type of device (computer, Android, Apple) was used to test.
b. Entering gibberish yielded an answer: type in ‘Test’ or ‘121212’ and the result was an affirmative answer.
c. If a positive answer was received, the user was notified of a ‘registration date’ and cautioned to securely save that information, as no other notices would be sent. At 10 pm Thursday night, 09/07/2017, my date was 09/13/2017. Did they even have a functioning portal?
2) The original TOU for the credit monitoring services included a waiver of the right to sue, or to be included in a future class-action suit against Equifax. Remember the offer to supply free credit monitoring for anyone who wanted it? That offer doesn’t sound as altruistic in light of this clause. Why wouldn’t you just go to one of their competitors or, better yet, freeze your credit? The company later removed this clause after several State Attorneys General objected.
3) Three officers sold stock after the company discovered the breach and before it was announced, including CFO John Gamble and two brand presidents (Information Solutions and Workforce Solutions). The CFO sold 13.3% of his holdings and did not utilize the safe-harbor 10(b)(5) rule (effectively a blind trust normally used by C-suite officers, because they are always in possession of inside information). The company responded that these people had no knowledge of the breach and that the sales represented a small portion of their holdings. What? The CFO and the Information brand president were unaware that a major breach had taken place and that a forensics firm had been engaged? That seems unbelievable at best and a total lack of a cybersecurity response plan at worst. Speaking as a former CFO of a public company: if I sold 13% of my shares, no one would see that as a small percentage.
4) Revictimization Issues. First: asking someone to click a link and enter six digits of their Social Security number (normal login with Equifax as a customer required a user name and four digits) will lead to spam email asking the same questions, and inevitably to revictimization. Although it is tempting to reduce costs, best practice is snail-mail notification of a breach. Bad guys will capitalize on an email campaign and phish your customers; it’s part of the drill. Equifax certainly knows best practices. Second: how many companies that were already breached used Equifax for their victims? Many of those victims joined “under an abundance of caution” and in reality had no information compromised…until now.
5) Repercussions. It won’t be long before Congress ‘requests’ that management meet with them; the risks to senior management are escalating by the moment, and in turn the risks to the Board of Directors. A poor response can increase risks exponentially. The malfunctioning website, a hidden waiver of liability, the sale of executive stock and overall poor execution will impact the brand for a very long time to come. Look for some terminations/resignations in the near future.
6) Preferred Provider No More. What about those existing Cybersecurity Response Plans that have Equifax written into them as the preferred provider for credit protection? I imagine that companies will ‘rethink’ who their preferred provider should be going forward.
If Equifax had a Cybersecurity Response Plan, it was neither designed nor tested effectively. This is a very visible teaching moment, and it serves all professionals well, in any industry, to educate management, leadership and Boards on the importance of effective plan development and testing. It doesn’t matter how large or small the business is; the impact on customers and reputation will be the same.
Cybersec is no longer ‘optional’.
About the Author: Jack Healey, CPA/CFF, CFE
Mr. Healey is an expert in operational, financial and organizational governance strategies and tactics. He has focused on those elements of business operations which increase cost, drive inefficiencies and reduce the effectiveness of an organization’s performance. He now instructs business executives how to eliminate these ‘financial mud holes’ in their organizations.
Mr. Healey’s unique background as a trained negotiator, a COO/CFO and Corporate Secretary of a public company (coupled with a successful career as an audit and forensic partner and fraud fighter in a public accounting firm) brings a unique perspective to address the financial, governance and human elements which impact a business.
He has developed the Business Crisis Predictive Diagnostic Model™, which identifies the hidden crisis-risks embedded in businesses before they become a crisis. He has used this model to successfully identify process and functional deficiencies which, if left unaddressed, would significantly impact the people, profitability or reputation of an organization.
Mr. Healey has spent his career helping boards of directors, executive leadership and stakeholders resolve business crises and improve the value of their businesses. He is an avid educator and has most recently guest lectured at Syracuse University, University of Alabama and Kennesaw State University. His presentation topics include Business Crisis-Risk™, Supply Chain Risk, Effective Interrogation Techniques and Occupational and Cyber Fraud.
He is a graduate of Syracuse University Whitman School of Management (BS Accounting, CPA), where he graduated Magna Cum Laude. Mr. Healey is a member of the Business Advisory Board for the Lubin School of Accounting, Whitman School of Management, Syracuse University; the American Institute of Certified Public Accountants; the Association of Certified Fraud Examiners; and the National Association of Corporate Directors. He has held board positions on several not-for-profit organizations focused on health and education issues.