The Equifax breach, first revealed to the public on September 7, 2017, continues to stand as one of the most consequential data breaches in the history of the digital era. 145 million Americans learned that their personal data (their identities and financial information) had been outright stolen from under Equifax’s nose. The full effects of the damage are still being understood and uncovered, even after 5 months. Here are 3 things we learned recently about the Equifax data breach and what it might mean for your enterprise:
1. Equifax Knew About Their Security Issues Well Before The Hack…And Did Little
A report released yesterday by Senator Elizabeth Warren (D-MA) stated that the national credit reporting agency’s cybersecurity and identity protection systems were totally inadequate prior to the attack. Senator Warren alleges that Equifax received numerous warnings beforehand, both in the form of smaller hacks leading up to the massive breach and an explicit warning from the Department of Homeland Security (DHS). Most distressingly, the DHS warning pointed to the exact security vulnerability the hackers took advantage of to obtain the stored personal data.
Yet despite all this, Equifax took few concrete actions to secure themselves before the hack. They did email their staff to fix the security hole the DHS indicated, but never bothered to follow up on whether it had been accomplished. If there is a major takeaway, it is that enterprises must take cybersecurity seriously. It is not an abstract issue that can be dismissed or casually passed over to another department; it must be an active part of your corporate discussions and concerns.
2. Equifax Delayed Notifying Any Affected Parties of the Data Breach By Over A Month
In the eyes of Senator Warren, the most damning charge against Equifax is their failure to notify consumers, investors, or regulators about the breach after it had been discovered on July 29, 2017. The breach actually took place on May 13.
Equifax took over a month to alert anyone of the loss of millions of citizens’ personal data, preventing the affected from taking proactive measures to protect their identities and the government from taking steps to reduce the damage. After the announcement, customers reported feeling that Equifax’s response was inadequate. Their crisis management hotline left many on hold for hours, and when they did reach someone, Equifax refused to tell them if their identity had been compromised.
Needless to say, the slow, misleading, and distinctly unapologetic response has severely damaged Equifax’s reputation, possibly even more than the hack itself. To paraphrase UpGuard researcher Chris Vickery, who disclosed the Octoly data breach of thousands of social media influencers’ identities, the disappointment is not in the hack but in the response. Not only will Equifax’s brand be tarnished for a long time to come, but this tarnish may start to eat away at their profits.
3. Consumers Are Statistically Less Likely To Patronize Enterprises That Treat Their Data Poorly
In her report, Senator Warren stated that Equifax prioritized using the hack as an opportunity for profit over helping consumers through the difficulties they caused. Therefore, she argues, the U.S. needs stronger regulations protecting consumer identities and data and harsher punishment for cybersecurity negligence.
While it is not clear yet whether her cause will translate into concrete federal action, the court of public opinion may prove an even more powerful force for enacting change in corporate preparation for, and responses to, data hacks.
A recent survey, separate from Senator Warren’s report, of 7,500 consumers across Europe and the U.S. revealed that 62% would hold the corporation, above the hacker, responsible for the loss of their personal data. 78% stated that the manner in which a company handles consumers’ identities affects its reputation and whether consumers would buy from it, and 58% would be less likely to purchase services from a company for misusing data. An average of 69% said they would boycott, or already have boycotted, companies that treat consumer identity information carelessly. Furthermore, the revelations about the Octoly hacking and dawdling response have infuriated their social media influencers and business partners, which may cost the company business and promotions in the future.
Reputation has a direct relationship to an enterprise’s bottom line; it’s an indicator of consumer, client, and partner trust, and without that trust a transaction becomes significantly less likely. The Equifax breach shows that being proactive, rather than reactive, to hacks and data breaches is the key to successfully recovering. If your enterprise takes adequate precautions to prevent a hack (finding the right identity management solution, managing which employees have access to which databases and evaluating permissions, setting up a comprehensive incident response plan), you can mitigate the effects of a hack before it happens. Instead of being tarnished in the aftermath, your enterprise can project a cool, rational, and empathetic image to the public that can alleviate the reputation damage of a breach. You can show hackers that you will not be brought low by their efforts, and you show customers that they can trust you with their data.
Equifax may not truly recover from its breach, whether Senator Warren’s proposed legislation passes or not. Don’t let your enterprise be next.