Equifax: An object lesson in how not to handle a data breach

The company's disgraceful post-incident conduct is nothing short of a slap in the face for victims

Over the last two years, Equifax has proven itself to be the cyber security equivalent of Mr Bean, blundering its way through a series of ever-increasing calamities with embarrassing regularity. First came the frankly cavalier attitude to cyber security that laid the groundwork for 2017's mammoth data breach, including a slapdash cyber security strategy and insufficient data protection measures. So poor was the company's security that a report from the House Oversight Committee called the breach "entirely preventable".

Next came the breach itself, which was discovered in mid-July but had started several months earlier and led to more than 145 million people having their sensitive personal data stolen. Despite the colossal number of individuals who were affected, the company waited over a month to alert victims to the fact that cybercriminals may have made off with driver's license numbers, dates of birth and addresses. We later learned that then-CIO Jun Ying made ample use of this delay to offload just under $1 million in Equifax shares before news of the breach tanked their value, an act of illegal insider trading for which he was sentenced to four months of jail time and hundreds of thousands in fines and restitution.

As the months rolled on, the impact of the breach gradually crept up, first with the news that millions more people had been affected than previously thought, with the estimate rising from an initial 143 million people to 145.5 million in October 2017, and then with the company's admission that social security numbers, email addresses and phone numbers were also taken. At every stage of the process, Equifax's conduct and handling of this breach has been at best incompetent.

The one silver lining for those affected was the knowledge they could at least get some restitution in the form of cash compensation from Equifax. The company reached an agreement with the Federal Trade Commission just last month that set the base level of compensation per person at $125 cash or 10 years of free credit monitoring.


Larger amounts were available for those who could prove they spent time or money dealing with identity theft as a result of the breach, but even as a baseline, $125 is an insultingly low amount to compensate someone for having their data stolen.

Here's the kicker, though: The victims won't even get that paltry sum.

As it turns out, although Equifax claimed all victims could choose the cash payment over the free credit monitoring, the company only set aside a $31 million pot to pay for the cash compensation. Do the maths: even if only half of the 145 million victims chose the cash option, that still works out at less than 50 cents per person.

Fifty. Measly. Cents.

For anyone who was affected, that's a slap in the face, made all the more insulting by the fact that Equifax pulled in $3.4 billion in revenue last year. Not only that, but now-departed CEO Richard Smith is in line to cash out his stock bonuses for a cool $20 million. And while the company's net income was halved compared to 2017, for those who had their data stolen it's cold comfort.

The cash compensation option has now been removed entirely due to the number of claims filed, presumably because the amount per person dropped too low for even Equifax to try and sell with a straight face.

The company will, of course, argue that the free credit monitoring represents better value for money than the $125 cash award. While that's true, I don't know that I would trust Equifax to monitor my credit after this fiasco and I'm sure those affected will have their own reservations too.

This whole incident aptly demonstrates the importance of setting aside a substantial war chest for dealing with data breaches. The costs can mount up quickly: along with the cost of bringing in emergency consultants and security specialists at short notice, buying in new tools and paying fines, companies have to make sure they have enough cash on hand to adequately compensate the victims if they end up accidentally exposing their personal information.

Quite aside from the fact that fairly compensating breach victims is the right thing to do, not doing so can result in lasting reputational damage equal to or in excess of that caused by the breach itself. Look at Equifax; the company is now making headlines again, reminding everyone why they were so angry with them in the first place. It may not be pleasant, but it's part of the cost of a breach, and the only way to avoid it is to prevent a breach in the first place.
