Equifax: An object lesson in how not to handle a data breach
The company's disgraceful post-incident conduct is nothing short of a slap in the face for victims
Over the last two years, Equifax has proven itself to be the cyber security equivalent of Mr Bean, blundering its way through a series of ever-increasing calamities with embarrassing regularity. First came the frankly cavalier attitude to cyber security that laid the groundwork for 2017's mammoth data breach, including a slapdash cyber security strategy and insufficient data protection measures. So poor was the company's security that a report from the House Oversight Committee called the breach "entirely preventable".
Next came the breach itself, which was discovered in mid July but had started several months earlier and led to more than 145 million people having their sensitive personal data stolen. Despite the colossal number of individuals who were affected, the company waited over a month to alert victims to the fact that cybercriminals may have made off with driver's license numbers, dates of birth and addresses. We later learned that then-CIO Jun Ying made ample use of this delay to offload just under $1 million in Equifax shares before news of the breach tanked their value - an act of illegal insider trading for which he was sentenced to four months of jail time and hundreds of thousands in fines and restitution.
As the months rolled on, the impact of the breach gradually crept up, first with the news that millions more people had been affected than previously thought rising from an initial estimate of 143 million people to 145.5 million in October 2017, and then with the company's admission that social security numbers, email addresses and phone numbers were also taken. At every stage of the process, Equifax's conduct and handling of this breach has been at best incompetent.
The one silver lining for those affected was the knowledge they could at least get some restitution in the form of cash compensation from Equifax. The company reached an agreement with the Federal Trade Commission just last month that set the base level of compensation per person at $125 cash or 10 years of free credit monitoring.
Larger amounts were available for those who could prove they spent time or money dealing with identity theft as a result of the breach, but even as a baseline, $125 is an insultingly low amount to compensate someone for having their data stolen.
Here's the kicker, though: The victims won't even get that paltry sum.
As it turns out, although Equifax claimed all victims could choose the cash payment over the free credit monitoring, the company only set aside a $31 million pot to pay for the cash compensation. Do the maths even if only half of the 145 million victims chose the cash option, that still works out at less than 50 cents per person.
Fifty. Measly. Cents.
For anyone who was affected, that's a slap in the face, made all the more insulting by the fact that Equifax pulled in $3.4 billion in revenue last year. Not only that, but now-departed CEO Richard Smith is in line to cash out his stock bonuses for a cool $20 million. And while the company's net income was halved compared to 2017, for those who had their data stolen it's cold comfort.
The cash compensation option has now been removed entirely due to the number of claims filed, presumably because the amount per person dropped too low for even Equifax to try and sell with a straight face.
The company will, of course, argue that the free credit monitoring represents better value for money than the $125 cash award. While that's true, I don't know that I would trust Equifax to monitor my credit after this fiasco and I'm sure those affected will have their own reservations too.
This whole incident aptly demonstrates the importance of setting aside a substantial war chest for dealing with data breaches. The costs can mount up quickly; along with the costs of bringing in emergency consultants and security specialists at short notice, buying in new tools and paying fines, companies have to make sure that they have enough cash on hand to adequately compensate the victims if they end up accidentally exposing their personal information.
Quite aside from the fact that fairly compensating breach victims is the right thing to do, not doing so can result in lasting reputational damage equal to or in excess of that caused by the breach itself. Look at Equifax; the company is now making headlines again, reminding everyone why they were so angry with them in the first place. It may not be pleasant, but it's part of the cost of a breach, and the only way to avoid it is to prevent a breach in the first place.