What do you do if you're the CEO of an extremely profitable credit bureau business that's suffered a massive breach, leading to Congressional probes, consumer outrage measured in dozens of lawsuits and counting, formal investigations by state attorneys general and calls for your resignation?
Answer: Issue a mea culpa via USA Today apologizing for the breach and promising to do better.
"We will make changes and continue to strengthen our defenses against cyber crimes."
At least, that's the strategy being pursued by Richard F. Smith, chairman and CEO of Equifax, after his firm on Thursday issued a breach alert, saying that personal information on 143 million Americans appears to have been exposed (see Equifax Faces Mounting Anger, $70 Billion Lawsuit).
"This is the most humbling moment in our 118-year history," Smith writes.
The breach ranks among the worst ever seen. Potentially stolen data included not only names, addresses and birthdates, but also Social Security and driver's license numbers. Security experts say the scale of the breach - half of all U.S. adults may be impacted - once and for all burns Social Security numbers as identifiers and leaves all victims at elevated risk of identity theft (see Equifax Breach: 8 Takeaways).
Equifax has promised to do better. "We are devoting extraordinary resources to make sure this kind of incident doesn't happen again," Smith writes.
Talk, however, is cheap, and Smith's assertion overlooks the fact that for anyone whose personal details, including Social Security number, were compromised, it doesn't matter if it happens again. Their information is likely now at large and being bought and sold on the cybercrime underground.
Just as data brokers such as Equifax gather information on consumers, in this case to help other businesses judge their creditworthiness, cybercrime groups also gather information on consumers and use these types of breaches to improve the information they already hold on any given individual. Doing so makes it easier to target individuals with phishing attacks or to run scams such as filing fake tax returns in their name.
Like many breached businesses, Equifax is now promising to try harder to make sure that it never again gets breached so badly, which raises the question of whether it previously failed to take information security as seriously as it should have.
"We will make changes and continue to strengthen our defenses against cyber crimes," Smith writes. "We will make sure every consumer who wants protection has a full package of services. And we will continue to update everyone on our progress."
As of Tuesday, Equifax says 15 million consumers visited its breach notification site and 11.5 million had begun enrolling in its identity theft monitoring service. In my book, a bit of breach justice would be if Equifax had to pay one of its rivals to provide identity theft monitoring services for victims.
It's also worth noting that ID theft monitoring is no silver bullet. Individuals whose personal details have been stolen will now have to watch for potential fraud being committed. That's not a pastime anyone would have ever signed up for. Equifax, meanwhile, will continue to generate profits by tracking and selling access to the very information it's already lost.
On the upside, Equifax has at least temporarily dropped the fees it charges to freeze people's credit reports - which multiple state attorneys general and consumer advocates have recommended all victims do - and there are suggestions that Equifax might also pay Experian and TransUnion to freeze victims' credit reports, The New York Times reports.
Six Weeks to Notify
In his USA Today column, Smith defended his business taking six weeks - after it discovered the breach on July 29 - to notify victims, saying that it took investigators that long to piece together what had happened.
"Shortly after discovering the intrusion, we engaged a leading cybersecurity firm to conduct an investigation," he writes. "At the time, we thought the intrusion was limited. The team, working with Equifax Security personnel, devoted thousands of hours during the following weeks to investigate."
In fact, taking six weeks to notify victims is common and often warranted. Security experts say that whenever possible, organizations should identify as many details as possible about a breach, such as who was affected, so that the notification doesn't just cause panic, but instead gives breach victims the information they need to safeguard themselves as much as possible (see Data Breach Notifications: What's Optimal Timing?).
No Details: British and Canadian Victims
So far, however, Equifax has yet to detail how many British and Canadian consumers were affected by the breach, but has promised to work with regulators. Britain's data privacy watchdog, the Information Commissioner's Office, says it's investigating, and it called on Equifax "to alert affected UK customers at the earliest opportunity."
"Reports of a significant data loss at U.S.-based Equifax and the potential impact on some U.K. citizens gives us cause for concern," ICO Deputy Commissioner James Dipple-Johnstone said in a Friday statement. "We are already in direct contact with Equifax to establish the facts including how many people in the U.K. have been affected and what kind of personal data may have been compromised."
Easy Damage Control
Smith's USA Today apology doesn't reveal any new information of substance about the breach. But it does serve as easy damage control for the publicly traded business.
Nevertheless, the pressure on Equifax is continuing to increase. The Federal Trade Commission, which typically refuses to comment on whether or not it has launched an investigation of any particular organization, has made an exception in Equifax's case. "The FTC typically does not comment on ongoing investigations," says Peter Kaplan, the FTC's acting director of public affairs. "However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach."
Even if Equifax has to answer questions before Congress, or perhaps settle a consolidated class-action lawsuit for millions of dollars several years from now, it's unlikely Congress would pass any laws that make life difficult for Equifax or the other two major U.S. data brokers - Experian and TransUnion.
In time, Equifax's stock price will recover and it will move on like nothing ever happened (see Cynic's Guide to the Equifax Breach: Nothing Will Change).
Banks Could Ditch Equifax
One potential wrinkle is that banks and some other financial services firms are considering ditching Equifax for its rivals, the Wall Street Journal reports. Some large banks, in particular, believe Equifax has handled the breach poorly by failing to give them advance warning and still not saying how it was hacked (see Is Unpatched Apache Struts Flaw to Blame for Equifax Hack?).
Whether these banks put their money where their mouth is, however, remains to be seen. Nor is turning to Equifax's rivals an assured way to ensure that consumers' data is better protected. Experian, for example, has suffered more than 100 data breaches in recent years, and one of its subsidiaries sold data to a Vietnamese ID theft ring that committed fraud on a massive scale.
Story updated (Sept. 14) with comment from the FTC.