As the Office of the Australian Information Commissioner has recently issued draft resources for Notifiable Data Breaches it is useful to review how credit reporting agency Equifax USA responded to its recent “cybersecurity incident” which exposed U.S. Social Security numbers, birth dates, addresses and drivers licenses for approximately 143 million people.
What happened
On 7 September 2017 Equifax announced:
“a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.
The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents.”
Although Equifax said it discovered the unauthorized access on 29 July 2017 it now appears (according to Wired) that Equifax was aware of the security flaw in March and it took 141 days to discover the breach with hackers likely accessing the system for months.
Equifax’s response
Equifax has been criticised for its response including:
- the company waited more than a month (and possibly longer) to alert the public to the breach;
- the company directed potential victims to a separate domain—equifaxsecurity2017.com—instead of simply building pages on its main, trusted website, equifax.com;
- Observers quickly found bugs, some of them serious, in that breach-response site;
- Equifax asked people to trust the security of the new site, and to submit the last six digits of their Social Security number as a way of checking whether their information had been potentially compromised in the breach;
- Equifax required site users to waive their right to sue Equifax;
- the company’s official Twitter account mistakenly tweeted a phishing link four times, instead of the company’s actual breach response page;
- the company’s call centre couldn’t manage the volume of calls it received;
- three of its executives sold stock days after the hack was detected.
The Equifax Chairman and CEO stepped down after criticism of Equifax’s response and apology.
The Chief Information Officer and Chief Security Officer also retired and are being replaced. (Equifax updates).
The interim CEO issued a new apology (initially behind the Wall Street Journal’s paywall) and announced that:
“By Jan. 31, Equifax will offer a new service allowing all consumers the option of controlling access to their personal credit data. The service we are developing will let consumers easily lock and unlock access to their Equifax credit files. You will be able to do this at will. It will be reliable, safe and simple. Most significantly, the service will be offered free, for life.”
What the OAIC recommends
The NDB scheme requires entities to notify individuals about an eligible data breach.
Entities are also required to prepare a statement and provide a copy to the Australian Information Commissioner. The OAIC’s online form may help entities to do this. But if you look at the Equifax scenario, it is clear that a proper response requires more than filling in a form.
The OAIC says that an eligible data breach statement should include the name and contact details of the entity, a description of the eligible data breach, the kind or kinds of information involved, and what steps the entity recommends that individuals at risk of serious harm take in response to the eligible data breach.
Entities must notify affected individuals about the contents of this statement or, if this is not practicable, publish a copy of the statement on the entity’s website and take reasonable steps to publicise the contents of the statement.
The Equifax example shows that customers expect full disclosure, a meaningful apology and adequate customer support.
Contact David Jacobson if you’d like to discuss how your organisation should prepare for a data breach.