2017 CLBR Zero: Equifax

On December 20, CLBR will have our annual year-end Heroes and Zeros episode in which, with guests Brenda Christensen, Denise Howell and Dan Tynan, we highlight those doing wonderful things on the internet and those deserving a cyber lump of coal.  This year, in order to give credit (and shame) where it is due,  I am naming my hero and zero “nominees” individually and today’s dishonoree is Equifax.

In September, credit reporting agency Equifax announced a data breach in which hackers gained access to data for approximately 143 million Americans (or approximately 44 percent of the population).  As some have noted, this is not the biggest data breach in history, but it may be the worst.

What Data Was Hacked

According to Equifax, the breach affected the following:

Most of the consumer information accessed includes names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182,000 consumers were accessed. In addition to this site, Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted. We have found no evidence of unauthorized access to Equifax’s core consumer or commercial credit reporting databases.

Equifax Response

Equifax has come under heavy criticism for its response.  It took six weeks for it to report the breach and three of its top executives sold $1.8 million worth of their company stock following the breach.  Then the website Equifax created to enable consumers to determine if they were affected by the data breach initially required that consumers agree to mandatory arbitration of any claims, which the company backed down on after a huge backlash.

Equifax was also criticized for attempting to make money off its own breach by having the credit monitoring service it offered to victims auto-renew after the free first year, with consumers charged automatically.

What Next?

Equifax’s data breach will likely be investigated by the Federal Trade Commission, the Securities and Exchange Commission, state Attorneys General and Congress.  This could be an Exxon Valdez type of event that triggers further regulation of the credit reporting space or Big Data.

The New York Times’ “Seriously, Equifax? This Is a Breach No One Should Get Away With”:

Equifax, you had one job. Your only purpose as a corporation, the reason you were created and remain a going concern, is to collect and maintain people’s most private financial data.  Now you have fallen down on your only job — and spectacularly so. Hackers penetrated the spectral gauze of security surrounding your website, and over the course of nearly two months, they made away with the personal information of as many as 143 million Americans. It is the most important financial data available on any of us — our names, birth dates, Social Security numbers, home addresses and in some instances a lot more — and it was just sitting there on your site, all but wrapped up in a red bow.

So, Equifax, I have to ask: Now that you have failed at your one job, why should you be allowed to keep doing it?

TechCrunch was equally appalled, explaining:

This crass, callow, and lazy treatment of our digital data cannot stand.  . . . We must create new, secure methods for cryptographically securing our data… These old organizations — Equifax was founded in 1899 and hasn’t changed much since inception — must die, to be replaced by solutions that (and I shudder to say this) are blockchain-based.

David R. Smith has a Twitter thread that details the many outrages associated with the breach.

Annual Heroes and Zeros Show

Listen on Wednesday, December 20th at 1PM ET / 10AM PT on WebmasterRadio.fm as I discuss the Heroes and Zeros for 2017 with our special guests – Brenda Christensen, Denise Howell and Dan Tynan.
