(Part Three of a Three Part Series)
As the narrative on the Equifax compromise evolves, the general public, politicians, and speculators continue to seek blame for what happened. Was it an unpatched vulnerability? Was Equifax not following proper configuration management? Was management derelict in their duties? At this point, the damage of leaking records including the personally identifiable information (PII) of 143 million people is done. However, it might be a good to look at what could have been done differently to reduce impact to the organization. I’m not saying there shouldn't have been more security controls, more oversight, or better configuration management. Much of this has been covered, both in our preceding blogs and throughout the security community and technical press, and will continue to be evaluated; what I am saying is that stuff happens and fallout ensues, so be prepared to respond, and know that how you respond can make a world of difference.
Based on the information provided so far, the complete picture of how Equifax responded initially to the compromise is not yet clear, though I am sure these details will come out at some point. What is abundantly clear is that their public announcement, details shared, and customer support provided did little to calm fear, outrage, or anger. If anything, it may have made things worse for Equifax. At Coalfire, one of my duties is to help our clients prepare for and respond to events and incidents (check out our Incident Response Advisory services). As part of preparation, we conduct tabletop exercises designed to assess and test our clients’ ability to respond to an incident. A common gap we identify in our client’s plans is how to address external entities like law enforcement or the media.
As trusted partners, we try to coach our clients that Incident Response is more than an IT issue; it involves the entire organization. In fact, we encourage our clients to have public relations included as part of the incident response team, not to mention adding external legal counsel. Also, depending on the client and their business, we try to coach involvement of the customer service department. If we step back and look at the non-technical issues with the Equifax compromise, they have struggled with messaging, though there are certainly inherent difficulties in messaging the loss of 143 million customer records. Although, providing some free guidance on how best to protect yourself would have been a solid start as Equifax essentially stated, sign up for free credit monitoring for 1 year. They could have provided the public with steps to freeze your credit (see more info below) as well as free credit monitoring for 1 year. Customer service should also have been better prepared to handle the volume of clients seeking answers, trying to set up their year of free credit monitoring, and trying to freeze their credit. There have been many reports of busy signals when trying to call customer service, customer service agents without the necessary information to assist, and slow or dysfunctional web applications for supporting either the credit freeze or signing up for the free credit monitoring. Further adding to Equifax’s customer image issues, they Tweeted out a link to a fake website.
To summarize, it is still not fully clear what Equifax could have done technically different to prevent the loss of the data or limit the damage. But there is little question that they could have handled the public response far better, which would have greatly minimized the public perception problem they are experiencing. Not that it matters now, but I would have suggested testing worst case scenarios (and often do), so that Public Relations, Customer Service, executives, and external counsel could be better coordinated on a public response, potentially avoiding some of the missteps this compromise has highlighted.
If you are interested in practicing and improving your preparedness, you may wish to watch this webinar, courtesy of Coalfire and Holland & Knight. And finally, if you haven’t done so already, review the links below to freeze your credit files, and share this information with friends and family. You can also do this for your children!
Freezing Your Credit: Depending on your state, freezing your credit may be free, or may require a small fee.
To freeze your credit, visit:
Sign up if you don’t have an account, and follow the instructions.
Experian: https://www.experian.com/freeze/center.html (main page)
To sign up: https://www.experian.com/ncaconline/freeze
Lessons Learned: Protecting Confidential Data Blog Series
Part 1: You Might Not Be as Secure as You Think
Part 2: The Value of Governance in Minimizing Cybersecurity Incidents
Part 3: How You Respond Can Make All the Difference