In July of this year, Equifax suffered a data breach that saw the loss of personal data for around 145.5 million customers – nearly half of all adults in the USA, as well as thousands of customers in the UK and Canada.
After a damning indictment at a Congress subcommittee, former Equifax CEO Richard Smith – who resigned in the wake of the scandal – has apologised to those affected and admitted serious errors had been made.
The sheer magnitude of the breach and its ensuing fallout has had many industry leaders wondering how to learn from Equifax’s mistakes and safeguard against similar future catastrophe.
Human and Technology Error
In an attempt to explain what exactly went wrong in the lead-up to the Equifax breach, Smith blamed both ‘human error and technology errors’, citing the failure of a manager to patch a known software flaw – despite a warning from Homeland Security – and the further failure of automated scans to detect the resulting vulnerability.
The lesson here, it appears, is a fairly simple one: had Equifax had an effective company security policy that ensured the correct software patch was applied, the breach could potentially have been avoided. Similarly, more regular and rigorous testing – and keeping the testing software itself up to date – could have meant that their own scans detected the vulnerability even after the human error.
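The two failings above, an unapplied patch and a scanner whose definitions did not know about the flaw, are easy to show side by side. The following is an added example written for this article, not code from Equifax or from any scanning product; the host names, component names, versions, advisory identifiers and dates are all constructed placeholders. It compares a small asset inventory against two advisory feeds, a stale one and a current one, and flags any finding that has been open longer than the policy's patch deadline.

```python
"""Patch-compliance check over a constructed asset inventory.

Added example for this article (not Equifax's code). Every identifier below
is a constructed placeholder, not a real advisory, host or product version.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # placeholder id, not a real CVE
    component: str          # software component the advisory applies to
    fixed_version: tuple    # first version that contains the fix
    published: date         # constructed publication date


def parse_version(text):
    """Turn '2.3.31' into (2, 3, 31) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def find_unpatched(inventory, advisories):
    """Return one finding per installed component older than an advisory's
    fixed version: (host, component, installed_version, advisory_id)."""
    findings = []
    for host, components in inventory.items():
        for component, version in components.items():
            for adv in advisories:
                if adv.component == component and parse_version(version) < adv.fixed_version:
                    findings.append((host, component, version, adv.advisory_id))
    return findings


def overdue(findings, advisories, as_of, sla_days):
    """Findings whose advisory has been public longer than the patch deadline."""
    by_id = {adv.advisory_id: adv for adv in advisories}
    return [f for f in findings
            if (as_of - by_id[f[3]].published).days > sla_days]


# Constructed inventory: two web hosts, one still on a vulnerable framework build.
INVENTORY = {
    "web-01": {"example-web-framework": "2.3.31", "example-ssh-daemon": "7.4"},
    "web-02": {"example-web-framework": "2.3.33", "example-ssh-daemon": "7.4"},
}

# Stale feed: scanner definitions were never updated, so it knows nothing
# about the framework flaw and reports the estate as clean.
STALE_FEED = [
    Advisory("ADV-PLACEHOLDER-0001", "example-ssh-daemon", parse_version("7.0"), date(2016, 1, 15)),
]

# Current feed: includes the framework advisory and therefore catches web-01.
CURRENT_FEED = STALE_FEED + [
    Advisory("ADV-PLACEHOLDER-0002", "example-web-framework", parse_version("2.3.32"), date(2017, 3, 1)),
]

PATCH_SLA_DAYS = 30  # constructed policy: critical patches applied within 30 days


def stale_scan_findings():
    return find_unpatched(INVENTORY, STALE_FEED)


def current_scan_findings():
    return find_unpatched(INVENTORY, CURRENT_FEED)


def overdue_findings(as_of=date(2017, 5, 1)):
    return overdue(current_scan_findings(), CURRENT_FEED, as_of, PATCH_SLA_DAYS)


if __name__ == "__main__":
    print("stale feed:  ", stale_scan_findings())      # []
    print("current feed:", current_scan_findings())    # web-01 flagged
    print("overdue:     ", overdue_findings())          # same finding, past the 30-day SLA
```

The point of running both feeds is that a clean scan result is only as good as the definitions behind it: the stale feed returns nothing for the same inventory that the current feed flags, and the deadline check turns a "known vulnerable" entry into an escalation the moment the policy window is exceeded, which is the process gap the article describes.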
Safeguard your Reputation
However, Equifax’s failings did not end there.
Despite security officials detecting ‘suspicious activity’ in late July, Equifax took over a month to inform customers not only of the extent of the breach but that there had been one at all.
The rollout of a website designed to help customers find out if they were affected was a disaster, with social media accounts repeatedly sharing incorrect website details.
Equifax call centres were also ‘overwhelmed’, with many customers suffering long hold times or no agent assistance at all. While proper security systems and correctly implemented secure payment solutions are paramount in preventing breaches in the first place, the Equifax disaster makes it evident that every company should have a contingency plan in place ‘just in case’.
Informing customers and the relevant regulators of the breach as soon as it is known, planning for extra support resources, and preparing support packages and compensation plans were all things Equifax could have had in place to prevent the ensuing rapid loss of reputation.
While Smith asserts that measures have now been put in place to help those affected, such as the eventual offer of a support package, many feel Equifax is offering too little too late. Members of the Congress committee stated that those affected “now face a lifetime of risk” and called the breach “a betrayal of consumers’ trust”.
It now falls to other industry leaders to learn from these mistakes and ensure that strict measures are taken in their own organisations to safeguard against similar failings.
As for Equifax, congressman Frank Pallone perhaps put it best: “If Equifax wants to stay in business, its entire corporate culture needs to change to one that values security and transparency.”