Consumer credit-reporting giant Equifax recently reported a breach that exposed the personal records of 143 million U.S. consumers.
Yahoo may still hold the record for the largest breach in history, but Equifax now holds the record for the stupidest.
In the cybersecurity world, Equifax is the new poster child for carelessness, ignorance, advanced stupefaction, and greed. It may also have set the standard for criminal negligence.
The company relied on web software with widely publicized security flaws to protect the personal and sensitive information of nearly half of the U.S. population. Equifax then made things worse with a cynical offer of a “trusted” $20/month credit monitoring service for which you would have to sign away your right to participate in a class-action suit.
Running a transactional website on a web platform with well-known, unpatched flaws is hideous enough, but the company could at least have conducted the simplest and most common check beforehand and discovered that its own domain had been flagged on a watch list of suspected phishing sites.
But not these guys. In fact, the chief financial officer was one of three senior executives at the company who sold roughly $1.8 million in Equifax stock within days of the company discovering the breach. Apparently losing a colossal amount of private consumer information wasn’t enough. These clowns rushed to their brokers and quickly offloaded a couple of million bucks in stock, which, Equifax subsequently explained, was only a small percentage of their holdings and had no relationship to the breach because … wait for it … they “had no knowledge that an intrusion had occurred at the time they sold their shares.”
Call me dull, but I would think that if my company, which ranks among the largest credit reporting agencies in the country, had just allowed the worst breach of consumer information in history, the chief financial officer and his fellow senior executives would know about it. Especially if they are being compensated so handsomely that $2 million represents “only a small fraction of their holdings.”
The simple and obvious technology mishaps are inexcusable and should be punishable by actual jail time. The executives who sold reaped an immediate cash “reward,” while 143 million consumers have to change their credit cards and passwords, sign up for identity-theft protection and credit-monitoring services, and still will be unable to rest comfortably, because the Social Security numbers, birth dates and addresses that were taken cannot be reissued and their identities remain at risk indefinitely. But what will the consequences be for these careless officers? As of today, none. As of today, no personal liability accrues to any of these company officers for a cybersecurity breach.
And it gets worse.
Equifax waited six weeks to disclose the breach publicly, which gave the perpetrators plenty of time to sort, sell and exploit all of that data while the victims went about their normal day-to-day, unaware that their personal information had been compromised. Notification delays like this are inexcusable and should be criminal. But unbelievably, there’s even more.
Not only does the company have the audacity to offer you a new website that will let you check to see if your information was compromised, but it wants you to enter your last name and the last six digits of your Social Security number to do so. Asking people to type partial Social Security numbers into an unfamiliar site days after a breach is also exactly the behavior that phishing campaigns depend on. In addition to this slap in the face, it is inviting you to sign up for its “TrustedID Premier” credit monitoring service, which — if you can prove you were a victim — will be free for the first year.
Not only is that obviously inadequate, since criminals can exploit stolen personal data for many years, but it hands the company a lucrative database of prospective customers to whom it can sell continuing subscriptions once the year expires — at $19.95 a month. In fact, enrollment in the service requires you to provide a credit card number, which it will use to bill you automatically once the free trial is over.
Assuming, of course, that you have any credit cards or credit left after the breach and that you are as stupid as the Equifax guys think you are, the final indignity is found in the terms of service, which state that enrollees, by signing up, waive their right to sue Equifax and all other legal remedies, including participation in a class-action suit against the company.
It is clear that companies like Equifax are unwilling and/or unable to provide themselves with appropriate levels of cyberthreat defense. We know this. We talk to hundreds of them every month. New York State finally bit the bullet this past March and instituted a set of fairly rigid cybersecurity regulations that require financial services companies regulated by the state’s Department of Financial Services to comply or be fined, with escalating consequences for noncompliance. I am certain that most other states will follow New York’s lead and implement similar regs.
But this now has to happen at the federal level. If there were harsh federal penalties for the kind of sloppiness and stupidity that Equifax demonstrated, all companies would get their cybersecurity act together and start doing the right things. These things include technology, process, education, training, policy, governance, standards and guidance. They’re not rocket science, simply the stuff you need to run any competitive business enterprise today.
This time it should be different. This time, instead of talking about taking action, our illustrious lawmakers will likely climb furiously to the very front of the bandwagon and start writing legislation that will get pushed through the House and Senate in time for the midterm elections. I’m pretty sure no serious lawmaker is going to want to be seen being out of touch with 143 million Americans.
Steve King is the COO of Netswitch Technology Management.