Equifax's big fat fail: How not to handle a data breach

The Equifax data breach impacting 143 million people was maddening enough. The follow-up response was even more maddening and will put Equifax in the crosshairs for months to come.
Equifax disclosed that hackers exploited a vulnerability on its website to access files, which may have included data such as social security numbers, birth dates, and addresses. Simply put, there was enough data swiped from Equifax to start a new identity, hijack a few, and sell information on the black market. What's more jarring is that folks (think your kids) without any credit history were exposed. The data breach occurred between May and July.
And given that Equifax is one of three keepers of your credit score, there's a little emotion involved. In the US, you are your credit score. The credit score is the lubrication of the economy and determines whether you can get a mortgage or car loan or that home equity line.
So, given that backdrop, emotional connection, and more than a month to disclose the breach and figure out a response, you'd think Equifax would be able to rise above complete s**t-show on the report card.
Nope.
Equifax failed big time, and given that the stock has been pummeled, it's worth asking for a few executive heads to roll. What's more galling about the Equifax response is that there has been a template for handling breaches. The Home Depot, Target, and a bevy of others have followed the playbook. Equifax had a tougher breach to handle, but it's not like it's the first data breach victim in the history of the world.
The post-breach playbook roughly goes like this: Disclose early and often; be transparent, outline the fixes and findings; and toss in identity monitoring for a period. Also, apologize and remedy the security issues.
But the good news for everyone not involved with Equifax is that there's a new template of what NOT to do. Let's go through the screw-ups.
DON'T create a security information site that isn't on your corporate domain. Equifax gets whacked by hackers and what does the company do? Create what appears to be a phishing site. You can't make this stuff up. Equifax sent customers to https://www.equifaxsecurity2017.com. That site isn't on the Equifax domain, and you think twice before even going to it.
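The check a wary visitor does in their head when they see an address like equifaxsecurity2017.com is whether the host is actually under the company's registered domain. The following is an added example (not Equifax code, and not from the original article) that makes that check explicit: it accepts only HTTPS links whose hostname is the corporate domain or a subdomain of it, and rejects the usual lookalikes (a different registered domain, a host that merely starts with the brand name, or a URL with user-info before the real host). The list of corporate domains is a constructed assumption for the example.

```python
from urllib.parse import urlsplit

# Domains the organization actually controls. Constructed assumption for this
# example; only equifax.com is referenced on the page.
CORPORATE_DOMAINS = ("equifax.com",)


def host_belongs_to(hostname, registered_domain):
    """True if hostname is registered_domain or a subdomain of it.

    A bare suffix test ("equifaxsecurity2017.com".endswith("equifax.com")
    is False, but "evil-equifax.com".endswith("equifax.com") is True) is
    wrong, so the comparison is anchored on a label boundary.
    """
    host = hostname.lower().rstrip(".")
    dom = registered_domain.lower().rstrip(".")
    return host == dom or host.endswith("." + dom)


def is_corporate_url(url, domains=CORPORATE_DOMAINS):
    """Decide whether a link really points at the corporate domain.

    Returns (ok, reason). ok is True only for an https URL whose host is one
    of the registered corporate domains or a subdomain of one.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "scheme is not https"
    # urlsplit.hostname is lower-cased and has port and user-info removed, so
    # "https://equifax.com@evil.example/" yields hostname "evil.example".
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        return False, "user-info before the host (lookalike trick)"
    for dom in domains:
        if host_belongs_to(host, dom):
            return True, f"host {host} is under {dom}"
    return False, f"host {host} is not under any corporate domain"


def classify(urls, domains=CORPORATE_DOMAINS):
    """Map each URL to the boolean verdict, for batch review of links in a notice."""
    return {u: is_corporate_url(u, domains)[0] for u in urls}


if __name__ == "__main__":
    # Constructed sample links: the page's own URL plus common lookalike shapes.
    sample = [
        "https://www.equifax.com/",
        "https://www.equifaxsecurity2017.com",
        "https://equifax.com.evil.example/",
        "https://evil-equifax.com/",
        "http://www.equifax.com/",
        "https://www.equifax.com@evil.example/",
        "https://WWW.EQUIFAX.COM.:443/personal/",
    ]
    for u, ok in classify(sample).items():
        print(("OK   " if ok else "REJECT"), u, "-", is_corporate_url(u)[1])
```

The only link in the constructed sample that passes is one whose host is a genuine subdomain of equifax.com; the page's equifaxsecurity2017.com fails because it is a separate registered domain, which is exactly why it reads like a phishing site to a careful visitor.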
DON'T ask for more consumer data that you haven't proven you can protect. Equifax asks for the last six digits of your social security number and your last name to determine if you may have been impacted. The last six digits of your social security number only make it easier to guess the first three. Gee, thanks.
DON'T offer a tool that appears to determine if you're safe or not, but doesn't hold up to scrutiny. Our own Zack Whittaker entered "test" as a last name and "123456" and was found to have been impacted by the breach. Replies to Whittaker's tweet note the random output from the Equifax tool.
DON'T give vague answers after collecting that data. After you cough up more data Equifax doesn't know how to protect, you get this notification:
DON'T enroll me for an identity service that you already own. Once you enroll for this TrustedID service, you find out Equifax owns it. At least splurge for a rival's service.
DON'T tell me you can't provide a damn calendar reminder notification. Once you click to enroll in Equifax's service, you get this gem...
Translation: Equifax doesn't have the technical know-how to send you an email reminder. Again, all the burden is on the consumer/victim.
DON'T look clueless on social. Equifax delivered a canned response on Twitter apologizing and understanding the "frustration this causes" in the middle of a tweetstorm.
DON'T legalese the people impacted by your security debacle:
Add it up and Equifax looks like a company with the following:
- A massive database with personal information that's not protected well.
- Little technology know-how.
- A need for more regulation -- since it has more valuable data on consumers than Facebook or Google.
- Class action lawsuits on the horizon.