About a week-and-a-half ago, Equifax, the credit reporting and data security firm that is one of Atlanta’s leading companies, announced that it was a victim in one of most significant data breaches ever.
And then things got even worse.
First, the breach itself apparently exposed the Social Security numbers, dates of birth, names and addresses of 143 million people in the United States. Those key pieces of information are the kind cyber-crooks look for to steal identities.
The company bungled its initial steps of sharing the bad news, foreshadowing the pummeling it’s now taking.
Consumer advocates were enraged at how the company informed the public, releasing the news at the end of the day when it’s less likely to make the news — and more than a month after the company learned of the breach.
Then financial reporters uncovered that after the company found out about the breach, but before it informed the public, three senior executives sold stock, cashing in before their shares took a dive.
A company spokesman later said the executives didn’t have knowledge of the breach before they sold, something that’s hard to believe. Senior leaders, including the chief financial officer, didn’t know about the biggest kind of crisis their company could face?
The respected online site MarketWatch was particularly brutal in its assessment, noting that the company was quick to offer some spin to its bankers:
“Those fishy sales and the openness to investment banks amid public silence suggest executives’ main concern was limiting damage to Equifax’s valuation and their own investments” it said.
Then the situation got even worse.
According to the AJC’s J. Scott Trubey, who told me the company has “hardly responded and only by e-mail” to his questions:
“Equifax has offered victims a free year of credit and identity protection services and vowed to upgrade security.
“But some slammed the company for fine print in the free protective services that would seem to lock consumers into binding arbitration. Equifax said the arbitration clause only applied to problems that might arise from the use of the free products, not the liabilities that result from the hack.”
The company then revised its plans.
Adding to the problems, call centers set up by Equifax apparently were unable to handle the questions from consumers; its web site didn’t work well and lacked information.
All of this from a company that has deep Atlanta roots and operates a business based on the quality and security of its information.
Next, former Georgia Gov. Roy Barnes and a team of lawyers filed a lawsuit against Equifax, forming the vanguard of what will inevitably be a long line of legal attacks on the company.
We’ve seen a prominent Atlanta company face a breach before.
About three years ago, The Home Depot announced it had been breached. In that incident, about 56 million credit card numbers were hacked.
Home Depot and Equifax differ in important ways. A consumer giant, Home Depot directly faces customers and markets to average people. Equifax is a data company that offers sophisticated information products to businesses, putting them at least once-removed from the typical consumer.
Perhaps that explains the difference in each company’s reaction to their data breaches.
Home Depot announced it had been breached on the same day it found out, and it apologized to its customers that same day. Within a week, it promised its customers that they would not be responsible for any fraudulent charges, and consumers got another apology – from the CEO. Home Depot also set up a call center to handle 50,000 calls a day, even though it never got more than about one-fourth of that, according to Fortune magazine.
To be fair, Home Depot had periods of difficulty where the company shared little information about what was going on.
Equifax doesn’t have the same kind of direct consumer connection. But it also deals routinely in highly sensitive information. It ought to have been prepared for this, it seems.
According to Justin Zeefe, co-founder and chief strategy officer of the cybersecurity firm Nisos Group, breaches throw a company into crisis.
“It can get very messy, very quickly,” he said in characterizing his work with companies trying to figure how to respond.
Zeefe was careful not to talk specifically about any of his clients, but he offered a look at what can happen when a company has a data breach.
Companies typically find out about the breach because of unusual activity on their network. In some rare instances they are informed by the FBI or another federal agency because their data has been spotted for sale on the dark web.
Then they realize that the company faces potentially huge financial costs and major damage to its reputation.
He noted that a breach would be much harder on a data company like Equifax than on a retailer.
The company’s first step has to be to end the hacker’s access to its data, and to be sure it has, Zeefe said. After that comes a forensic examination of its network to assess the damage.
That’s when things can get hard and corporate politics come into play. After all, someone is ultimately responsible and jobs can be at stake, he said.
“It shouldn’t take months or even weeks to report,” he said.
Equifax faces the additional challenge that the other credit bureau companies face: they are a favorite punching bag for consumers. And now Congress has gotten into the fray, and some are calling for greater regulation of the industry.
It’s worth noting that credit bureaus provide crucial lubrication to the American economy. For example, we go to a car dealership, pick out a new ride, apply for the loan and drive off within minutes. Equifax, TransUnion and Experian are why that’s possible. They let the lender know who you are and why you’re a good credit risk.
If buying a car, or getting credit, were harder and took longer, business wouldn’t work as fast or conveniently.
So for the sake of our economy, and for Atlanta, Equifax better find a way out of this mess and figure out how to avoid future breaches.