As has been widely publicized in the media, and as the firm noted on a special website, Equifax, one of the "big three" American credit bureaus, suffered a serious cybersecurity breach that may have jeopardized significant personal information about 143 million Americans, in addition to the credit card information and dispute records of hundreds of thousands of consumers.
While media reports have been quite comprehensive, several significant questions remain unanswered. I contacted Equifax via email and Twitter, but was told that the firm has "no further information to contribute at this point other than what is in the news release," so I decided to share my questions with my readers as food for thought:
1. Why is the firm offering only one year of protection for those whose data was stolen?
We are many years into the era of cybercrime, and criminals who steal personal information already know to wait to use the pilfered data until the expiration of the free credit monitoring services so often offered after breaches. Equifax is offering one year of credit monitoring and identity theft protection -- shouldn't the firm be on the hook for a lot longer than one year? Doesn't the present offer sound more like a ruse to loop in customers who will have to pay Equifax after their trial subscription ends if they want to be protected when it matters most? Worse yet, according to some reports, Equifax requires people to waive their rights to sue in exchange for the one year of protection.
2. Why should people whose data Equifax did not protect trust Equifax to protect them now?
To address the risk to consumers created by Equifax's cyber disaster, Equifax has offered the public its own credit monitoring and identity protection services. Shouldn't folks whose data was jeopardized by Equifax be offered the use of a different company's protection service? Is it really reasonable to expect people to want to protect themselves with a security offering from a firm that just jeopardized their data en masse?
3. Were people's PIN numbers compromised?
Equifax offers a security freeze service that allows people to lock their credit files, with a PIN needed for unlocking. While the PINs are hopefully stored hashed (i.e., passed through a one-way function rather than kept in plain text), a leak of the hash database could put the PINs at risk as well: a PIN has only a handful of digits, so every possible value can be hashed and compared against a leaked table. To date, Equifax appears not to have provided any information as to whether the PIN database's security was breached. Can Equifax please clarify the status of this important information?
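The point above, as an added illustration that is not part of the original article and has nothing to do with Equifax's actual systems: a constructed table of unsalted SHA-256 PIN hashes is exhausted in a few thousand guesses, whereas a per-record salt plus a slow key-derivation function (PBKDF2 here) raises the cost of every guess and stops one table lookup from serving every record. The 4-digit PIN length is an assumption chosen for the demonstration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

DIGITS = 4  # assumed PIN length for the demonstration (constructed, not a real format)

def fast_hash(pin: str) -> str:
    """Unsalted SHA-256: one-way, but cheap and identical for every user."""
    return hashlib.sha256(pin.encode()).hexdigest()

def recover_pin(leaked_hash: str, digits: int = DIGITS) -> Tuple[Optional[str], int]:
    """Measure the exposure: try every PIN of the given length against one leaked
    unsalted hash. Returns (recovered_pin, guesses_made); None if nothing matches."""
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        if hmac.compare_digest(fast_hash(candidate), leaked_hash):
            return candidate, n + 1
    return None, 10 ** digits

def slow_hash(pin: str, salt: bytes, iterations: int = 200_000) -> str:
    """Per-record salt plus PBKDF2-HMAC-SHA256: each record must be worked
    separately, and each guess costs `iterations` rounds instead of one."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations).hex()

def seconds_to_exhaust(digits: int = DIGITS, iterations: int = 200_000, sample: int = 10) -> float:
    """Estimate wall-clock time to test every PIN of this length against ONE salted record,
    by timing a small sample of guesses on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for n in range(sample):
        slow_hash(f"{n:0{digits}d}", salt, iterations)
    per_guess = (time.perf_counter() - start) / sample
    return per_guess * 10 ** digits

if __name__ == "__main__":
    leaked = fast_hash("4821")  # constructed "leaked" record, not real data
    pin, guesses = recover_pin(leaked)
    print(f"unsalted SHA-256: PIN {pin} recovered after {guesses} guesses")
    print(f"salted PBKDF2: ~{seconds_to_exhaust():.1f}s to exhaust {10 ** DIGITS} PINs per record")
```

Even with the slow hash the whole 4-digit space is only 10,000 guesses per record, so storage hardening buys time rather than safety; the freeze service itself still has to rate-limit and lock out repeated wrong PINs.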
4. Why wasn't the breach reported to the public sooner?
Equifax claims to have "recently discovered a cybersecurity incident involving consumer information" but according to its press release it has known about the breach since July. The domain being used by Equifax to house the special breach information website -- equifaxsecurity2017.com -- was registered in August. If Equifax was aware of the breach in July, and if the pilfered data could be used for identity theft crimes, why did it not disclose the breach to the public sooner? Why did it register the domain in August, but not upload the site's contents until a week into September?
5. What exactly qualifies Equifax as "a leader" in protecting data?
In a statement released to the press, Equifax chairman and chief executive officer, Richard F. Smith, said, "We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations." Now that Equifax has potentially suffered what may be the worst ever data breach as far as impact on American consumers, please clarify what Equifax was doing to make it "a leader" in protecting data. There is talk "on the street" that not that long ago the firm did not even have a CISO in place. Also, how exactly did so much data go out the door with nobody noticing?
6. Did Equifax executives sell stock after learning about the breach and before notifying the public?
Three Equifax executives sold almost $2 million of stock shortly after the breach was discovered -- and before it was announced to the public; an SEC filing shows that these sales were not pre-planned. According to The Guardian, Equifax claims that these executives had no knowledge of the breach when they made the sales. How exactly does Equifax know that? What type of formal investigation has been made into their actions to assure the public that Equifax executives did not trade based on insider information?
I await a response from Equifax.