Equifax: How Not to Handle a Data Breach

Jackson Lewis, Associate Editor

Equifax sign

ATLANTA -- News broke recently that hackers gained access to sensitive personal data of up to 143 million Americans through credit reporting agency Equifax.

The data in question includes Social Security numbers, birth dates and home addresses—everything the “bad guys” need to steal someone’s identity.

Hackers also gained access to an unspecified number of driver’s licenses, credit-card numbers for 209,000 customers and credit dispute documents for 182,000 more. Aside from assuring customers that the company’s “core consumer or commercial credit reporting databases” do not appear to be affected, Equifax has not given more details on what type of data was accessed.

If ever there was an example of how not to handle a data breach, Atlanta-based Equifax has provided it. The company waited too long to notify the public of the breach. Bloomberg reported that three executives sold stock in the company shortly after the breach was discovered over a month ago. And the company is facing a class-action lawsuit accusing it of being too lax with security in the interest of saving money.

Also, the website Equifax has released as a tool for consumers to check if they may have been affected by the breach has not performed well or been well-received.

Click through for more details on what happened to Equifax, how it botched the response and what convenience-store operators can learn from this debacle …

Too little, too late

Credit card security

The breach took place between mid-May and July 2017, according to a press release from Equifax. The company discovered the unauthorized access July 29. Although the company claims it immediately reached out to law enforcement and a cybersecurity firm, it waited six weeks to notify the public.

According to the Georgia Personal Identity Protection Act, Georgia state law requires that any business that is breached and loses personally identifiable information must notify affected Georgia residents “as soon as possible.” This can be through mail, telephone or electronic means, such as email. If the breach is large enough—which it is—public service announcements will suffice.

But according to Equifax, the company has not yet reached out to those affected in Georgia, or anywhere else in the United States, for that matter. While the Sept. 7 announcement could be considered a public service announcement, it has come far too late and does not specify who is or is not a victim. The release states that Equifax “will send direct mail notices” to those affected, meaning it has yet to do so. The company did not give a timeline of when these mail notices will be sent.

It just looks fishy


Days after the breach was discovered, three high-level executives, including John Gamble, chief financial officer; Joseph Loughran, president of U.S. information solutions; and Rodolfo Ploder, president of workforce solutions, together sold a total of nearly $1.8 million in company stock, according to Bloomberg.

An Equifax spokesperson told Bloomberg the executives “had no knowledge that an intrusion had occurred at that time.” While the explanation is plausible, the timing of the sale is inopportune, to say the least.

See you in court

Complaint filed

A complaint filed in Portland, Ore., federal court alleges that Equifax chose to cut costs instead of spending more on cybersecurity measures to combat data breaches such as this.

The case was filed by Olsen Daines PC with Geragos & Geragos, a firm known for “blockbuster class actions,” according to Bloomberg. The lawsuit seeks as much as $70 billion in damages nationally.

Not very TrustedID

Equifax website

Equifax has directed those interested in learning whether or not their information was part of the breach to a website. The site lets visitors know if they are affected by the breach and allows customers to enroll in TrustedID Premier, a security service run by Equifax, Experian and TransUnion, two other credit-monitoring firms.

But the website was available only intermittently the day it launched, according to Brian Krebs of online news source Krebs on Security. Also, the site asks visitors to input the last six digits of their Social Security number, information many are skeptical about handing over in light of the data breach.

Watch and learn

Consumer trust

Equifax’s failure is not just that it did not handle its own security or that of its users well. As a credit-reporting agency, the company automatically assumes a level of responsibility beyond most businesses to keep its customer information safe. Not only did it fail to protect its customers, but it also failed to properly notify them, leaving millions uncertain about their financial security, according to several reports.

No c-store chain assumes the same level of responsibility with customer data, but the convenience industry still shepherds sensitive consumer data—namely credit-card numbers—every day. Learn from Equifax’s bad example. Make it a point to invest in cybersecurity before, not after, disaster strikes. If disaster strikes anyway, notify those affected quickly and ensure they have the proper tools to defend their identity from bad actors.

Even well-handled data breaches make companies look bad to the public, but damage to a company’s image can be mitigated through careful planning and risk management.