- The Equifax breach is already one of the largest known corporate data breaches in U.S. history, affecting up to 143 million Americans.
- Despite seeming counterintuitive, breached organizations should offer as much detail as possible, refrain from firing anyone immediately, and keep talking about the incident after it is over.
By now, most know of the data breach at credit-monitoring firm Equifax. Revealed September 7, attackers compromised a software flaw in the Apache Struts web application framework to access the personal and financial data of up to 143 million Americans, likely more than half of the U.S. adult population.
Many have commented on how Equifax could have avoided the breach, but few know all the factors that ultimately led to it. Until a full investigation takes place, blaming lax software patching, ineffective data exfiltration prevention, or inexperienced IT security management (as some have) is premature and trite.
Yet, it’s not too soon to examine the mistakes Equifax has made in its public response, which has been widely panned by industry observers for, among other reasons, offering too little detail, confusing victims with unclear and sometimes nonfunctioning credit-protection recourse, and even using confusing legalese to encourage victims to surrender certain legal rights involving recourse.
Below are three somewhat counterintuitive ways Equifax could have improved its breach response.
- Offer as much detail about the incident as possible, as quickly as possible. This is little more than basic crisis management. For an organization like Equifax, a data breach is not only a costly business disruption, but also a breach of the public’s trust. Beyond stopping the intrusion, there’s no bigger priority than convincing the public (and especially shareholders for a public company like Equifax) that the organization knows what happened, and why it happened, and is working diligently to fix the problem and prevent future ones. Yet, when it announced the breach, Equifax declined to share when or how it was breached, or how long the event lasted, even though it had already been investigating the breach for weeks. This led to more pile-on public criticism.
Instead, as soon as a breach is discovered, part of the organization’s breach response plan should include detailing every who, what, when, where, why, and how of the incident, releasing as much information as possible as quickly as possible. If details are unclear, tell the public what the worst-case scenario is. This may seem unwise, but the public in general – and the security community especially – will appreciate the transparency. Plus, so many breaches have turned out to be worse than originally described. If further investigation reveals the breach isn’t as bad as it seems, that ultimately will help the organization’s image as it recovers later on.
- Don’t fire the CISO/CTO/CIO/CEO, at least not right away. Equifax announced that its chief security officer and chief information officer had “retired” September 15, and its CEO did the same this week. Their careers were sacrificed in order to reduce negative sentiment among the public and the media. Many companies employ public scapegoats in scandals, so it’s no surprise here. However, by removing three of its top leaders, it’s hard to argue that the organization is in a better position to effectively handle the incident and accelerate its recovery.
A breached organization shouldn’t give in to the temptation to fire key staff. Instead, announce that specific, key leaders are personally handling the incident, and that organizational roles and responsibilities related to information security will be reevaluated following the conclusion of the remediation and investigation. Share which third-party experts are assisting and what role they will play. If the investigation finds that key leaders didn’t do their jobs and deserve to be let go, or there’s immediate proof of negligence, so be it, but an organization shouldn’t deprive itself of its best assets in a feeble attempt to score favorable headlines that will quickly be forgotten.
- Keep talking about the incident, even after it’s over. Most organizations try to resolve a breach quickly and then promptly forget it ever happened. That’s a mistake. Any company that can be breached once can be breached again, and learning from a breach means keeping it in living memory.
Instead, the organization should use the incident as an opportunity to explain why it was an attractive target, and how it works to improve its security practices on an ongoing basis. This serves to rebuild trust with the public and creates the impression that the organization actually learned its lesson about the importance of information security.
These are important lessons not just for Equifax, but any organization responding to a data breach. Like other breach victims before it, Equifax will learn that, long after the attackers have disappeared into cyberspace, a successful breach response effort goes on for months and years to come.