Since news broke on Thursday that Equifax (EFX) had the personal data of some 143 million Americans — including names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers — stolen, things have stuck to the script with depressing predictability.
Equifax’s blows a larger hole in our collective privacy than most data breaches. But in most other ways, it’s the same old sorry story.
Once again, a company collected data that’s both sensitive and often mandatory to function in much of American society while allowing us little oversight of its use. Then it managed to lose control of this information. It’s now trying to make up for that with the standard remedy of a year of free identity-theft monitoring services.
And once again, it’s not acting like we need to know much about how it got hacked.
July’s news in September
Equifax’s news Thursday was not news to anybody in the company involved in the case. The company learned on July 29 that strangers had been poking around its site since the middle of May.
Equifax told the rest of us about this Sept. 7 — almost six weeks after July 29. It’s also more than two weeks after the company’s Aug. 22 registration of the equifaxsecurity2017.com domain it’s using to provide customers with information about this debacle.
(In case you were wondering, the domain equifaxsecurity2018.com already exists. Somebody registered it privately Thursday afternoon; we can only hope it’s not Equifax.)
Equifax’s press office did not return two phone calls, and its mail server blocked an email I sent Friday morning.
The company’s FAQ, however, offers this explanation for the delay:
“Because this incident involves a substantial amount of personal identifying information, the investigation has been complex and time-consuming. As soon as we had enough information to begin notification, we took appropriate steps to do so.”
Unfortunately, Equifax is only playing to type in taking its time to notify its customers that their data’s now in the wild. Delayed disclosure of data breaches was enough of a problem in 2014 to push senators to introduce two different bills to protect customers; Congress being Congress, it passed neither and has since moved on to other things.
On the other hand, maybe if Equifax had dawdled even longer, it might have had time to reconsider a fine-print clause requiring customers to waive their right to join a class-action suit. After being called out by New York state attorney general Eric Schneiderman and many others, Equifax updated its FAQ to clarify that taking its credit-monitoring service waives no class-action right to sue over the data breach.
Will we know what went wrong?
The worst may be yet to come. I don’t mean only in the potential financial risks to 143 million Americans — as in, 44% of the total U.S. population as of last July. I also mean in terms of whether Equifax shares its lessons learned.
The company has offered a vague explanation of the hack — “a U.S. website application vulnerability” let unidentified hackers sneak in — and said it’s hired “a leading, independent cybersecurity firm” to report on what went wrong. But it hasn’t said it will publish those findings.
The traditional script after a cybersecurity screwup is to keep any such findings secret. That may keep the company’s lawyers happy, but this silence doesn’t help other companies to adopt safer practices and teaches customers that, shucks, hacking just happens.
And it’s the polar opposite of how we handle accidents in transportation, public health and other industries.
“These things all have mandatory disclosures around them so we can all know about it and the people who built those systems can learn from it,” Veracode co-founder Chris Wysopal observed in a 2016 talk at the Collision conference.
The cybersecurity-defensive-crouch version of that response, he mocked, is less helpful: “The plane crashed; this is how many people died; how it happened is going to be a secret.”
Wysopal hasn’t seen a big push towards transparency since then. “I haven’t seen much push for breach information disclosure,” he wrote in an email Friday. “The ‘what went wrong’ is kept to a minimum.”
The only firms that do document what went down, another security expert noted, are those already in the security business. Chris Vickery, cyber risk analyst at Upguard, pointed in an email to a detailed report on a site malfunction that the web-security firm Cloudflare posted in February as “a great example of how an incident should be laid bare and all the details shared.”
“I would really love to see such transparency from Equifax,” this data-breach detective wrote. But he’s not optimistic. Neither am I.
Best to expect bland “it’s been handled” reassurances—after which we can learn nothing and then repeat the whole miserable cycle in a year when some other company fumbles another hundred million or so people’s records.
More from Rob: