
Equifax data-theft and a pandora’s box!

Equifax response – throwing up a pandora’s box?

Equifax is one of the largest credit reporting companies in the US, and a few days ago it went public that hackers had stolen sensitive personal information on as many as 143 million people from the credit reporting firm. That’s data on almost half of the US population.

This is by far the biggest data theft in recent times, by any standards, from any company across the globe.

Lawmakers in the US are now looking at how much more accountable such data-driven companies should be held, given the sensitive nature of the information they store and decipher.

But from a communications point of view, how plausible is Equifax’s argument for reporting an incident of such humongous proportions almost 2 months or so late?

Equifax learned about the breach on July 29 but didn’t reveal it for more than a month. The hackers stole credit card numbers of about 209,000 people and also got documents with personal information on 182,000 victims.

On the technical front, there are also reports that Equifax’s data breach was the result of the company’s failure to patch a two-month-old bug in Apache Struts, despite multiple reports of the bug being exploited in the wild.

After the fallout of this incident, Equifax also offered a free year of credit monitoring, known as “TrustedID Premier”, to its consumers, but a careful read of the conditions revealed that those who accepted would also be giving up the right to sue over damages.

Some questions that come to mind on this issue are:

  • Was there a deliberate delay on the part of Equifax in reporting the data theft to the public at large and to the authorities?
  • If they say they took time to discover the unprecedented volume of data stolen, what does that say about the security systems the company had in place, especially when the company’s business rests on the bedrock of the public’s credit data?
  • What kind of information security audits do companies like Equifax, who own public data, go through, and how rigorous are these infosec audits?
  • By having overriding conditions that the customer loses the right to sue if he agreed to the one-year credit monitoring, was Equifax blatantly exploiting the misery of the consumer and trying to protect itself legally, rather than really wanting to do good after the data got stolen?
  • Can companies that thrive on data really be unaware of such massive information leaks for more than a month? Is it really believable?

There is a volley of other such questions that clearly point to, probably, a series of lapses on the side of Equifax.

Author:

Freelance writer and Independent public relations practitioner - based in Chennai, India. Writes on a spectrum of contemporary issues, news, and just about anything. Offers writer-in-a-box solutions... can be reached at murali@muraliwrites.com
