Equifax UK - How not to manage the communications of a cyber breach

Posted on 13 October

 

Raising awareness for European Cyber Security Month, Charlie looks at the Equifax data hack, as an example of how cyber security incidents should not be handled.

One of the things I noticed during my research when developing BC Training’s Managing and Preparing for Cyber Incidents course, was the lack of guidance on how to respond to a cyber incident. There was lots of information on how to prepare and react from a technical point of view, but little on how to manage the strategic or the crisis management response, and even less on how to manage communication after a cyber breach. I often find the best way to learn incident management is to look at how others handle crises and see whether I would manage them differently, as well as reading the opinions of those commenting on the incidents. So, for this bulletin I thought I would look at how Equifax, who has recently had to admit to a data breach of their UK customers, portrayed the breach on their website and the lessons we can learn on how not to manage the communications associated with a cyber breach.

Equifax is a credit score management company, who had a major data breach in the USA and lost a large amount of their customers’ sensitive data. One of the interesting alleged facts of the event was that they took a month to tell the public about the breach, but a number of senior managers sold their shares in the company three days after finding out the breach had happened! Equifax initially claimed that UK customers were not affected, but within the last week they have had to admit that a total of 694,000 customers in the UK have had their data stolen. Last month the company’s original estimate was fewer, at nearly 400,000 and they denied that stolen UK data included any addresses, passwords or financial information. However, they have now revealed that data belonging to 15,000 customers, who had their Equifax membership details accessed, did include passwords and partial credit card details.

Equifax has done the right thing by putting a banner on the front page of their website, so you can immediately click thorough to the information on the data breach. The banner is pretty small, but you wouldn’t miss it. What is more interesting is that it has been imported straight into the existing website, so they are still selling through their website, probably with no change prior to the breach being announced. Perhaps this is appropriate due to what they are selling, but I think organisations should consider whether they should tone down their sales or even stop sales totally during a crisis.  

The tone of the information on the breach is interesting. It seems to have been written by neither a lawyer nor a communications professional, and as a piece of public information is very contradictory. The first part of the website is very vague in dates; “In early September 2017, our US parent company announced it had been the victim of a criminal cyber attack back in May”. As a reader, this has alarm bells ringing; the breach took place in May, but they didn’t realise until September! The vagueness in dates contradicts with the information later in the piece saying “12,086 people have had their email address associated with their Equifax account in 2014 accessed. 14,961 people have had their Equifax membership details from 2014 accessed.” They know exactly down to the last number those affected, but they can’t say when they found out about the breach.

Equifax try and portray themselves as the “victim of a criminal cyber attack”, so the blame is placed elsewhere, rather than saying they were hacked because, as alleged on the BBC website, they had not patched their system even though they were told to do it a number of times in March.

There are two lessons here. Firstly, you need to get a professional person to write the information displayed on your website. In this case, it looks like the website administrator has been asked to write the piece. Secondly, with the number of hacks going on, can you really portray yourself as a victim when you should have taken appropriate steps to protect yourselves? The tone of the piece is rather reminiscent of Tony Hayward’s “I want my life back”, we have been hacked, we are not really concerned about our customers, but are annoyed that this incident is causing us lots of hassle and we just want to get on with making money. Using phrases like ‘This time-consuming and technically difficult analysis” when they talk about identifying customers to send letters to, again seems to tell the reader they feel as though they are having to work very hard, not acknowledging the fact that their customers have the time consuming job of protecting themselves against the loss of data.

In the same vein, there is no apology on the website for the hassle this has caused to their customers and it is their security which has been put at risk by the loss of data. There is also no visibility of senior managers or the CEO, who have not signed off the piece.

The impression I get from the response by Equifax is of a company who cares much more about themselves than their customers. Data breaches are going to happen and could happen to your organisation. Do you have procedures in place to manage the communications element and do you have skilled personnel or advisors which would stop your organisation making the same mistakes as Equifax?

Read more from Equifax here: www.equifax.co.uk/incident