A couple of days ago, consumer credit reporting agency Equifax revealed that they had been breached, exposing personal information of about 143 million people in the U.S. and an undetermined number of Canadians and UK residents.
Full disclosure: I used Equifax a few years ago to check my credit score. I’ve since used their Potential Impact website to confirm if I’m at risk. Seems I’m not (though I did check 3 times as there have apparently been varying results for the same SIN numbers).
Now, I’m not a security expert. I don’t know the legality of all that’s happened. I’m just the guy interested in how this builds relationships. And I have to say, Equifax is being a bad, bad friend.
Just some of what I’ve read and how it translates in public perception:
- 40 days – Equifax revealed in a statement on Thursday (Sept 7) that the breach discovered on July 29 could expose the personal information of about 143 million people in the United States. That’s a span of 40 days from discovery to transparency.
Public Perception Translation: They kept this secret for 40 days while they were trying to figure out what to do.
- A time for signups – On the web page to find out if you’re impacted by the breach or not, Equifax takes the opportunity to “upsell” you to their free identity theft protection and credit file monitoring TrustedID for one year. American-only, it seems, and you’d have to pay after that year. This is a service that monitors if your information (you know, that stuff that was just stolen) is used to open credit accounts or shows up on seedy websites.
Public Perception Translation: They’re taking the opportunity to sell “identity theft protection” when their ability to protect is a little suspect.
- Sue or not to sue. Apparently, in the terms of use, people who sign up for TrustedID Premier security service waive their rights to be part of any class-action lawsuit. But there’s also confusion whether that’s Equifax itself or TrustedID (which Equifax owns). Again, I’m not a lawyer.
Public Perception Translation: They’re covering their ass from getting sued while disguising it as “help.”
- Timing is interesting. Three executives sold their stock just a couple of days after Equifax discovered the breach, for about 1.8 million bucks. Equifax has stated that the execs didn’t have any knowledge of the breach when they sold the shares.
Public Perception Translation: Their executives cashed in before it went public.
There’s still a lot of investigation to be done. What was hacked? How many non-Americans were impacted? So regardless of where this will all land, Equifax looks to be eroding one of the customer relationship cornerstones of their industry: trust.
This was their other apology:
Um, that was painful:
- “I want to take a few minutes to talk with you…” – this isn’t a 2-way “with you” conversation. More “at you.”
- “Make sure you have the facts” – trust isn’t their friend right now so I’m not sure how well the facts will be believed.
- “Let you know what we’re doing about this event.” – OK, we’re listening.
- “The unauthorized access occurred between mid-May and July” – OK, but why did it take until September to tell the public?
- “A disappointing event.” – WTF?! That might be a wee bit downplaying it in the eyes of your customers.
- “I deeply regret this incident and I apologize to every affected consumer and all of our partners.” – Good to apologize but it’s not clear if he’s apologizing that it happened or Equifax’s failure in it.
- “Taking an unprecedented step of offering every U.S. consumer in the country, a comprehensive package of identity theft protection and credit file monitoring at no cost.” – OK, a couple of things.
  - What’s unprecedented? That they are offering something for free?
  - Nice to hear U.S. consumers are covered. What about Canadian and U.K.?
  - This is actually for a one year term. Oddly not mentioned.
- A few points for actually doing a video with the CEO, regardless of the fact it’s 40 days after the event.
At a time when their customers are probably panicked they could be stolen from, anything from identity to bank accounts, this didn’t come across as the most timely and heartfelt “we screwed up, we’re sorry, we’re making sure it’ll never happen again.”
Regardless of what Equifax said in their statement or the actions taken by their organization, perception will hurt them the most. Right now, they look like a friend who you trusted with some of your most valuable information, who screwed up, hid it from you, is more interested in themselves than you, took advantage of the situation and doesn’t feel they have anything to truly apologize for in their role in it.
TrustedID sounds kinda ironic right now.
I like Jimmy Kimmel’s big reveal better.
https://youtu.be/AKHOZQJVBaM
UPDATE: Equifax has since released a report around this incident. If you’re so curious, check it out: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach (not a very snappy title but it gets to the point)