Lessons learned for small businesses from the Equifax data breach
Data on 143 million consumers was stolen from Equifax, which is estimated to be about 57% of all U.S. adults. The massive data breach was announced by the company, one of the three credit reporting agencies in America, on 9/7/17. According to Equifax, the breach occurred from mid-May 2017 through July 2017. The announcement came 41 days after the discovery of the breach. Early comments and speculation imply the intrusion was through the website software used by the company. There are no reliable reports yet of who the criminals are.
While there have been larger data breaches, this one is more severe due to the breadth of confidential information stolen, including:
· Social Security numbers,
· birth dates,
· addresses and, in some instances, driver’s license numbers
Even small businesses can learn lessons from a data breach that is not in their industry. Consumers are expressing their frustration regarding the loss of their data. Specifically,
· People feel the 41-day delay to inform impacted customers was unacceptable.
· Customers expect fast, effective support after a breach. There have been numerous reports on poor customer experience. The customer service website was frequently not functioning correctly, information returned did not meet their needs, and 1 year of free credit reporting is not felt to be sufficient.
· Social media continues to play a big role in how consumers react to data breaches. There is extensive damage to Equifax’s reputation, with further negativity surrounding the selling of $1.8 million of stock by 3 executives 3 days after the breach was discovered. One of the 3 was the CFO; it is odd that a key senior executive was not informed for more than 3 days after discovery.
What you can do
The ramifications of this massive data breach will be felt for months and potentially years. Businesses as well as consumers may be impacted.
· If your business uses credit reports of consumers, be sure you have a strong procedure to verify that your customer is really who they say they are. Train your staff to review credit reports to ensure the activity makes sense for that customer; if not, confirm with the customer the information on the credit report.
· Expect more consumer customers to have credit freezes in place; this may delay your ability to grant credit to worthy customers.
· Have your cyber specialist review your website application to ensure all patches are up to date and you have a rock-solid protocol for future website patch management. Many cyber security experts say that website software is one of the most common avenues for illegally accessing data nowadays.
· Review your PR plan that you will use when you have a data breach. Don’t try to “wait and see” what will be needed; work with an experienced business continuity PR firm so you have a strong plan in place.
· Talk with your employees about this data breach and its impact, in the context of why it is so important that they follow your cyber security measures to help prevent data breaches.
· Here is a link to the Federal Trade Commission guidance on what consumers can do to protect themselves on this data breach.
About the Author - Carolyn Schrader is a seasoned cybersecurity professional and founder of the Cyber Security Group Inc., providing corporate cybersecurity services to high profile clients.