How Not To Handle A Data Breach

New revelations about the Equifax breach are not pretty

In an article I posted on 8 September, I expressed my thoughts that, based on the information I had at the time, Equifax handled the breach well, at least from a Public Relations perspective.

In that article, I referred to Terry O'Reilly's podcast, "When Brands Apologize: Sorry Seems To Be The Smartest Word." An important part of the podcast was that the apology must be sincere.

Image of Terry O'Reilly's Podcast

Brian Krebs has a new article, "Equifax Breach Response Turns Dumpster Fire" which contains some allegations that make it clear that the apology was likely insincere.

Some of the key points from Brian's article that indicate insincerity are:

  • Site appeared not to be accessing real data when performing the check
  • Sale of stock by executives prior to the public announcement
  • Class action waiver as part of the credit protection sign-up
    • Equifax said the waiver would not apply to this incident

For me, the database seemed to identify attempts to enroll with a fake username and last six digits, at least on desktop.

When I checked the username qwerty with a last six of 654321, Equifax identified that the account was not impacted:

Equifax Fake Name Check 1

Response related to these credentials (not compromised):

Equifax Fake Name Check 1 Response

Wondering whether they had just put some simple data filters in place to catch obviously bogus names, I tried a slightly more sophisticated fake name and last six.

Input: username aselruiy, last six 172950.

Equifax Fake Name Check 2

Server response (not compromised):

Equifax Fake Name Check 2 Response

I was unable to complete the Captcha on my iPhone, even though iOS is up to date, so I was unable to test whether I get a different result on mobile at this time.