The Best Response To A Data Breach

Equifax's response to their massive data breach, how to see if you were affected, and how to enroll in protection.

On 7 September, 2017, Equifax, one of the three leading U.S. credit bureaus, announced a data breach potentially affecting 143 million Americans. With the U.S. population at about 326 million, that's almost half of all Americans. Pretty huge.

This post isn't about the breach itself or to say "shame on Equifax." It's about what I feel they did right in the aftermath, how you can see if your records may have been breached, and how you can enroll in their free protection services.

Announcement of the Equifax Breach

Have a look at CEO Rick Smith's YouTube video announcing the breach:

What Rick Smith said in his model statement on the breach:

  • When the breach was discovered (Jul 29th)
  • Equifax acted immediately to stop the intrusion (of course, but good to state it)
  • Equifax engaged a leading external firm to investigate the breach
  • When the breach occurred (between mid-May and July)
  • Core credit reporting databases had not been breached (no evidence of that at this time, anyway)
  • He deeply regrets the incident and acknowledged that it is very serious
  • Apologized to every affected consumer and to partners
  • Offered every U.S. consumer a "comprehensive package of credit theft protection and credit file monitoring" at no cost
  • Opened a special help line for consumers

He also had this well-crafted statement about the breach:

"Equifax will not be defined by this incident, but rather, how we respond."

Equifax's response to the data breach reminded me of one of Terry O'Reilly's Under the Influence podcast episodes, "When Brands apologize, sorry seems to be the smartest word."

Let's hope that, when a breach occurs at our work, it won't be as widespread, will be detected and contained much more quickly, and our leaders will have the intelligence and foresight to handle it as Equifax is doing. At least on the Public Relations and Customer Relations fronts, Equifax is a model to follow.

How to see if your account was compromised

Equifax has set up a site to let you see if your account may have been compromised.

  • Go to the site, https://www.equifaxsecurity2017.com/, and click on Potential Impact.
  • Click on Check Potential Impact
  • Enter your last name, last six digits of your Social Security Number, and click the "I'm not a robot" check box
  • Click Continue

Check Equifax Database Input Form

For me personally, the database quickly returned a result saying I may have been compromised.

Equifax Breached Record Example

My account being one of the ones possibly compromised, I was offered the free protection. Of course, I clicked Enroll.

Equifax Breached Record Enrollment

I have to continue the process on 13 September.

I hope you weren't among the almost half of the U.S. population affected. If you are, it is a good idea to enroll in the service offered.

Brian Krebs' article has more details on the breach. [update 9 Sep 2017] I read in Brian Krebs' article that this protection will be offered only for one year. That part's not cool. It should be offered for life.

[update 11 September 2017] Well, this is going downhill fast. Brian Krebs put out a follow-up article indicating that the site set up to register users is not really checking any database. Different results are obtained for the same account depending on whether it is checked with a desktop or mobile device. Also, when Brian tested by entering a fake account, he received the same messages.

I can understand that the logistics of having hundreds of thousands of users sign up for a service at once require some planning. However, if this is just a front to buy more time, that's not cool.

The company should simply be up front and say, "It is taking us some time to set up the infrastructure to handle the expected huge influx of requests," or something to that effect.

Also, Equifax does have a huge infrastructure in place already, so it shouldn't be too much of a stretch.

I'm doing a new post on How Not to Handle a Data Breach instead of having two posts in one here.
