On Thursday, consumer credit rating agency Equifax (EFX) announced what may become the most economically damaging hack in U.S. history, exposing the personal data of nearly half of all Americans.
The breach itself was bad enough, with class-action lawsuits and Congressional investigations on the table almost immediately. But the company’s haphazard response on myriad fronts has given the strong impression of inept leadership, leading security experts like Brian Krebs to refer to the hack’s aftermath as a “dumpster fire.”
Here’s a quick outline of what will likely become many entire business textbook chapters on how not to handle a gigantic data breach. And remember — Equifax discovered the breach on July 29. Most of these missteps came after nearly six weeks of preparation.
The Suspicious Stock Sale
Within four days of discovery of the breach, three top executives had sold huge chunks of company stock. The company claims the officers weren’t aware of the breach at the time of their sales. But even if that’s true (and here’s hoping we get a major investigation to find out), allowing the sales to go forward constitutes a major public image blunder.
Get Data Sheet, Fortune’s technology newsletter.
The Broken Security Check
Equifax’s response to the hack started with the rollout of an online tool to help members of the public determine if their data had been leaked. The premise of the tool alone raised some eyebrows, since it required giving a portion of your social security number . . . to a company that has shown it can’t be trusted with sensitive information.
Equifax: "To find out if we lost your social security number, please give us your social security number" https://t.co/S4o2hHjQfU pic.twitter.com/bDmgV3KjkU
— Christopher Ingraham🦗 (@_cingraham) September 8, 2017
Even worse, the tool had multiple technical breakdowns. Its security certificates were briefly invalid, leading web browsers to flag it as a phishing site. That seemed plausible, since Equifax hosted the tool on a newly-created page, not on its own trusted site.
Worst of all, multiple users who input fake names and SSNs were told that their nonexistent alter egos had been compromised.
Me: "Smith" and "123456"
Equifax: You're in danger. Sign up for our premium service for a year and then we'll start charging you.
WTF? pic.twitter.com/2IwSVKA4x4
— Justin Soffer (@JustinSoffer) September 8, 2017
@zackwhittaker So I just entered "Test" and "123456" on that Equifax eligibility page, and it says my data may have been breached. Sloppy.
— Makobeats (@Makobeats) September 8, 2017
As Krebs put it, it seemed that the tool was “completely broken at best and little more than a stalling tactic or sham at worst.”
The Lackluster Solution
Equifax’s checking tool was so underwhelming that most experts suggest that anyone with a credit history should assume they’ve been hacked. But what to do about it? Equifax, for its part, has offered to sign anyone up for its identity protection service, TrustedID, for free.
However, the signup process included a confusing waiting period, and wasn’t in effect for the weeks before the breach was disclosed. And while it could prevent hackers from opening new accounts in your name, it can’t prevent misuse of existing accounts, and doesn’t cover applications for credit screened through Equifax’s competitors.
Worse, as the New York Times points out, those who sign up for the free year of this (inadequate) protection will have to pay thereafter, since the threat won’t have disappeared. That means Equifax is essentially using its own data breach as lead generation, a distasteful move if there ever was one.
The Worrying Arbitration Clause
The TrustedID offer had another wrinkle – an arbitration clause that appeared to prevent enrollees from suing Equifax. Though it was quickly clarified that the clause didn’t encompass the breach itself, the impression that the company was trying to bait customers into waiving legal rights was troubling enough to draw comment from the Consumer Financial Protection Bureau.
The Twitter Fail
The day after disclosing its gargantuan hack, Eqifax’s customer support Twitter account struck a seriously inappropriate tone. “Happy Friday!” it tweeted, “You’ve got Stevie ready and willing to help with your customer service needs today!”
The chipper tone of the tweet, which seemed to be prescheduled and has since been deleted, was wildly out of tune with Equifax’s massive blunder. Twitter users took note, though many were remarkably supportive of poor, doomed Stevie.
This case of foot-in-mouth disease would normally be embarrassing enough on its own, but in this dumpster fire, it’s the least of the lot.
