On Thursday, consumer credit rating agency Equifax (EFX) announced what may become the most economically damaging hack in U.S. history, exposing the personal data of nearly half of all Americans.
The breach itself was bad enough, with class-action lawsuits and Congressional investigations on the table almost immediately. But the company’s haphazard response on myriad fronts has given the strong impression of inept leadership, leading security experts like Brian Krebs to refer to the hack’s aftermath as a “dumpster fire.”
Here’s a quick outline of what will likely become many entire business textbook chapters on how not to handle a gigantic data breach. And remember — Equifax discovered the breach on July 29. Most of these missteps came after nearly six weeks of preparation.
The Suspicious Stock Sale
Within four days of discovery of the breach, three top executives had sold huge chunks of company stock. The company claims the officers weren’t aware of the breach at the time of their sales. But even if that’s true (and here’s hoping we get a major investigation to find out), allowing the sales to go forward constitutes a major public image blunder.
The Broken Security Check
Equifax’s response to the hack started with the rollout of an online tool meant to let members of the public check whether their data had been exposed. The premise of the tool alone raised eyebrows, since it asked for your last name and the last six digits of your Social Security number . . . to be submitted to a company that had just shown it could not be trusted with sensitive information.
Even worse, the tool had multiple technical breakdowns. Its TLS certificate was briefly invalid, and web browsers and security filters flagged the site as a likely phishing page. That verdict was not unreasonable, since Equifax hosted the tool on a newly created site rather than on its own established domain, which is exactly what a phishing operation would do. Training the public to type partial SSNs into an unfamiliar domain makes a genuine lookalike attack far easier to pull off.
Worst of all, multiple users who entered made-up names and SSNs were told that their nonexistent alter egos had been compromised, which means the tool could not have been checking its input against the actual set of affected records.
As Krebs put it, it seemed that the tool was “completely broken at best and little more than a stalling tactic or sham at worst.”
The Lackluster Solution
Equifax’s checking tool was so underwhelming that most experts suggest that anyone with a credit history should simply assume their data was exposed. But what to do about it? Equifax, for its part, has offered to sign anyone up for its identity protection service, TrustedID, for free.
However, the signup process involved a confusing waiting period, and no protection at all was offered during the weeks between the company’s discovery of the breach and its public disclosure. And while credit monitoring may alert you when someone tries to open a new account in your name, it does nothing to prevent misuse of accounts you already hold, and it does not cover credit applications screened through Equifax’s competitors.
Worse, as the New York Times points out, those who sign up for the free year of this (inadequate) protection will have to pay thereafter, since the threat won’t have disappeared. That means Equifax is essentially using its own data breach as lead generation, a distasteful move if there ever was one.
The Worrying Arbitration Clause
The TrustedID offer had another wrinkle – an arbitration clause that appeared to prevent enrollees from suing Equifax. Though it was quickly clarified that the clause didn’t encompass the breach itself, the impression that the company was trying to bait customers into waiving legal rights was troubling enough to draw comment from the Consumer Financial Protection Bureau.
The Twitter Fail
The day after disclosing its gargantuan hack, Equifax’s customer support Twitter account struck a seriously inappropriate tone. “Happy Friday!” it tweeted, “You’ve got Stevie ready and willing to help with your customer service needs today!”
The chipper tone of the tweet, which seemed to be prescheduled and has since been deleted, was wildly out of tune with Equifax’s massive blunder. Twitter users took note, though many were remarkably supportive of poor, doomed Stevie.
This case of foot-in-mouth disease would normally be embarrassing enough on its own, but in this dumpster fire, it’s the least of the lot.