I’ll give you four dates, and you tell me what’s wrong with this picture…
- One of the nation’s three big credit bureaus, Equifax, was breached in mid-May.
- Equifax figured that little fact out July 29.
- It told the public on Sept. 7.
- Meanwhile, way back at the start of the year, Donald Trump promised a plan to improve American cybersecurity by April 20.
Don’t think too hard. It should be easy to answer.
There’s plenty to pick from, from the fact a major credit bureau — which sells identity protection services to consumers — didn’t notice our Social Security and credit card numbers were vulnerable for over two months, to not reporting it for over a month, to another broken promise from Trump.
If Donald Trump wants easy wins, he could start with his least controversial promises — even if they were empty at the time. Equifax’s failure should be America’s gain.
“Powering the world with knowledge”
That’s Equifax’s unironic slogan, adopted last year. The little letter where they announced it to shareholders also had this gem: “We are conditioned to anticipate our customers’ needs and issues and seek solutions on their behalf — often before they even realize they have a problem.”
Weirdly, Equifax didn’t realize it had a cybersecurity problem for two months. The personal data of more than a third of Americans (143 million people) had been stolen. That includes Social Security, credit card, and driver’s license numbers, plus birth dates, names, addresses, and more.
It’s one of the largest data breaches ever, made all the more stunning because it’s a company that preaches — and sells — data security. And somehow Equifax didn’t anticipate customers might be a little outraged that the company…
- Had three executives sell off stock between the hack and making it public. (The company denies they knew about the hack at that point.)
- Wasn’t prepared to handle the volume of people who wanted to see if they were victimized, leading to unanswered phone calls, system errors, and lots of confusion.
- Planned to offer free credit monitoring for a year, but didn’t use its month-long delay in notifying the public to actually get the offer in place and wouldn’t actually let people sign up right away.
- The free TrustedID subscription is also “subject to automatic renewal,” meaning the company will inevitably profit off some of the people it failed with a service meant to protect them from what they failed at, unless everyone remembers to opt out.
- Wasn’t planning to waive fees for credit freezes — something victims should consider to avoid the risk of identity thieves opening new credit in their names.
U.S. Senator Richard Blumenthal channeled that outrage in a letter to the company’s CEO. He called Equifax’s response to the situation “stunningly inadequate” and its remedies “pathetic.”
He demanded at least two years of credit monitoring, free credit freezes and identity theft insurance, clearer terms of service, a more usable and useful website, and an awareness campaign about the breach because most consumers don’t even know about Equifax and might not realize the credit bureau has data on them.
Trump should do what he’s good at — hop on Twitter, bash Equifax as “sad!” and “failing,” and take all the credit for legislation that hasn’t gone anywhere yet, but now should.
Yes, the security aspect of “cyber” is tough
At the first presidential debate between Trump and Hillary Clinton, Trump was asked about cyberattacks. After a tangent about China and a stereotypical 400-pound hacker, Trump infamously word-vomited out this:
We have to get very, very tough on cyber and cyber warfare. It is a, it is a huge problem. I have a son. He’s 10 years old. He has computers. He is so good with these computers, it’s unbelievable. The security aspect of cyber is very, very tough. And maybe it’s hardly doable. But I will say, we are not doing the job we should be doing, but that’s true throughout our whole governmental society. We have so many things that we have to do better, and certainly cyber is one of them.
This answer made it obvious to many people that Trump doesn’t really know anything about computers; it was just one of many subjects he blustered his way through to the presidency. But he’s right about one thing: Securing our data may be hardly doable.
But in the Equifax case, even that wasn’t true. The worst part of the hack is that it was entirely preventable. The company has admitted the breach was made possible by a vulnerability that could have been patched two months earlier. As usual, identity theft doesn’t happen because hackers are super smart — but because companies are so, so dumb. And when you’re that dumb with sensitive data on every American, there should be penalties. No-brainer.
Securing our data is tough. What we do when our data is stolen is not tough at all. There should be national standards for notifying consumers about data breaches (state standards vary), and a minimum bar set for an adequate response to address the fallout.
Since the Target breach a few years ago, breaches have come fast and furious. Every time, companies are caught flatfooted. It’s time to fix it.
There should be bipartisan consensus — Obama, Republicans, and Democrats all worked together on some bills — and Trump can look good after flaking out on the late cybersecurity plan that turned out to be nothing more than a carbon copy of Obama’s policy.
Article last modified on September 21, 2017. Published by Debt.com, LLC.