When it comes to security, it’s better to be safe than sorry. But as the Equifax leak case has taught us, once a security breach does happen, it’s best not to be sorry twice. Read on so your business doesn’t experience the same fate as the giant, bumbling credit bureau.
What happened to Equifax?
Equifax, the large American credit bureau, announced in September 2017 that attackers had broken into its systems and stolen the personal data of around 143 million people, mostly US consumers, along with a smaller number of UK and Canadian residents. Equifax said it had discovered the intrusion on 29 July, some six weeks before going public. The stolen data included names, social security numbers, addresses and birthdates and, for a subset of consumers, credit card and driver's licence numbers.
Equifax responded by setting up a brand-new site, www.equifaxsecurity2017.com, where consumers could check whether they had been affected and read more about the incident.
Soon after, Equifax's official Twitter account repeatedly tweeted a link to www.securityequifax2017.com, a look-alike domain that Equifax did not own.
Fortunately for Equifax's consumers, the look-alike site had been registered by a software engineer who wanted to demonstrate how easy the real site was to imitate and to expose the weakness in Equifax's incident response. No further harm came to the already-exposed consumers, and Equifax was left with yet more embarrassment. Had a criminal registered the domain first, Equifax's own account would have been driving victims to a phishing page.
So what did Equifax do wrong?
One of Equifax's biggest mistakes in responding to the breach was publishing its breach information on a brand-new domain instead of under its main domain, equifax.com.
Why? Phishers have been registering look-alike domains and cloning big companies' websites for as long as phishing has existed. That is why so many major corporations defensively register the common misspellings and permutations of their own domain names.
A phisher cannot publish a page under a company's primary domain without first compromising that company's DNS or web servers. So if Equifax had hosted the new page on equifax.com itself, either at a path or on a subdomain, a consumer could have verified it simply by checking that the address ended in equifax.com. A freshly registered domain such as equifaxsecurity2017.com offers no such check: to an ordinary user it is indistinguishable from securityequifax2017.com, since both are unfamiliar, both contain the brand name, and neither has any history. As the tweets showed, even Equifax's own staff could not tell them apart.
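To make the "is this link actually under our domain?" test concrete, here is an added example in Python. It is not code from the original post and not Equifax's own, and it assumes the primary domain is equifax.com: any hostname equal to it or ending in ".equifax.com" is treated as legitimate, while links that merely contain the brand name, or that use a non-ASCII hostname (where homoglyphs can hide), are flagged as look-alikes. It also generates the simple misspellings a company might register defensively, which goes slightly beyond the text. The sample links are constructed, modelled on the real and fake 2017 domains.

```python
"""Check whether a breach-notification link really sits under the primary domain."""
from typing import Optional
from urllib.parse import urlsplit

# Assumption: the organisation's primary domain. Anything equal to it, or a
# subdomain of it, is legitimate; everything else is not, however familiar it looks.
PRIMARY = "equifax.com"


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercased hostname of a URL, or None if it has none.

    urlsplit().hostname drops the port and any "user:pass@" prefix, so the old
    trick "https://equifax.com@evil.example/" resolves to evil.example here.
    """
    if "://" not in url:
        url = "https://" + url  # bare "www.foo.com/path" as pasted into a tweet
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else None


def is_under_primary_domain(url: str, primary: str = PRIMARY) -> bool:
    """True only for the primary domain itself or one of its subdomains."""
    host = hostname_of(url)
    if host is None:
        return False
    # The leading "." matters: "notequifax.com" must not pass.
    return host == primary or host.endswith("." + primary)


def classify_link(url: str, primary: str = PRIMARY) -> str:
    """Classify a link as 'legitimate', 'lookalike' or 'unrelated'."""
    host = hostname_of(url)
    if host is None:
        return "unrelated"
    if is_under_primary_domain(url, primary):
        return "legitimate"
    brand = primary.split(".")[0]
    # A link that mentions the brand anywhere but is not hosted by it is the
    # classic phishing pattern. Non-ASCII hosts are flagged wholesale because a
    # Cyrillic "а" in place of a Latin "a" is invisible to the eye.
    if brand in url.lower() or not host.isascii():
        return "lookalike"
    return "unrelated"


def typo_variants(primary: str) -> set:
    """Single-character omissions and adjacent swaps of the domain label.

    These are the kinds of misspellings a company registers defensively.
    """
    label, _, suffix = primary.partition(".")
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])  # one character dropped
    for i in range(len(label) - 1):
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # adjacent swap
    variants.discard(label)
    return {v + "." + suffix for v in variants}


if __name__ == "__main__":
    # Constructed sample links; the first two are the real and the imitation 2017 domains.
    samples = [
        "https://www.equifaxsecurity2017.com/",
        "https://www.securityequifax2017.com/",
        "https://www.equifax.com/personal/",
        "https://equifax.com.evil.example/",
        "https://equifax.com@evil.example/",
        "https://www.equif\u0430x.com/",  # Cyrillic "а"
        "https://notequifax.com/",
    ]
    for link in samples:
        print(f"{classify_link(link):10}  {link}")
    print(sorted(typo_variants(PRIMARY)))
```

Note that the real equifaxsecurity2017.com is classified as a look-alike, exactly as the fake one is: from the outside, the checker has no way to tell them apart, which is the whole point of the paragraph above.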
This embarrassing misstep strongly suggests that Equifax's incident response planning never extended to how it would communicate a breach. That is an unforgivable oversight for a company that handles the information of over 800 million consumers and more than 88 million businesses worldwide.
Don’t repeat Equifax’s mistake
Whether your business is a small startup or as big as Equifax, it needs to prepare for a data breach. Besides a comprehensive network defence plan, you need the right incident response plan in place. Australia's Notifiable Data Breaches scheme, which comes into effect in February 2018, requires organisations covered by the Privacy Act to notify the Office of the Australian Information Commissioner and the affected individuals of eligible data breaches, and carries substantial civil penalties for serious or repeated non-compliance.
So put monitoring in place that tells you when a breach has happened, and once you have discovered one, be upfront with your customers and notify them as soon as possible, not weeks later.
You also need to establish a message that includes the following information:
- How the leak occurred
- How the leak could affect your customers
- How you will prevent future attacks
- What your company will do to support affected customers
You should also create a web page that keeps your customers up to date. But remember: that page must sit under your company's primary domain, as a path or a subdomain, and be served over HTTPS with a certificate for that domain. Then use exactly that address in every tweet, e-mail and statement, so that neither your customers nor your own staff have to guess which look-alike is real.
As Equifax has shown, a robust incident response plan is a must. Feel free to talk to our experts about putting one together, so that you never find yourself issuing an apology like Equifax's, which did nothing to restore its reputation.