The hits just keep on coming. In the weeks since Equifax disclosed its breach, the company has fumbled its PR response so badly, it’s going to be an object lesson in crisis management for decades. We first learned Equifax was breached because it failed to patch a bug that had been repaired two months previously. But every aspect of the company’s response has been abysmal, particularly given that it had over a month to prepare.
The latest news is that the company is so inept, it’s been directing people to a white hat phishing site specifically intended to test the company’s security response. Oh — and Equifax suffered a major security breach months before the one that stole 143 million records on almost every adult in the United States. It even may have been perpretated by the same group of people, though that’s still under investigation.
The company’s CIO and the aforementioned chief security officer have already resigned, but these latest revelations could cause more heads to role. According to Bloomberg, Equifax noticed it was under attack in early March and worked with Mandiant to plug the hole. The details of this breach have not been disclosed to the public, but the implication is clear: Equifax was already under attack when it was breached again in May, and should have implemented stronger security protocols as a result. The only reason the company was breached was because it failed to patch Apache Struts, even after a critical flaw was discovered in the program.
Phishing for Tweets
The other major headache for Equifax is that it’s been tweeting the wrong URL to customers asking where to go for help and information. While we don’t have a tally of how many people were misdirected, the company told people to visit SecurityEquifax2017.com on multiple occasions. Tim is likely in a lot of trouble:
The actual website for Equifax’s failure is equifaxsecurity2017.com.
The best part of all this? Equifax is highly unlikely to face any kind of penalty for dumping everyone’s permanent information online. After all, it was the victim in this attack. Apart from an investigation into the three executives who sold stock after Equifax learned about the breach, and some various class action lawsuits against the company, there appears to be little in the way of law that would punish it.
It’s just the latest and most egregious example of how people are told that their data is simultaneously worthless and incredibly valuable. Companies and governments want the right to mine every single aspect of your life for information that can be monetized or saved for later consultation, but they don’t want you to think this information has any value whatsoever. If you did, you might care what happened to it.
Now read: 20 Best Privacy Tips