When it comes to security, it’s better to be safe than sorry. But as the Equifax leak has taught us, once a security breach does happen, it’s best not to be sorry twice. Read on so your business doesn't experience the same fate as the giant, bumbling credit bureau.
What happened to Equifax?
Equifax, one of the big three American credit agencies announced in September 2017 that its database was hacked. Resulting in a leak of around 143 million US consumers' private data. Data including names, social security numbers, addresses, birthdates, credit card, and driver’s license numbers.
Equifax responded by setting up a new site, www.equifaxsecurity2017.com, to help its customers determine whether they had been affected and to provide more information about the incident.
Soon after, Equifax’s official Twitter account tweeted a link that directed customers to www.securityequifax2017.com, a fake website.
Fortunately for Equifax’s customers, the fake site was set up by a software engineer who wanted to use it for educational purposes and to expose flaws in Equifax’s incident response practice. So, no further harm was done to the already-damaged customers, and Equifax is left with even more egg on their face.
So what did Equifax do wrong?
One of the biggest mistakes Equifax made in responding to its breach was setting up a new website to give updated information to its consumers outside of its main site, equifax.com.
Why was this a mistake?
Since the invention of phishing scams, hackers have been creating fake versions of big companies’ websites. That’s why now days many major companies buy domains that are the common misspellings of their real site.
Phishers can’t create a web page on a company’s main domain, so if Equifax’s new site was hosted on their own website instead of outside, it would have been easy for customers to tell whether the new page was legitimate and not be easily fooled by a fake website name.
What’s obvious from this embarrassing misstep is that Equifax had never planned for a data leak. And this is an unforgivable oversight by a company that handles the information of over 800 million consumers and more than 88 million businesses worldwide.
Don’t repeat Equifax’s mistake
Whether your business is a small startup or as big as Equifax, it needs to prepare for a data breach. Besides having a comprehensive network defense plan, you also need to have the right incident response plan in place.
So what you should do after you’ve discovered the leak? First of all, be upfront with your customers and notify them as soon as possible.
You also need to establish a message that includes the following information:
- How the leak occurred
- How the leak could affect your customers
- What you will do to prevent future attacks
- What your company will do to support affected customers
You should also create a web page to keep your customers up to date. But remember, the new web page should be under your company’s primary website name.
As we’ve seen from Equifax, an incident response plan that's robust is a must. That's where our experts can help. So you won’t have to repeat Equifax’s apologetic statement, since it doesn’t help the company redeemged reputation at all.