The weaselly Equifax apology for exposing 143 million customer records due to “application vulnerability”

Photo: Equifax

Thieves “potentially” made off with 143 million consumer records from credit reporting company Equifax. This is the worst data breach ever. The Equifax response is full of vague cover-your-ass statements at the exact moment when consumers most need accurate information.

This is not the largest data breach ever — Yahoo lost data on 1 billion users — but as Ars Technica explains, it’s the worst. The Equifax breach includes full names, birth dates, credit card numbers, and Social Security numbers, the exact information that criminals need to steal identities. Since Equifax tracks so much consumer financial activity, your information is probably in there. Other than the IRS, it’s hard to imagine a collection of consumer information that is more of a threat in the hands of criminals.

Kathy Klotz-Guest has cleverly skewered the company’s hypocrisy in the wake of the breach. I’m going to concentrate instead on the Equifax press release about the breach and where and how it weasels out of clarity and responsibility.

Deconstructing the Equifax explanations, equivocations, and apologies

In what follows, I’ve highlighted the equivocal elements in bold, used italic to identify jargon, and underlined passive voice. The commentary and translation are mine.

Equifax Announces Cybersecurity Incident Involving Consumer Information

No Evidence of Unauthorized Access to Core Consumer or Commercial Credit Reporting Databases

Company to Offer Free Identity Theft Protection and Credit File Monitoring to All U.S. Consumers

September 7, 2017 — Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

Commentary: On the plus side, this release puts the most important facts at the top, including the risk to 143 million consumers. But “cybersecurity incident” sounds like language crafted to lawyers to avoid saying words like breach and theft. Despite investigating this for five weeks, all they can tell us is that the thieves “potentially” (what does that mean?) accessed “certain files.” And unless you’re an expert on what Equifax is and how it operates, it’s not clear what the “core consumer or commercial credit reporting databases” refers to.

Translation: Somebody got into our files and stole data on 143 million people in May, June, and July. We think this happened — we’re not sure. We don’t think they got to see your credit transactions, just the identifying data that they’d need to impersonate you and steal your identity.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.

Commentary: Equifax clearly lists what was probably stolen. The passive voice “were accessed” and “has been impacted” avoid repeated mentions of thieves and criminals. “Primarily” and “limited” are weasel words that have no meaning to the reader. “Application vulnerability” is more jargon for breach or theft.

Translation: We lost everything an identity thief would be looking for: names, Social Security numbers, birth dates, addresses, driver’s license numbers, and credit card numbers for not just Americans, but British and Canadian consumers, too.

Equifax discovered the unauthorized access on July 29 of this year and acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax also reported the criminal access to law enforcement and continues to work with authorities. While the company’s investigation is substantially complete, it remains ongoing and is expected to be completed in the coming weeks.

Commentary: Note the use of vague weasel words like “promptly,” “leading,” and “comprehensive” to make the response sound powerful and quick, despite the fact that Equifax failed to report it to the world for five weeks. The last sentence is a completely vacuous hairball, since there’s no way to understand what part of the investigation is complete, what isn’t, or who is expecting it to be completed.

Translation: We hired somebody to help us review what happened and told the police about it. We’re still investigating.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Chairman and Chief Executive Officer, Richard F. Smith. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.”

Commentary: Equifax gets quickly to the apology and apologize to customers, which is proper. The proper apology is not for “concern and frustration” but for exposing data that has the potential to ruin people’s lives. And to whom is “We pride ourselves on being a leader in managing and protecting data” directed? You fucked up with our data. Calling yourselves a leader right after apologizing is insulting.

Translation: “Protecting your data should have  been our highest priority,” said CEO Richard F. Smith. “We let you down, and it’s going to cause enormous pain. For that, I apologize. Obviously, we’re overhauling our security now.”

Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection. The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers – all complimentary to U.S. consumers for one year. The website also provides additional information on steps consumers can take to protect their personal information. Equifax recommends that consumers with additional questions visit www.equifaxsecurity2017.com or contact a dedicated call center at 866-447-7559, which the company set up to assist consumers. The call center is open every day (including weekends) from 7:00 a.m. – 1:00 a.m. Eastern time.

Commentary: This is straightforward and positive. Unfortunately, the company failed on execution of these offers, despite having weeks to prepare. According to Ars Technica, the site, which requests your name and 6 digits of your Social Security number to check on your account, runs on an inadequately secured stock installation of WordPress and has other security flaws. Klotz-Guest reports that if you call the phone number, they can’t tell you what’s going on with your account.

Translation: We’ll monitor your credit for free, it’s the least we can do. Type your information in right here. Trust us.

In addition to the website, Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted. Equifax also is in the process of contacting U.S. state and federal regulators and has sent written notifications to all U.S. state attorneys general, which includes Equifax contact information for regulator inquiries.

Equifax has engaged a leading, independent cybersecurity firm to conduct an assessment and provide recommendations on steps that can be taken to help prevent this type of incident from happening again.

CEO Smith said, “I’ve told our entire team that our goal can’t be simply to fix the problem and move on. Confronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will.”

Translation: If they stole your credit card numbers, we’ll send you a letter. And we’re trying to do better in the future.

What Equifax should have written

After past critiques, I’ve heard from you that my translations are not appropriate for press releases. That’s fair — I critique to reveal what people are actually saying, not what they should be saying. So how could Equifax actually write this release? Here’s a shot at it.

Equifax Announces Breach of Data on 143 Million US Consumers

Company Offers Free Identity Theft Protection and Credit File Monitoring to All U.S. Consumers

September 7, 2017 — Equifax Inc. (NYSE: EFX) today announced that criminals accessed files with data on 143 million U.S. consumers, including names, Social Security numbers, birth dates, and addresses. The breach happened between mid-May and July 2017. This is a serious problem, because this is the type of data that criminals use for identity theft.

They also accessed some drivers license numbers, credit card numbers for 209,000 U.S. consumers, and dispute documents with personal identifying information for 182,000 U.S. consumers, as well as some information for UK and Canadian residents.

There’s no evidence that they were able to see Equifax’s core consumer or commercial credit reporting databases that include records of financial transactions and credit scores, but this is still the most serious breach of customer data in history.

“I apologize to all consumers — we were charged with protecting your sensitive data, and we let you down,” said Equifax Chairman and Chief Executive Officer Richard F. Smith. “Securing these records should have been our highest priority. I know that criminals using this information will cause pain for many consumers, and that we should have prevented that. I apologize also to our business customers and partners who trusted us to secure this information that we share. I also apologize for the five-week delay in reporting this.”

Here’s what Equifax has done to move forward:

  • Alerted law enforcement and attorneys general in all 50 states.
  • Hired a cybersecurity firm to further investigate the breach and harden our systems for the future.

While there is no way to make up this risk to consumers, Equifax is offering free credit monitoring and identity theft insurance to all U.S. consumers at www.equifaxsecurity2017.com. They can also call the company at 866-447-7559. If the thieves accessed your credit card number or dispute documents, you should be receiving a letter about that.

“We’re part of a trusted financial system,” said CEO Smith, “and we’ve now damaged that trust. We’re investing heavily to repair that problem. I’ll be posting regular updates on our progress.”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

8 Comments

  1. Did you hear how top Equifax execs also dumped big chunks of their stock holdings just prior to announcing the breach?

    August 1st Chief Financial Officer John Gamble – shares worth $946,374 (source: SEC filings)
    August 1st President of US Information Solutions Joseph Loughran – shares worth $584,099 (source: SEC filings)
    August 2nd President of workforce solutions Rodolfo Ploder – shares worth $250,458 (source: SEC filings)

    A friend is working to catalog the info. Pretty shady:

    https://docs.google.com/document/d/1-vsJh7LG9eUDWAoU5HXvPYsrbU5LWFEl1KXP5a0rSO8/edit

  2. Yeah, and in another inside information breach, high-us dumped massive stock holdings before the public announcement. Isn’t that illegal?

  3. Also their TV commercial is atrocious. I read of the hack today and just happened to see their TV ad and then realized I’d seen it before. But w all the soft music and the sweet female voice and the non-understandable references about dark web,I had not paid any attention to it. There is no indication that THIS IS SERIOUS AND YOU NEED TO CONTACT THEIR MONITORING PROGRAM!

  4. There should be a class action lawsuit against them for damages to any and all people whose information was compromised and abused. Also those that profited from the sale of stock knowing that this information would be publicly announced after the fact should be fined and sent to jail. The fines should be five times the amount that they profited from the sale of that stock. Prison term should be a minimum of 5 years per event