Is Edelman doing a good job advising Equifax on how to handle the privacy breach crisis? originally appeared on Quora: the place to gain and share knowledge, empowering people to learn from others and better understand the world.

Answer by Dan Tynan, Tech journalist & humorist, on Quora:

If this is how Edelman advised Equifax to handle this, then they both should be flogged. I mean, literally. I'd be happy to take a few cracks at them.

This may be the worst response to a security breach ever, and one of the worst crisis management campaigns of all time. Everything about it is messed up, from the timing of the announcement, to the site set up for checking if you are affected, to the remedy, with all stops in between:

First, they ask people to come to a site with a suspicious URL — equifaxsecurity2017 — the exact kind of URL a smart phishing operation would set up. My anti-malware software initially blocked me from accessing that site for that reason.

Then they ask people to submit their last name and final six digits of their Social Security Numbers. Great. A company that just announced that it doesn’t know squat about security wants you to re-enter the information that may have been stolen. Brilliant!

Then it turns out that the ‘potential impact’ checker appears to respond to randomly generated names and numbers as if they were real (I was able to repeat this several times with different names and made up numbers).

Then, regardless of whether it determines that you “may have been impacted” or not, it encourages you to enroll in Equifax TrustedID Premier service. (And when you do, it tells you to come back in four days. Why? Who knows?)

Then there is the question of whether, by enrolling in TrustedID (a misnomer if ever there was one), you are giving up your rights to participate in a class action suit against the company. Language implies yes, but Equifax issues a vaguely worded denial, followed by a slightly stronger denial. Damage done, however.

The PIN you are given when you enroll is simply a date and time stamp of when you do it — narrowing the ability of attackers to guess this 10-digit number from 1 in a billion to 1 in 5000.

Did I mention the part where three top Equifax executives dumped $1.8 million worth of stock before the news of the hack went public? Purely a coincidence, they say. We’ll see what the SEC investigation has to say about it.

Since all that news became public, Equifax has backtracked. For example, they say they changed the PIN generation system to be more random. The company just published a new FAQ that makes some of the issues about lawsuits, etc. more clear. And they claim they won’t automatically roll over the free year of credit monitoring to a paid account (though they say nothing about attempts to upsell or convert to a paid account at the end of that year).

Also since then, the company announced that its chief information officer and chief security officer are ‘retiring’. No word on what kind of retirement package they’ll receive.

It also turns out that the cause of the hacks was a critical vulnerability that became public last March. Equifax admits to learning of the vulnerability then, but has been extremely vague as to why its systems continued to remain unpatched. (And we also discover that there was a second, earlier hack.)

My question: Why is CEO Richard Smith not being fitted for a tar-and-feathers overcoat? If the buck doesn’t stop at his desk, where does it stop?

It's like they hired Eric Trump to come up with this. It is that bad. And the worst part is there is nothing any of us can do. We can't take our business elsewhere — none of us chose to do business with Equifax (or Experian or Transunion) in the first place. We can’t opt out, though I strongly feel that needs to be an option. I would happily give up my ability to have my credit/background checked via Equifax if that meant I could take my information back. I’m sure I’m not alone.

Frankly, we need legislation that requires companies that handle sensitive information like this to go through security compliance testing. We need a “Good Security Seal of Approval” issued via an independent authority. Simply saying “we take strong measures to secure your information” in your privacy policy isn’t good enough anymore, because clearly that is horse dung.

We also need a way to encrypt this information that puts the decryption keys in the hands of consumers. No more selling data to third parties for ‘pre-approved credit offers’. If someone wants to know what my credit history is, they can ask me.

But this Congress can’t pass a decent fart, let alone reasonable legislation. And Trump is more likely to issue Equifax’s CEO a presidential medal of freedom than what he deserves — some time on the unemployment line, sans parachute.
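The PIN point made in the answer above (a PIN that is just the enrollment date and time) is worth seeing in code. The block below is an added example and is not part of the Quora answer, nor is it Equifax's or TrustedID's actual code. It assumes the weak scheme formats the enrollment timestamp as `MMDDYYhhmm` (a constructed assumption that happens to yield ten digits), contrasts it with a CSPRNG-based PIN, counts how many distinct PINs each scheme can produce when the attacker knows the enrollment window, and includes the audit check a reviewer would run: does a given PIN parse as a valid timestamp at all?

```python
"""Added example (not from the Quora answer or from Equifax/TrustedID).

Assumptions, all constructed for illustration:
  * the weak scheme encodes the enrollment time as MMDDYYhhmm;
  * the attacker knows enrollment happened inside some time window.
"""
from datetime import datetime
import math
import secrets


def timestamp_pin(enrolled_at: datetime) -> str:
    """Weak scheme: the 'PIN' is the enrollment timestamp, minute resolution."""
    return enrolled_at.strftime("%m%d%y%H%M")


def timestamp_candidates(window_start: datetime, window_end: datetime) -> int:
    """How many distinct weak PINs exist for enrollments inside a window.

    The format has minute resolution, so there is one candidate per minute
    (inclusive of both ends); the 10 digits of apparent keyspace collapse
    to the length of the window in minutes.
    """
    minutes = int((window_end - window_start).total_seconds() // 60)
    return minutes + 1


def random_pin(digits: int = 10) -> str:
    """Hardened scheme: uniformly random digits from the OS CSPRNG, zero-padded."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def random_candidates(digits: int = 10) -> int:
    """Every digit string of the given length is equally likely."""
    return 10 ** digits


def is_timestamp_shaped(pin: str) -> bool:
    """Audit check: does this 10-digit PIN parse as a valid MMDDYYhhmm timestamp?

    A generator that only ever emits timestamp-shaped PINs is the defect the
    answer describes; a CSPRNG emits such strings only occasionally by chance.
    """
    if len(pin) != 10 or not pin.isdigit():
        return False
    try:
        datetime.strptime(pin, "%m%d%y%H%M")
    except ValueError:
        return False
    return True


def compare(window_start: datetime, window_end: datetime, digits: int = 10) -> dict:
    """Summarise the guessing work for both schemes in bits and raw counts."""
    weak = timestamp_candidates(window_start, window_end)
    strong = random_candidates(digits)
    return {
        "weak_candidates": weak,
        "strong_candidates": strong,
        "weak_bits": math.log2(weak),
        "strong_bits": math.log2(strong),
    }


if __name__ == "__main__":
    # Constructed window: one day of enrollments.
    start = datetime(2017, 9, 7, 0, 0)
    end = datetime(2017, 9, 8, 0, 0)
    print("weak PIN for 2017-09-08 14:30 :", timestamp_pin(datetime(2017, 9, 8, 14, 30)))
    print("timestamp-shaped?            :", is_timestamp_shaped(timestamp_pin(datetime(2017, 9, 8, 14, 30))))
    print("random PIN                   :", random_pin())
    for k, v in compare(start, end).items():
        print(f"{k:>18}: {v}")
```

Run as a script it prints both PINs and the candidate counts for the constructed one-day window; the weak scheme yields a search space of a little over 10 bits, versus about 33 bits for ten random digits. The `is_timestamp_shaped` check is the kind of test a reviewer can run against a sample of issued PINs without knowing how the generator works: if every sample parses as a valid date and time, the generator is not random.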