Mike McCormick
Open Letter to Equifax
Updated: Nov 29, 2022
In the aftermath of the most serious consumer data theft in US history, steps you take to restore the trust of consumers, customers, and investors are critical. Frankly, you seem to be off to a rocky start.
Here are ten things you can do to rebuild trust:
1. Stop asking for the last six digits of the SSN on www.equifaxsecurity2017.com. The breach already undermined SSN privacy enough. Why not “eat your own dog food” and use your FraudIQ® Authenticate service instead?
2. Waive the fee on security freezes. People affected by the breach shouldn’t have to pay you $5 to $10 to protect themselves.
3. Stop using today’s date as a secret PIN. After consumers pay to place a security freeze, you give them a PIN whose first six digits are today’s date (mmddyy). That’s a rookie mistake that compounds the damage. Issue random PINs instead.
4. Let users change their PIN for free. Let those who already received a weak date-based PIN (see #3) change it to a PIN of their choosing. Today you offer PIN changes via postal mail for an additional $5 to $10. Move the process online and make it free. Notify current PIN holders that it’s available.
5. Make legal agreement retroactive. Consumers who used www.equifaxsecurity2017.com in the first week after the breach disclosure had to waive their right to sue Equifax. Commendably, on September 10 you removed the arbitration clause from user agreements and issued a public statement. Now offer consumers who e-signed the original agreement a chance to read and sign an amended agreement that explicitly supersedes the previous one.
6. Investigate insider stock sales. Hire an independent investigator to determine whether Equifax executives who sold stock before the breach disclosure did so with knowledge of the incident. If any did, claw back the proceeds and terminate their employment with cause. Make investigation results public and share them with the SEC.
7. Make a public statement on Apache Struts. Rumors are swirling in the tech community that the breach was enabled by a vulnerability in the Apache Struts Java web framework. The rumors grew so loud that the Apache Foundation was forced to issue a public statement. Thousands of web sites rely on Apache Struts. Publicly share what you know about the role of Struts (if any) in the breach.
8. Encrypt sensitive information. Apply modern encryption or tokenization to consumer PII in your repositories, including SSNs, driver’s licenses, and account numbers, and store the cryptographic keys in hardware security modules.
9. Secure the breach notification web site. Port www.equifaxsecurity2017.com to a more secure platform than WordPress. Upgrade to extended validation (EV) TLS certificates so it won’t trigger browser phishing alerts. Enable certificate revocation checking.
10. Work with government agencies. Share with CFPB and other applicable regulatory agencies details regarding the incident, aftermath, and plans to prevent recurrence. Share with DHS and FS-ISAC, so other financial service providers can protect themselves from attacks. And work closely with IRS because stolen data may be used to file fraudulent 2017 tax returns.
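To put numbers on suggestions #3 and #4, here is an added example (not Equifax's code or the letter's) that flags already-issued PINs carrying the mmddyy prefix, compares the effective keyspace of such a PIN with a uniformly random one, and issues a replacement from the OS CSPRNG. It assumes a 10-digit PIN; the letter only states that the first six digits are the date.

```python
import math
import secrets
from datetime import datetime

PIN_LENGTH = 10  # assumed total length; the letter only says the first six digits are mmddyy


def looks_date_based(pin: str) -> bool:
    """Flag a PIN whose first six digits parse as a valid mmddyy date.

    Intended for auditing a PIN store for the weak pattern described in #3,
    so affected holders can be offered a free replacement (#4).
    """
    if len(pin) != PIN_LENGTH or not pin.isdigit():
        return False
    try:
        datetime.strptime(pin[:6], "%m%d%y")
    except ValueError:
        return False
    return True


def date_pin_bits(window_days: int) -> float:
    """Effective keyspace, in bits, of a date-prefixed PIN when an attacker knows
    the issue date to within `window_days` days: window * 10^(remaining digits)."""
    return math.log2(window_days * 10 ** (PIN_LENGTH - 6))


def random_pin_bits() -> float:
    """Keyspace, in bits, of a uniformly random PIN of the same length."""
    return math.log2(10 ** PIN_LENGTH)


def generate_pin() -> str:
    """Issue a uniformly random PIN from the OS CSPRNG (the fix proposed in #3)."""
    return "".join(str(secrets.randbelow(10)) for _ in range(PIN_LENGTH))


if __name__ == "__main__":
    issued = "0909171234"  # constructed sample: prefix is Sept 9, 2017
    print(issued, "date-based:", looks_date_based(issued))
    print("date PIN, date known to the day: %.1f bits" % date_pin_bits(1))
    print("date PIN, date known to the month: %.1f bits" % date_pin_bits(30))
    print("random PIN: %.1f bits" % random_pin_bits())
    print("replacement:", generate_pin())
```

A freeze placed on a publicly known date leaves only the trailing four digits unknown, so the PIN is roughly a million times weaker than a random one of the same length.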
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.
UPDATE 9-13-2017: 48 hours after we wrote the above letter to Equifax, they addressed two of our suggestions: (#3) They switched to random PINs; (#7) They acknowledged the attackers exploited a known but unpatched bug in Apache Struts.
UPDATE 9-19-2017: Equifax addressed suggestion #2, announcing they will offer security freezes at no cost until November 12. This is retroactive to September 7: if you paid for a freeze after that date you will receive a refund.
UPDATE 9-29-2017: Taproot Security proposed changes to the Fair Credit Reporting Act to better protect consumers from credit agency breaches. See our letter to Congress for details.
UPDATE 3-14-2018: The SEC filed insider trading charges against Equifax CIO Jun Ying, and continues to investigate other executives who sold stock before the breach was disclosed.