Everyone makes mistakes. And every company might suffer a data breach. After years of examples, two things should be obvious to every company: 1) you will likely be hacked, and 2) you should have an airtight, rock-solid plan for dealing with the aftermath of such an inevitable hack.
Obvious, apparently, to everyone but Equifax.
You can listen to this episode by clicking play below, if the embedded player works for you. If not, click:
You know the basics of what happened after Equifax was hacked. The firm’s website didn’t work, its customer-service phone lines were jammed, it gave out bad advice, it actually linked to a hacker’s page rather than its own site, and so on. Most of all, the firm somehow underestimated how the public would react to the bad news. In episode 3, we chronicled the cascade of errors that led to the “76 days” hackers had their way with Equifax’s data. In episode 4, we chronicle the comedy of errors that marked the aftermath of the hack. You’ll love hearing from the software engineer who cloned Equifax’s breach-response site in about 30 seconds, and suddenly had thousands of victims offering *him* their personal information.
Personal point of order from me: Equifax’s website was (and is!) named EquifaxSecurity2017.com. Remember, this is the site designed to tell people that Equifax was hacked. EquifaxSecurity2017.com is the most Orwellian name possible for such a site. In its attempt to control the language around the incident, Equifax made itself vulnerable to being “hacked” again, in this case by a man who simply registered the domain “SecurityEquifax2017.com.” Because the breach site sat on a brand-new domain rather than under Equifax.com, nothing distinguished the real site from the lookalike except the order of two words. When you play with words, you are playing with fire.
You’ll also hear once again from the “human error” Graeme Payne, the single employee blamed for the hack. And we’ll discuss the golden parachute that former CEO Richard Smith left the company with (HINT: it stretches well into 8 digits).
And you’ll hear more from Ron Lieber, The New York Times reporter who ended up supplying free customer service help to victims who couldn’t get through to Equifax.
Here’s a partial transcript. You can read the entire transcript on Carbonite’s page for the podcast.
ALIA: Moving On After The Worst Breach In History.
Imagine you are Equifax. Dear Listener, you’re in the game now. We’re putting you in!
BOB: You’re the CEO.
ALIA: You’re putting together your plan of attack for how you’re gonna recover from this thing, and you’ve got that first PowerPoint slide. Where do you start? What’s the first issue on deck, Bob?
BOB: Issue #1 – A lot of people are going to want to know if they’ve been breached. You have an initial list of 143 million people whose information you’ve lost – they’re going to want to know if their name is on that list.
ALIA: Your solution: build a website to help people figure out if they’re one of the people who’s been hacked. To do that, you buy a new domain name.
BOB: Which is where Montreal-based software engineer Nick Sweeting comes in:
NICK: …from what I remember, the Equifax breach day, actually it wasn’t that big of a deal in my mind at the time – until I saw that the domain that they registered was not their official domain.
ALIA: They’d bought the new domain name “equifaxsecurity2017.com”. This might not sound like a big deal, but it is – because in the Wild West of the Internet, domain names are important.
NICK: because they represent sort of the root of trust for a company.
ALIA: I trust Equifax.com belongs to the real Equifax, the same way I trust Google.com belongs to the real Google, or CNN.com belongs to the real CNN. So if Equifax had used the main Equifax.com, slash, SecurityBreach2017 or something, I’d know I was in the right place.
NICK: So Equifax threw all of that out the window by buying a brand new domain that doesn’t have any trust associated with it.
ALIA: You’re supposed to go to EquifaxSecurity2017.com…or was it EquifaxSecurityBreach2017.com?
BOB: It’s as if Google sent you to GoogleSearch.com, or CNN created CNNnewsfrom2018.com. I mean, what in the world?
NICK: I realized that basically any old scammer or, or phisher out there could register a similar domain. And I thought, “What the heck,” you know, “I might as well do it myself and make a site to kind of make fun of them.” Um, and so I did that.
ALIA: He selects the almost identical SECURITYequifax2017.com.
BOB: I can’t even remember how the correct one’s different from that.
BOB: Oh, yeah that’s right. I think this is exactly Nick’s point.
NICK: I bought the domain, and I cloned the Equifax website in about 30 seconds.
ALIA: It’s identical to the original site, except for the results page – once you type in your Social Security Number to see if you’ve been affected, it says:
NICK: “Ha ha, you’ve been bamboozled. This is a fake site. Go tell Equifax that they should host this on a real domain and not some cheap domain.” Just to make it clear that I wasn’t actually trying to get anyone’s info.
ALIA: Yeah. You weren’t like tricking people.
NICK: Well, I was sort of tricking people, but not maliciously. I didn’t keep any of the data that they gave me.
ALIA: He makes sure that no one’s data will be stored on his site, then he puts it out in the world.
NICK: …and then kind of forgot about it for a week.
ALIA: The site has a pretty high hit-rate. He later figures out that in a 2-3 hour period it got 250,000 hits. He keeps it up for a couple weeks, hopes it teaches Equifax (or someone) a lesson about registering new domains, and that would have been all. But then –
NICK: On September 20th, so about two weeks later…
ALIA: Equifax tweets eight links to SecurityEquifax2017.com – Nick’s site.
NICK: And the way I found out is that someone on Twitter mentioned it to me. They said, “Hey, have you noticed that Equifax has been tweeting out links to your site?” It went viral, it got published everywhere, the media started contacting me…
ALIA: And then he discovers –
NICK: Not only had they been tweeting it, but it was in their official marketing materials that were being auto-completed by their social media management application.
ALIA: So Equifax has support reps all across the country responding to people, typing in the first few letters, and then the Equifax-approved message auto-completes with a link to Nick’s fake website.
NICK: Yeah. And Google blacklisted the site across all browsers with their safe browsing initiative at around 4:00 PM. So it all took place in the span of a few hours.
ALIA: How much time did it take you and how much money did it cost you to create this website?
NICK: (laughs) Uh, somewhere in the range of, of I think 10-15 dollars total. And then the day of, my whole day was gone because it was going viral and the media was contacting me.
ALIA: Oh my God. What do you make of that?
NICK: (laughs) Well, it’s, it’s great to see that people can make such a powerful statement with, with very little money and time investment.
ALIA: For Nick, it’s not just the one mistake of buying a new domain that bothers him – it’s the lack of accountability for big companies when they don’t take security seriously. His end goal was some kind of accountability, even in the form of trolling.
NICK: But, uh, I think naming and shaming is one of the few things that works for big companies in the security space. Uh, you really have to point out when someone has made a mistake, make it public, and do it in a responsible way. I have no hope for Equifax fixing their security, but hopefully some other company will learn from their mistake, and this doesn’t happen again.
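The two failures described above, a breach site on a freshly registered domain with no trust behind it, and a company's own social-media tooling auto-completing a link to the lookalike, both come down to one missing control: nothing checked that links going out under the Equifax name pointed at a domain Equifax actually owns. The following is an added example, written for this page and not code from the podcast, Equifax or Nick Sweeting. It assumes a hypothetical allowlist of owned domains (`OWNED_DOMAINS`), a tiny stand-in for the Public Suffix List, a set of brand tokens, and three constructed sample messages; real deployments would load the full suffix list and the company's real domain inventory.

```python
import itertools
import re
from urllib.parse import urlsplit

# Assumed allowlist for this example: the domains the company actually controls.
OWNED_DOMAINS = {"equifax.com"}

# Stand-in for the Public Suffix List; a real deployment loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Brand tokens (assumed) used to generate token-shuffled lookalike domains.
BRAND_TOKENS = ("equifax", "security", "2017")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Return the registrable part (eTLD+1) of a hostname.

    'www.equifax.com' -> 'equifax.com'; 'a.b.example.co.uk' -> 'example.co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # longest public suffix wins, so 'co.uk' beats 'uk'
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def is_first_party(url, owned=OWNED_DOMAINS):
    """True only when the URL's host is an owned domain or a subdomain of one.

    A substring test such as 'equifax' in host would accept
    equifax.com.evil.example and securityequifax2017.com; this does not.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return registrable_domain(parts.hostname) in owned


def lookalike_variants(tokens=BRAND_TOKENS, tld="com", separators=("", "-")):
    """Every ordering of the brand tokens, joined with or without hyphens.

    This is the 'securityequifax2017' vs 'equifaxsecurity2017' problem: once a
    brand's breach site lives on a token-assembled domain, every permutation
    is equally plausible to a victim.
    """
    variants = set()
    for perm in itertools.permutations(tokens):
        for sep in separators:
            variants.add(sep.join(perm) + "." + tld)
    return variants


def audit_message(text, owned=OWNED_DOMAINS, tokens=BRAND_TOKENS):
    """Return (url, verdict) for every link in an outbound message.

    Intended as a pre-publish gate for templated social-media replies, so a
    lookalike can never be auto-completed into a customer-facing message.
    """
    suspicious = lookalike_variants(tokens)
    findings = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:)")  # drop trailing sentence punctuation
        host = urlsplit(url).hostname or ""
        if is_first_party(url, owned):
            findings.append((url, "ok: first-party domain"))
        elif registrable_domain(host) in suspicious:
            findings.append((url, "block: brand-token lookalike, not an owned domain"))
        else:
            findings.append((url, "block: third-party domain"))
    return findings


# Constructed sample messages, modelled on the situation the episode describes.
SAMPLE_MESSAGES = [
    "Learn more at https://www.equifax.com/securitybreach2017.",
    "Visit https://www.equifaxsecurity2017.com to check if you were affected.",
    "Please see https://securityequifax2017.com for more information.",
]


def audit_all(messages=SAMPLE_MESSAGES):
    return [audit_message(m) for m in messages]


if __name__ == "__main__":
    for message, findings in zip(SAMPLE_MESSAGES, audit_all()):
        print(message)
        for url, verdict in findings:
            print("   ", url, "->", verdict)
```

Note that the gate flags Equifax's genuine breach site exactly as it flags the clone: from the checker's point of view, and from a victim's, a brand-new token-assembled domain is indistinguishable from the lookalike, which is the point Nick makes above. The only link that passes is the one hosted under the domain the company already owns.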