Not much to admire in Equifax case

A lot of people suddenly feel pretty socially insecure. Forty-one days after it happened, Equifax, one of three major U.S. credit bureaus, disclosed to the public that on July 29 it fell victim to a massive cyber-security leak that could potentially impact 143 million U.S. consumers.

The company said it believes consumers’ personally identifiable information was exposed — including Social Security numbers, names, dates of birth, addresses, credit card numbers, and potentially driver’s license numbers.

Upon discovering the breach, Equifax immediately hired an outside forensics firm to investigate and assess impact. While the FBI investigation is still ongoing, representatives of the company believe the attacker(s) gained access to certain files by exploiting an application vulnerability.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” said Equifax chairman and CEO Richard F. Smith.

Equifax says that if you fear your information may be compromised, you should visit Equifax Security 2017 to see if you were affected by the breach. Once you enter your name and last six numbers of your Social Security number, you’ll be able to see if your information was compromised.

Additionally, the company through November 2017 is allowing consumers to enroll in TrustedID Premier, a three-credit bureau monitoring service, also managed by Equifax, which will send the individual a message alerting them to whether or not their information has been compromised.

Interestingly, according to Bloomberg news, three days after the breach Chief Financial Officer John Gamble sold shares worth $946,374; Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099; and Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. The company indicated these executives were not informed of the breach at the time. Ironic? The Securities and Exchange Commission is investigating the potential of insider trading as it pertains to these three executives.

This is a huge wake-up call not just to Equifax but also to its competitors, TransUnion and Experian, that anyone can fall victim to a cyber attack — especially a company that monitors and maintains almost the entire country’s personal information. These next few weeks will be essential in how Equifax and the FBI approach this serious attack and what data breach prevention policies (if any) are implemented and carried out.

Even more frightening is the company’s decision to wait 41 days after discovering the attack, and launching its investigation, to inform the general public that people’s entire identities and financial information could have been exploited and potentially sold on the black market.

“I apologize to consumers and our business customers for the concern and frustration this causes,” said chairman Smith.

But when it comes to personally identifiable information, is a blanket apology like this enough to justify the delay in releasing this information critical to potentially half the nation’s consumers? We will find out.

Remember: It's not if a company will fall victim to an attack, it's when. Companies should plan to be attacked at any given time. To think otherwise is detrimental to any corporate structure and its consumer base.

Andrew Rossow is a Dayton attorney who specializes in cyber law and privacy issues. He’s a frequent contributor. This column was originally published at The Huffington Post.