Spinning the benefits of a $700 million data breach fine - Equifax CEO gives it a go

By Stuart Lauchlan, July 26, 2019
Summary:
Slapped with a $700 million fine, Equifax's CEO is drinking from a Kool Aid glass that's very much half full.


It’s been a week for corporate apologizing around data privacy and security. Following Facebook’s latest mea culpa-ing exercise, it was credit agency Equifax’s turn to spin the benefits of being on the receiving end of the Federal Trade Commission’s (FTC) largest data breach settlement to date.

No-one can deny that CEO Mark Begor did his best as he enthused:

This is a very positive step forward for Equifax…This resolution allows us to fully focus on the future.

Whether that future is built on a more secure foundation is another question…

Flash back to September 2017 and Equifax confirmed a data breach that saw the leaking of personal information of around 147 million people, including some 145.5 million Social Security numbers and 209,000 payment card numbers, complete with expiration dates.

Equifax had already been fined in the UK by the Information Commissioner’s Office to the tune of £500,000, but it was to the FTC that attention inevitably turned. It didn’t disappoint, ordering the firm to pay up to $700 million in compensation and civil penalties. That’s considerably more than the previous largest penalty of $148 million that was laid down on Uber last year.

But then the scale of the Equifax breach and the company’s alleged behavior is also considerably larger. The FTC has ruled that the firm was warned in March of 2017 of a vulnerability in its Equifax Automated Consumer Interview System (ACIS), which allows customers to check their credit reports. Although a patch order was issued to address the problem, the FTC found that no follow-up took place to check that this had been deployed. It hadn’t, and as a result hackers had open access to data for months, much of it held in unencrypted plain text.

All of that led to FTC Chairman Joe Simons determining on Monday:

Equifax failed to take basic steps that may have prevented the breach.

The future 

Flash forward to yesterday and CEO Begor was drinking from a Kool Aid glass that he pitched as very much half full:

Monday's announcement was a real milestone and pivot for Equifax, which allows us to fully focus on operations, driving growth in our EFX 2020 technology and data security transformation.

It certainly gets a monkey off the company’s back, although the firm is not entirely in the clear yet. Begor pitched the creation of a “single consumer restitution fund that will be available to pay consumer benefits and legal fees and expenses” as a win for consumers, insisting that it was “a real priority” for Equifax.

But there are still outstanding concerns that could see future problems, most notably flagged up when Begor admitted:

We have not identified any instances of data being used for identity theft purposes or the data that was stolen being sold on the Dark Web.

That’s got the potential to come back and bite.

Cloud migration 

The FTC settlement also requires Equifax to boost its cyber-security systems, which throws focus onto the $1.25 billion EFX 2020 technology and security transformation program Begor mentioned above. This is a wide-ranging initiative built around a central plank of migrating data and applications to the Google Cloud Platform (GCP).

There are some specific programs under the main umbrella, such as moving the Renaissance consumer support system onto a virtual private cloud and deploying Salesforce in a Genesys contact center.

But underlying everything is the intent to build a standard data fabric on GCP. Begor said that the data fabric pattern, including the full security stack, is now on GCP and available for the firm’s various business units to begin to migrate their individual systems.

From the start of this month, it will be standard procedure for new datasets to be integrated into the cloud data fabric, he added:

We are at a place where our migrations are now beginning to be tied to new customer workloads, so we will continue to update our delivery to align to near-term customer projects. Moving from siloed databases - in the US, for example, we have close to 50 siloed databases - to a single data fabric in the cloud will enhance the speed and ease of accessing our differentiated data assets for our customers. It will also allow us to add more differentiated alternative data assets to enhance decisioning for our customers.

As a case in point, he cited the myEquifax consumer portal, which is now being populated with consumer accounts. This will, according to Begor, improve customer service levels, but also enable cross-sell capabilities for the sales teams, something that’s an additional benefit:

While many of the support applications are customer facing, they are expected to significantly enhance the efficiency of our sales organization as well as the operational effectiveness of our client delivery and call center teams….We continue to be energized about the benefits that will be delivered by the cloud transformation to both our top and bottom lines.

My take

Not quite a case of ‘in one bound he was free’, but a brave attempt by Begor. There was no specific apology on offer now that the FTC’s decision has been made - sorry really was the hardest word? - and the spin around how much better things are going to be as an inadvertent result of the data breach is a premise that 147 million people might struggle to find favor with.

But there are positives to be taken away. The FTC did bare its teeth on this one and in so doing has sent a warning shot over the bows of other organizations. There was a good story to be told around the EFX 2020 transformation program anyway, but it’s going to get a lot more scrutiny now that the FTC findings of inadequate processes and practices have been made public. That’s also no bad thing.