The United States Senate has been looking into last year’s breach at credit reporting agency Equifax. It has sent a letter to Equifax’s interim CEO, Paulino de Rego Barros Jr, saying the company provided Congress with misleading, incomplete or contradictory information. Among the Senate’s accusations are the allegations that the scope of the breach was understated, that the breach was the result of a series of failures, and that the aftermath was botched.
You can read the full letter here.
With new Data Breach Notification laws coming into effect in Australia next week, the allegations made by the US Senate are a useful reminder that you need to be clear in disclosing what data was exposed in a breach.
For example, the committee says Equifax told it which data tables containing PII were accessed, but that Equifax’s evidence omitted details such as passport numbers, which Equifax had said were not compromised.
Equifax has been asked to answer four questions covering exactly what data was accessed, a complete timeline of the breach and the responses to it, and what steps have been taken to notify all affected parties.
In short, this is the sort of information companies need to be ready to provide when the notification laws come into effect next week.
If you’re looking for a good model of how to react to a breach, I suggest a thorough review of the Red Cross Blood Service breach from 2016. Once notified, the Red Cross Blood Service identified the source of the leak, shut it down, and notified all affected parties by email, text message and public statements.