This weekend, I spent time trying to clean up from the Equifax data breach. In the era of fake news and fake URLs, I’ve lost a lot of confidence in websites dealing with sensitive information. My experience this weekend shows how the credit bureaus, especially Equifax, miss key CX opportunities to instill confidence in their services. While there is a lot of CX that companies should provide in response to a data breach (Troy Hunt has great advice), I’ll focus on the digital touch points I encountered.
- The equifaxsecurity2017.com URL is suspicious. I would have preferred to see equifax.com/security2017 or security2017.equifax.com. I had to look it up in BetterWhois to see who registered the domain. I know this isn’t foolproof, but I was glad to see the Registrant Organization was Equifax Inc. Note it was registered 17 days before the breach announcement.
- They are using HTTPS. You’d expect that from most websites these days, but you never know!
- For part of Friday, using the TrustedID Premier enrollment eligibility website waived your rights for any future legal action. A few hours later, Equifax clarified the language.
PSA: If you check Equifax's site to see if your data was stolen, you *waive your rights* to sue Equifax or be part of a class action suit. pic.twitter.com/p4AlmmLQ3r — Zack Whittaker (@zackwhittaker) September 8, 2017
- The TrustedID Premier enrollment eligibility website just seemed to be a mechanism to schedule people to come back for enrollment. On Friday night, word got around that the tool displayed the same information regardless of what name and SSN were entered.
What an absolute mess this situation is: "We tested Equifax's data breach checker — and it's basically useless" https://t.co/e9nTHT3Tn9 — Troy Hunt (@troyhunt) September 8, 2017
- The process of signing up for fraud alerts with the three bureaus doesn’t send email confirmations consistently. When making transactions online, I expect emails to my registered address confirming my activity (purchases, address change, login from a new device). It gives me confidence that my request was received and processed.
Equifax did not send an email confirmation and only suggested that I “please print this page and save your Confirmation Number for future reference.”
Experian did send an email, but left out a field documenting the expiration date:
“A temporary fraud alert has been successfully added to your credit report. This alert is scheduled to remain on your credit report until . Print this information for your records.”
TransUnion gave me the most confidence with a professional-looking site and accurate email confirmation.
Unfortunately, more data breaches will occur. Hopefully, companies will take some lessons learned from the Equifax breach to improve the CX of the response and start to repair confidence with their customers.