This week the company to which so many of us have, with little real choice, handed our most sensitive information, Equifax, disclosed that it has been compromised. That breach has the potential to ruin a great many lives, perhaps for a lifetime.
Equifax is one of the three big credit reporting companies and holds personally identifiable information (PII) on roughly 143 million people in the USA (the figure Equifax first disclosed), plus an undisclosed number of people in Canada. In the UK the number of people affected has been reported as high as 44 million, in a country of 65 million, an astonishing percentage. The exposed PII includes names, birth dates, addresses, social security numbers and, for some, driver's licence numbers: everything a bad actor needs to begin impersonating you. The same data is used to underwrite loans, credit cards and mortgages, and it dictates the interest rates you are charged.
What caused the breach at Equifax?
As of this writing, Mandiant (a FireEye company since 2014) is rumored to be handling the forensics on this compromise. Quite likely, a brigade of vendors is at the scene of the crime.
Very early on, Brian Krebs, one of the foremost cyber journalists in the world, predicted what Equifax would say about the breach. He postulated that they would say that they “may have fallen behind in applying security updates to their Internet-facing Web applications”.
Why? Because this excuse is increasingly treated as less culpable simply because it is offered so frequently. We have become desensitized to the active negligence involved in not keeping systems patched. Virtually every day another company is breached through an unpatched system, and Equifax, after all, is just one more.
We cannot, and should not, accept a situation in which the simplest security hygiene is considered too onerous or is easily overlooked, and has therefore become just "normal noise".
Brian was right. Equifax promptly blamed an unpatched Internet-facing web application built on Apache Struts, and early coverage read that as blaming Apache for the vulnerability; the Apache Struts project pushed back, pointing out that a fix for the flaw had been available for months. Early speculation centred on CVE-2017-9805, a deserialization bug in the Struts REST plugin that was only disclosed on 5 September 2017, but Equifax subsequently confirmed that the flaw exploited was CVE-2017-5638 (Struts advisory S2-045), a remote code execution bug in the Jakarta Multipart parser that Apache disclosed and fixed in March 2017 in Struts 2.3.32 and 2.5.10.1. Reuters reported that an Apache spokeswoman said it appeared Equifax had not applied patches for flaws discovered this year. That would be all of 2017!
Chalk up yet another breach to poor patching. Keeping Internet-facing systems patched is security 101: the Struts fix Equifax needed had been public since March 2017, roughly two months before the intrusion began in mid-May.
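What "security 101" looks like in practice for this particular flaw is two short checks a defender could have run the week the advisory came out. The following is an added example, not code from the original post or from Equifax or Apache: it checks a deployed Struts 2 version against the affected ranges published in advisory S2-045 for CVE-2017-5638 (fixed in 2.3.32 and 2.5.10.1), and it scans an access log for the tell-tale malformed Content-Type header that carried the OGNL payload. The log format (an Apache-style line whose last quoted field is the Content-Type request header) and every log entry in it are constructed for illustration; the OGNL fragments are shortened stand-ins for a real payload, not a working exploit.

```python
"""Two post-advisory checks for the Apache Struts flaw Equifax later named,
CVE-2017-5638 (Struts advisory S2-045): a version-range check against the
fixed releases, and a log scan for the malformed Content-Type header that
carried the OGNL payload. Added example; the log format and entries below
are constructed for illustration and are not Equifax data."""
import re

# Affected ranges from the S2-045 advisory; fixed in 2.3.32 and 2.5.10.1.
AFFECTED_23 = ((2, 3, 5), (2, 3, 32))      # [2.3.5, 2.3.32)
AFFECTED_25 = ((2, 5), (2, 5, 10, 1))      # [2.5,   2.5.10.1)


def parse_version(version):
    """'2.5.10.1' -> (2, 5, 10, 1); Python tuples compare the way versions do."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_struts(version):
    """True if this Struts 2 version falls inside an S2-045 affected range."""
    v = parse_version(version)
    for low, high in (AFFECTED_23, AFFECTED_25):
        if low <= v < high:
            return True
    return False


# Constructed Apache-style access log whose last quoted field is the
# Content-Type request header (as you would get from a LogFormat that
# appends "%{Content-Type}i"). The OGNL fragments are shortened stand-ins.
SAMPLE_LOG = """\
10.0.0.1 - - [10/Mar/2017:09:01:12 +0000] "POST /account/login.action HTTP/1.1" 200 512 "application/x-www-form-urlencoded"
10.0.0.2 - - [10/Mar/2017:09:01:40 +0000] "POST /upload.action HTTP/1.1" 200 88 "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"
203.0.113.7 - - [10/Mar/2017:09:02:45 +0000] "GET /index.action HTTP/1.1" 200 3021 "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id')}"
198.51.100.9 - - [10/Mar/2017:09:03:02 +0000] "GET /index.action HTTP/1.1" 200 3021 "${#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Probe','1')}"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ctype>.*)"$'
)

# A legitimate Content-Type never contains an OGNL expression opener or the
# OgnlContext / member-access references the S2-045 payloads relied on.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#_memberAccess|@ognl\.OgnlContext")


def find_ognl_content_type(log_text):
    """Return (client_ip, path, header_prefix) for each request whose
    Content-Type header looks like an OGNL injection attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: flag elsewhere, do not guess here
        ctype = m.group("ctype")
        if OGNL_MARKERS.search(ctype):
            hits.append((m.group("ip"), m.group("path"), ctype[:32]))
    return hits


if __name__ == "__main__":
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(ver, "vulnerable" if is_vulnerable_struts(ver) else "patched")
    for ip, path, head in find_ognl_content_type(SAMPLE_LOG):
        print(f"OGNL in Content-Type from {ip} to {path}: {head!r}")
```

The version check is the one to run across every Struts deployment the day an advisory lands; the log scan is the retrospective question, "was anyone already throwing this at us before we patched?" Both are deliberately strict about what they match, because the point of the exercise is a yes/no answer you can act on, not a heuristic that generates more noise.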
Even before this massive breach, Equifax was lobbying to keep consumers from being able to sue it. Nor was this its first breach. According to Krebs, Equifax's TALX payroll and tax services division had its employee portal compromised in 2016 and 2017, with fraudsters resetting account PINs by answering knowledge-based questions.
And now Equifax, the same company that lost your data, invites you to sign up for one year of free credit monitoring through, who else, Equifax, via its own TrustedID Premier service. To enrol you have to enter more personal information into its web form (your last name and the last six digits of your social security number). The proposal amounts to: "We would like more information from you to protect the information which we lost!" Great.
When you sign up for monitoring, two things happen. First, the terms of service contained an arbitration clause waiving your right to sue, buried in the legal mumbo-jumbo. After a storm of criticism, Equifax said that clause will not apply to this incident, and it now faces class-action litigation seeking as much as $70 billion. Second, and what is really appalling, those who sign up are likely to be solicited before the year is over to extend their monitoring with Equifax, a potential new revenue stream for the company whose chief information officer and chief security officer retired within days of the disclosure. And let's not even talk about the Equifax executives who sold their stock after the intrusion was discovered and before it was disclosed to the public.
It is time that we as consumers demanded more from those that hold our data. In that respect the European GDPR will carry punitive penalties for companies that do not safeguard data appropriately: fines of up to 4% of global annual turnover or 20 million euros, whichever is higher, plus a duty to notify the supervisory authority within 72 hours of becoming aware of a breach. Compare that with Equifax, which discovered the intrusion on 29 July and did not acknowledge it until 7 September, roughly six weeks later.
As Bob Dylan would say, beginning May 25, 2018 when GDPR kicks in, at least for Europe "The Times They Are a-Changin'". The US needs to step up with similar legislation. Otherwise we have many more Equifax hurricanes in our future.