The Equifax Debacle

It is difficult to imagine a worse breach handled worse showing more incompetence than the Equifax Debacle. Not only did they leak as many as 143 million U.S. citizen's private information, but Equifax has managed to make it into a scandal with a Keystone Cops response. What was lost? Some names with social security numbers, birth dates, addresses, and some driver's license numbers. In other words, most of what an identity thief would need to steal your identity. Who is at risk, everyone.

Equifax assumes, as of Sep 11, 2017, an additionally 209,000 people's credit card numbers and 182,000 people's dispute records. were also lost. That is U.S. only. There were also records lost for UK and Canadian residents.

Equifax Incompetence Shocking

Equifax blundered in the following ways:

1. Do not patch your software after an underlying vulnerability is made public
Equifax says, "We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638". So, they use Struts and struts had a vulnerability that was properly reported and fixed on March 6, 2017.

2. Do not patch your software even after massive exploits are discovered.
Massive exploits of unpatched Struts systems began on March 9, just 3 days after the patch fixing it was made available. Despite this, Equifax didn't patch their software. They were hacked over two months after the fix preventing the hack was made available.

3. Do not discover the problem quickly
According to Equifax, the breach occurred from Mid-May through July 2017, so for over 2 months while Equifax remained oblivious. It is hard for security experts to understand how massive amounts of unauthorized data could be sent from a system for a long time without the security system setting off alarm bells.

4. Delay telling people until you get your publicity firm in place.
Equifax waited over 5 weeks to make its public announcement. They claim they discovered it on July 29 but waited until September 7 to disclose it. It should have been announced within 48 hours, preferably within 24.

5. Completely blow the consumer mitigation program
The mitigation website was a poorly secured WordPress installation that:

Didn't indicate that the site was Equifax. I was sent to a site for another company I hadn't heard of.
Required more private information than I wanted to provide particularly to a company I didn't know using less than enterprise security for no reason I could determine.
Results to the question of whether you were affected appeared random. Different results were given to the same information. Phony information for non-existent people with false social security numbers often returned that they might be affected and should sign up for their security monitoring.
Was overwhelmed and went down. It frequently asked people to come back in a few weeks.
At first claimed that if we took their 1 year trial we were giving up our right to sue them (this was rescinded after a justified uproar).
The security certificate for the site was not registered so it appeared likely to be a phishing scam (this was later fixed).
The mitigation was to offer to do credit monitoring for 1 year (on a breach that will last a lifetime), using a company owned by them and automatically renewing for a fee after the first year.
The current mitigation website seems to work:

6. Have major executives sell stock before the disclosure.
Three executives sold $1.8 million in stock within a few days of the breach being discovered.

Conclusion

I would not trust their credit monitoring service. I don't want to give them more information. I don't want to have to hassle with them to stop their automatic renewal of their "service" to protect against the damage they inflicted.

I setup security freezes with all four major credit bureaus. That process is outlined here. I also setup a fraud alert as described here.

--

Keeping clients' computers safe and profitable for over 30 years

Home Forms About Current Newsletter subscribe Search All Articles Browse by Category Security Internet Mobile Business Hardware Fun		The Equifax Debacle It is difficult to imagine a worse breach handled worse showing more incompetence than the Equifax Debacle. Not only did they leak as many as 143 million U.S. citizen's private information, but Equifax has managed to make it into a scandal with a Keystone Cops response. What was lost? Some names with social security numbers, birth dates, addresses, and some driver's license numbers. In other words, most of what an identity thief would need to steal your identity. Who is at risk, everyone. Equifax assumes, as of Sep 11, 2017, an additionally 209,000 people's credit card numbers and 182,000 people's dispute records. were also lost. That is U.S. only. There were also records lost for UK and Canadian residents. Equifax Incompetence Shocking Equifax blundered in the following ways: 1. Do not patch your software after an underlying vulnerability is made public Equifax says, "We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638". So, they use Struts and struts had a vulnerability that was properly reported and fixed on March 6, 2017. 2. Do not patch your software even after massive exploits are discovered. Massive exploits of unpatched Struts systems began on March 9, just 3 days after the patch fixing it was made available. Despite this, Equifax didn't patch their software. They were hacked over two months after the fix preventing the hack was made available. 3. Do not discover the problem quickly According to Equifax, the breach occurred from Mid-May through July 2017, so for over 2 months while Equifax remained oblivious. It is hard for security experts to understand how massive amounts of unauthorized data could be sent from a system for a long time without the security system setting off alarm bells. 4. Delay telling people until you get your publicity firm in place. Equifax waited over 5 weeks to make its public announcement. They claim they discovered it on July 29 but waited until September 7 to disclose it. It should have been announced within 48 hours, preferably within 24. 5. Completely blow the consumer mitigation program The mitigation website was a poorly secured WordPress installation that: Didn't indicate that the site was Equifax. I was sent to a site for another company I hadn't heard of. Required more private information than I wanted to provide particularly to a company I didn't know using less than enterprise security for no reason I could determine. Results to the question of whether you were affected appeared random. Different results were given to the same information. Phony information for non-existent people with false social security numbers often returned that they might be affected and should sign up for their security monitoring. Was overwhelmed and went down. It frequently asked people to come back in a few weeks. At first claimed that if we took their 1 year trial we were giving up our right to sue them (this was rescinded after a justified uproar). The security certificate for the site was not registered so it appeared likely to be a phishing scam (this was later fixed). The mitigation was to offer to do credit monitoring for 1 year (on a breach that will last a lifetime), using a company owned by them and automatically renewing for a fee after the first year. The current mitigation website seems to work: 6. Have major executives sell stock before the disclosure. Three executives sold $1.8 million in stock within a few days of the breach being discovered. Conclusion I would not trust their credit monitoring service. I don't want to give them more information. I don't want to have to hassle with them to stop their automatic renewal of their "service" to protect against the damage they inflicted. I setup security freezes with all four major credit bureaus. That process is outlined here. I also setup a fraud alert as described here. -- Further reading Equifax FAQ about the breach: CNN reporting: ArsTechnica report: Techcrunch article showing the failure of the site to report properly. NY Times Sep 14: ArsTechnica Sep 13: Failure to patch caused breach: Date: October 2017 This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
		I attempt to provide reliable information, but make no warranty as to the accuracy or safety of these articles. I disclaim all legal responsibility for what following these instructions may do. Follow my advice at your own risk

Keeping clients' computers safe and profitable for over 30 years

The Equifax Debacle

Equifax Incompetence Shocking

Conclusion

Further reading