OCS banner and logo
Keeping clients' computers safe and profitable for over 25 years



Home Forms About Current Newsletter subscribe 
Search All Articles

Browse by Category


powered by pmc2m

 

The Equifax Debacle

It is difficult to imagine a worse breach handled worse showing more incompetence than the Equifax Debacle. Not only did they leak as many as 143 million U.S. citizen's private information, but Equifax has managed to make it into a scandal with a Keystone Cops response. What was lost? Some names with social security numbers, birth dates, addresses, and some driver's license numbers. In other words, most of what an identity thief would need to steal your identity. Who is at risk, everyone.

Equifax assumes, as of Sep 11, 2017, an additionally 209,000 people's credit card numbers and 182,000 people's dispute records. were also lost. That is U.S. only. There were also records lost for UK and Canadian residents.

Equifax Incompetence Shocking

Equifax blundered in the following ways:

1. Do not patch your software after an underlying vulnerability is made public
Equifax says, "We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638". So, they use Struts and struts had a vulnerability that was properly reported and fixed on March 6, 2017.

2. Do not patch your software even after massive exploits are discovered.
Massive exploits of unpatched Struts systems began on March 9, just 3 days after the patch fixing it was made available. Despite this, Equifax didn't patch their software. They were hacked over two months after the fix preventing the hack was made available.

3. Do not discover the problem quickly
According to Equifax, the breach occurred from Mid-May through July 2017, so for over 2 months while Equifax remained oblivious. It is hard for security experts to understand how massive amounts of unauthorized data could be sent from a system for a long time without the security system setting off alarm bells.

4. Delay telling people until you get your publicity firm in place.
Equifax waited over 5 weeks to make its public announcement. They claim they discovered it on July 29 but waited until September 7 to disclose it. It should have been announced within 48 hours, preferably within 24.

5. Completely blow the consumer mitigation program
The mitigation website was a poorly secured WordPress installation that:
  • Didn't indicate that the site was Equifax. I was sent to a site for another company I hadn't heard of.
  • Required more private information than I wanted to provide particularly to a company I didn't know using less than enterprise security for no reason I could determine.
  • Results to the question of whether you were affected appeared random. Different results were given to the same information. Phony information for non-existent people with false social security numbers often returned that they might be affected and should sign up for their security monitoring.
  • Was overwhelmed and went down. It frequently asked people to come back in a few weeks.
  • At first claimed that if we took their 1 year trial we were giving up our right to sue them (this was rescinded after a justified uproar).
  • The security certificate for the site was not registered so it appeared likely to be a phishing scam (this was later fixed).
  • The mitigation was to offer to do credit monitoring for 1 year (on a breach that will last a lifetime), using a company owned by them and automatically renewing for a fee after the first year.
  • The current mitigation website seems to work:
6. Have major executives sell stock before the disclosure.
Three executives sold $1.8 million in stock within a few days of the breach being discovered.

Conclusion

I would not trust their credit monitoring service. I don't want to give them more information. I don't want to have to hassle with them to stop their automatic renewal of their "service" to protect against the damage they inflicted.

I setup security freezes with all four major credit bureaus. That process is outlined here. I also setup a fraud alert as described here.

--

Further reading




Date: October 2017


Creative Commons License
This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.

 
 
  Please direct questions/suggestions about website to the webmaster