Equifax Security Breach Is A Complete Disaster… And Will Almost Certainly Get Worse
from the hang-on... dept
Okay, chances are you’ve already heard about the massive security breach at Equifax, that leaked a ton of important data on potentially 143 million people in the US (basically the majority of adults in America). If you haven’t, you need to pay more attention to the news. I won’t get into all the details of what happened here, but I want to follow a few threads:
First, Equifax had been sitting on the knowledge of this breach since July. There is some dispute over how quickly companies should disclose breaches, and it makes sense to give companies at least some time to get everything in order before going public. But here it’s not clear what Equifax actually did. The company has seemed almost comically unprepared for this announcement in so many ways. Most incredibly, the site that Equifax set up for checking if your data has been compromised (short answer: yeah, it almost certainly was…) was on a consumer hosting plan using a free shared SSL certificate, a funky domain and an anonymous Whois record. And, incredibly, it asked you for most of your Social Security Number. In short, it’s set up in a nearly identical manner to a typical phishing site. Oh and it left open the fact that the site had only one user — “Edelman” — the name of a big PR firm.
Not surprisingly, it didn’t take long for various security tools to warn that the site wasn’t safe.
Said site is now unsurprisingly being flagged as suspicious by OpenDNS (and probably others) pic.twitter.com/JZOIgSQpRo
— John Kelly (@mrjohnkelly73) September 8, 2017
Google have now marked the Equifax breach notification SSN check as phishing. pic.twitter.com/zb2dDQEwip
— Kevin Beaumont (@GossiTheDog) September 8, 2017
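The reason reputation tools flagged the site is that it shared every surface property of a phishing page. As an added example (not code from the article or from Equifax), the following checklist scores a breach-notification site against exactly those properties: off-brand host, free shared certificate, anonymous Whois record, and a form asking for Social Security Number digits. All site data, the hostnames and the registrant name are constructed.

```python
# Added example: a defender's checklist for whether a "breach notification" site
# is distinguishable from a phishing site. All inputs are constructed; in practice
# they would come from DNS, the TLS handshake, a Whois lookup and the page's form.

SENSITIVE_FIELDS = {"ssn", "ssn_last6", "ssn_last4", "dob", "account_number"}


def under_domain(host: str, org_domain: str) -> bool:
    """True if host equals org_domain or is a subdomain of it.
    Label-boundary aware: 'notequifax.com' is NOT under 'equifax.com'."""
    host = host.lower().rstrip(".")
    org_domain = org_domain.lower().rstrip(".")
    return host == org_domain or host.endswith("." + org_domain)


def phishing_indicators(site: dict, org_domain: str, org_name: str) -> list:
    """Return the red flags a cautious user or a reputation service would raise."""
    flags = []
    if not under_domain(site["host"], org_domain):
        flags.append("host is not under the organization's own domain")
    cert = site["cert"]
    if cert.get("org") != org_name:  # DV / free shared certs carry no Organization
        flags.append("certificate not issued to the organization")
    shared = [s for s in cert["sans"]
              if not under_domain(s.lstrip("*."), org_domain)
              and not under_domain(s.lstrip("*."), site["host"])]
    if shared:  # SANs for other tenants = shared-hosting certificate
        flags.append("certificate shared with unrelated domains")
    registrant = site.get("whois_registrant") or ""
    if not registrant or "privacy" in registrant.lower():
        flags.append("anonymous or proxied Whois record")
    asked = SENSITIVE_FIELDS & set(site["form_fields"])
    if asked:
        flags.append("asks for sensitive identifiers: " + ", ".join(sorted(asked)))
    return flags


SUSPECT_SITE = {  # constructed to mirror the article's description of the checker site
    "host": "equifax-breach-check.example",
    "cert": {"org": None, "sans": ["equifax-breach-check.example", "other-tenant.example"]},
    "whois_registrant": None,
    "form_fields": ["last_name", "ssn_last6"],
}
PROPER_SITE = {  # constructed: how a site hosted under the company's own domain would look
    "host": "breach.equifax.com",
    "cert": {"org": "Equifax Inc.", "sans": ["breach.equifax.com"]},
    "whois_registrant": "Equifax Inc.",
    "form_fields": ["last_name"],
}

if __name__ == "__main__":
    for name, site in (("suspect", SUSPECT_SITE), ("proper", PROPER_SITE)):
        print(name, phishing_indicators(site, "equifax.com", "Equifax Inc."))
```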
And, when Equifax pushed people to its own “TrustedID” program to supposedly check to see if you were a victim of its own failures… it just started telling everyone yes no matter what info they put in:
Just wow. If you enter "Test" and "123456" on Equifax's hack checker page, it says your data has been breached. pic.twitter.com/cTjTs7Frjv
— Zack Whittaker (@zackwhittaker) September 8, 2017
So, yeah, what the hell did Equifax do during those six weeks it had to prepare? Oh, well, a few of its top execs used the delay to sell off stock, which may put them in even more hot water (of the criminal variety). Also, just days before it revealed the breach, and long after it knew of it, the company was talking up how admired its CEO is. This is literally the last tweet from Equifax prior to tweeting about the breach (screenshotted, because who knows how long it’ll last):
I can’t see any scenario under which Smith keeps his job. And it seems likely that many other execs are going to be in trouble as well. Beyond the possible insider trading above, there’s already scrutiny on its corporate VP and Chief Legal Officer, John J. Kelley, who made $2.8 million last year and runs the company’s “security, compliance, and privacy” efforts.
And despite six weeks to prepare for this, the following was Equifax’s non-apology:
We apologize to our consumers and business customers for the concern and frustration this causes.
That’s a classic non-apology. It’s not apologizing for its own actions. It’s not apologizing for the total mess it’s created. It’s just apologizing if you’re “concerned and frustrated.”
Oh, and did we mention that the very morning of the day that Equifax announced the breach, it tweeted out about a newsletter it published about how “safeguarding valuable customer data is critical.” Really (again, screenshotted in case this disappears):
What the fuck, Equifax? Should we even mention that Equifax has been a key lobbying force against data breach bills? Those bills have some problems… but, really, it’s not a good look following all of this.
And while there was some concern that signing up to check to see if you were a victim (again: look, you probably were…) would force you out of being a part of any class action lawsuit, that’s since been “clarified” to not apply to any class action lawsuits over the breach. And you better believe that the company is going to be facing one heck of a class action lawsuit (a bunch are being filed, but they’ll likely be consolidated).
That’s all background of course. What I really wanted to discuss is how this will almost certainly get worse before it gets better. More than twelve years ago, I wrote that every major data breach is later revealed to be worse than initially reported on. This has held true for years and years. The initial analysis almost always underplays how serious the leak is or how much data is leaked. Stay tuned, because there’s a very high likelihood we’ll find out that either more people were impacted or that more sensitive information is out there.
And that should be a major concern, because what we already know here is stunning. As Michael Hiltzik at the LA Times noted, this is the mother lode of data if you want to commit all sorts of fraud:
The data now at large includes names, Social Security numbers, birthdates, addresses and driver’s license numbers, all of which can be used fraudulently to validate the identity of someone trying to open a bank or credit account in another person’s name.
In some cases, Equifax says, the security questions and answers used on some websites to verify users’ identity may also have been exposed. Having that information in hand would allow hackers to change their targets’ passwords and other account settings.
Other data breaches may have been bigger in terms of total accounts impacted, but it’s hard to see how any data breach could have been this damaging. For over a decade, we’ve pointed out that credit bureaus like Equifax are collecting way too much data, with zero transparency. In fact, back in 2005, we wrote about Equifax itself saying that it was “unconstitutional and un-American” to let people know what kind of information Equifax had on them. The amount of data that Equifax and the other credit bureaus hold is staggering — and as this event shows, they don’t seem to have much of a clue about how to actually secure it.
At some point, we need to rethink why we’ve given Equifax, Experian and TransUnion so much power over so much of our everyday lives. You can’t opt-out. They collect most of their data without us knowing and in secret. You can’t avoid them. And now we know that at least one of them doesn’t know how to secure that data.