China's To Blame For The Equifax Hack. But It Shouldn't Let Equifax, Or US Regulators, Off The Hook.

from the plenty-of-blame-to-go-around dept

The Department of Justice this morning formally announced that it has identified the Chinese government as the culprit behind the historic Equifax hack. If you’ve forgotten, the 2017 hack involved hackers making off with the personal financial data of more than 147 million Americans. Those victims were then forced to stumble through an embarrassing FTC settlement that promised them all manner of financial compensation that mysteriously evaporated once they went to collect it.

According to the FTC’s press release and the indictment (pdf), the four Chinese government employees responsible for the hack were all members of the People’s Liberation Army’s 54th Research Institute, an extension of the Chinese military. The four exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal to first gain access to Equifax’s systems, then ran more than 9,000 queries before managing to offload both consumer financial data and “proprietary Equifax info” (mostly related to databases) to a Dutch server.

In a statement, Equifax was happy to see the onus shifted entirely onto the backs of the Chinese:

“Cybercrime is one of the greatest threats facing our nation today, and it is an ongoing battle that every company will continue to face as attackers grow more sophisticated. Combating this challenge from well-financed nation-state actors that operate outside the rule of law is increasingly difficult. Fighting this cyberwar will require the type of open cooperation and partnership between government, law enforcement and private business that we have experienced firsthand.”

That rhetoric was mirrored in the DOJ’s announcement and Bill Barr’s speech, which repeatedly framed the entire Equifax saga as largely a victory for U.S. national security:

“The size and scope of this investigation, affecting nearly half of the U.S. population, demonstrates the importance of the FBI’s mission and our enduring partnerships with the Justice Department and the U.S. Attorney’s Office. This is not the end of our investigation; to all who seek to disrupt the safety, security and confidence of the global citizenry in this digitally connected world, this is a day of reckoning.”

Except there are a few things both Equifax and Bill Barr forget to mention. One, the vulnerability that allowed the hackers to gain access to this data had been known to Equifax for months before the attack, and the company did nothing about it. Two, this data wouldn’t have been available to steal if companies like Equifax hadn’t made an industry out of collecting this sort of data — without consumer consent and with no way for consumers to opt out — in the process creating such a delicious target. A target they then failed to adequately secure and protect.

So yes, while it’s certainly great we’ve identified the hackers (who’ll never see the inside of a jail cell), this entire mess could have been avoided.

A few lawmakers, like Senator Mark Warner, were quick to applaud the investigation while highlighting how it shouldn’t distract from Equifax’s failures:

“The indictment does not detract from the myriad of vulnerabilities and process deficiencies that we saw in Equifax’s systems and response to the hack,” Senator Mark Warner said in a statement provided to Motherboard. “A company in the business of collecting and retaining massive amounts of Americans’ sensitive personal information must act with the utmost care, and face any consequences that arise from that failure.”

Another thing neither Equifax nor Bill Barr likely want to highlight is that the penalty for Equifax — and the FTC settlement for consumers — was little more than a cruel joke. While the $575 million FTC settlement was bandied about for being a “record” deal, as with most hacks and breaches, the final penalty was a far cry from the money made from collecting and selling access to this data for decades. And the consumer “compensation” aspect of the deal involved both useless “free” credit reporting software and $125 cash payouts that mysteriously disappeared when victims went to collect them, adding insult to injury.

The lack of any meaningful US privacy law for the internet era means there is repeatedly no real punishment for companies that fail to secure the vast troves of data they now collect on your every waking moment. Nor is there any real compensation for consumers who may not have wanted this data collected, stored, and sold to every nitwit with a nickel. There are so many points of failure here — from corporations that treat privacy and security as an afterthought to captured regulators too feckless to do anything about it — that focusing too extensively on national security risks us learning absolutely nothing from the experience.



Comments on “China's To Blame For The Equifax Hack. But It Shouldn't Let Equifax, Or US Regulators, Off The Hook.”

That Anonymous Coward (profile) says:

"a victory for U.S. national security"

We have secured the doors on the barn that burned 24 months ago.
These doors are very secure to keep out the nation-state hackers, even if the access is still admin 12345.

This is BS.
This company screwed tons of people & got off with hardly a wrist slap, while the victims will end up spending untold thousands to try to undo the damage & then the added bonus of paying to get the records these assholes keep corrected to remove the errors they help open the door to.

Scary Devil Monastery (profile) says:

Re: Re:

"This company screwed tons of people & got off with hardly a wrist slap…"

The same way AIG and a number of banks made it a business to lend fifty times more money than they had assets to cover back in 2008, almost sinking the US economy completely as a result.

If the industry and business model is considered too big to fail, the wrist slap is all that’s on the table. There are plenty of reasons why US politicians should be very, very cautious about frightening too many cornerstones in the Jenga tower of the fiscal system.

Anonymous Coward says:

So yes, while it’s certainly great we’ve identified the hackers (who’ll never see the inside of a jail cell)

Now that we know who they are, we could mail them a picture of the inside of a jail cell. If you want to be thorough, we could post the picture alongside every article listing their names, so that if they ever search the Internet for their own names, they’ll be likely to find it and see it.

Of course, they’ll probably never search for their own names. They’re too busy searching to see which of the stolen identities will be most lucrative.

ECA (profile) says:

Not long ago..

It was Supposed to be illegal to use the Social security number for anything Except certain uses.
And the credit corps ran over this with a Fully laden Dump truck.

Then there is a strange thought of 3 corps doing this for years, and only 1 gets hit?

$575 million divided by 147 million… ~$4. WOW, what a return on a failure. No wonder international corps love the USA. How many other nations would be this nice?? In the past, China has chopped corporate heads off.. REALLY.

Wasn’t it about that same time that Sony had the servers in Brazil HIT HARD?? Terabytes of data?? And no one is saying anything about that.. And how it had to take days to download that amount of data, and no one caught it.

Automated system monitoring is FRICKING STUPID.. when it doesn’t monitor that someone is online an extended time and downloading a HUGE amount of data. What are the odds that these corps’ software worked to give a warning, but there was NO ONE THERE to see the warnings?? Let’s cut corners.. we don’t need enough people to do that job, it’s boring. Let’s cut it down 98%. We don’t have to pay top dollar for this job; they can do it remote from home, in their spare time, at 1/4 the wage.

Anyone want this job? Sysop or admin and Corp policy kills the wages and work hours..??

Scary Devil Monastery (profile) says:

Re: What should happen is...

"The employees at Equifax that were responsible for the lack of security should probably be included in the charges as accomplices."

Those responsible for security probably told management, time and time again that the system wasn’t secure and all the risks inherent.

And then they were ignored.

Or worse still, there were no such employees in the first place and Equifax relied exclusively on the default security of a pre-canned database setup bought from the lowest bidder, with outsourced "tech support" whose access to the system was restricted to resetting lost passwords.

Anonymous Coward says:

On the other hand

Assuming China is really behind this, confirmation would be nice.

Which is worse, China getting this data or Organized Crime getting the data?

I condemn this like most of us. However, is China really interested in robbing our bank accounts, or ruining our lives if we don’t pay up. Organized Crime is.

I agree that severe punishment for C-levels will help solve this, but I rest a little less uneasy hoping that ONLY China was behind this.

Huawei-wawawawaaaaa says:

Payback is a batch job.

Remember this? "NSA hackz all the Huawei routerz with impunity."

As usual, guess who started this fight (the USA-ul suspects).

And really, I mean, you can’t blame the PLA for the actions of a few "individuals" whose credit scores could impact China’s national security, cuz, that’s a conspiracy theory, sort of like the way the University of Minnesota framed Richard Liu as a rapist.

Even with proof of innocence, the fake-rape conspiracy theorists are still dragging that story through the rumor mills.

Threat Assessment office says:

Re: Re: Re: Re: um, nope

The Threat Assessment Industry and mouthpieces for organized criminals who work in the security industry (like ATAP), and then Law Enforcement Intelligence Units and Infragard, augmented by community policing, are behind most/all of the so-called domestic terrorism, and that ISIS was a western intelligence agency creation is more fact than fiction.

Al Qaeda had almost no serious cyber threat capacity.

Over Rated says:

Re: Re: Re: espionage and blackmail

Too late to worry about that, as so much of this went on already, between 2001 and today, as NSA/MI5-6/et alphabet was doing the exact same thing, but primarily spying on US/FVEY citizens.

You know, cuz, totalitarianism is somehow what the "other guys" do, right?

China, if anything, is aware that it is just keeping up with the Joneses in this regard, and being rather polite about it, I think.

The real threat actors are/is the dual loyalty of US and Israeli private contractors, with a foot inside and outside of agencies, fed by the NSA-FVEY whole-capture pipeline, and acting on one hand as advisors/tech providers to both US and Chinese military, and on the other with an uncertain endgame.

But without a doubt, blackmail and compromise operations are rampant no matter where you look.
