China's To Blame For The Equifax Hack. But It Shouldn't Let Equifax, Or US Regulators, Off The Hook.

from the plenty-of-blame-to-go-around dept

The Department of Justice this morning formally announced that it has identified the Chinese government as the culprit behind the historic Equifax hack. If you've forgotten, the 2017 hack involved hackers making off with the personal financial data of more than 147 million Americans. Those victims were then forced to stumble through an embarrassing FTC settlement that promised them all manner of financial compensation that mysteriously evaporated once they went to collect it.

According to the FTC's press release and the indictment (pdf), the four Chinese government employees responsible for the hack were all members of the People’s Liberation Army's 54th Research Institute, an extension of the Chinese military. The four exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal to first gain access to Equifax's systems, then ran more than 9,000 queries before managing to offload both consumer financial data and "proprietary Equifax info" (mostly related to databases) to a Dutch server.
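The sequence the indictment describes above (a web-application flaw, then thousands of queries, then bulk export off-site) is the pattern that per-session volume monitoring exists to surface. The following is an added example and not code from the article, from Equifax, or from the indictment: a small Python detector that rolls up a constructed query log per session and flags sessions whose query count, rows returned, or duration exceed a baseline. The log format, the thresholds, the IP addresses and the session ids are all assumptions made for the example.

```python
"""Added example (not from the article or any party it names): flag sessions
whose query volume, row volume or duration exceed an assumed baseline."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed one-query-per-line log format: "<ISO timestamp> session=<id> src=<ip> rows=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) src=(?P<src>\S+) rows=(?P<rows>\d+)$"
)


@dataclass
class SessionStats:
    first_seen: datetime
    last_seen: datetime
    queries: int = 0
    rows: int = 0


def parse_line(line):
    """Return (timestamp, session, src, rows) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["session"], m["src"], int(m["rows"])


def aggregate(lines):
    """Roll up counts per (session, source); unparsable lines are skipped, not fatal."""
    stats = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, session, src, rows = parsed
        key = (session, src)
        s = stats.get(key)
        if s is None:
            stats[key] = SessionStats(ts, ts, 1, rows)
        else:
            s.first_seen = min(s.first_seen, ts)
            s.last_seen = max(s.last_seen, ts)
            s.queries += 1
            s.rows += rows
    return stats


def flag_sessions(stats, max_queries=200, max_rows=50_000, max_duration=timedelta(hours=1)):
    """Assumed baseline: an interactive dispute-portal session issues a handful of queries,
    returns a handful of rows, and finishes well inside an hour. Each alert lists every
    threshold the session crossed so an analyst sees why it fired."""
    alerts = []
    for (session, src), s in sorted(stats.items(), key=lambda kv: kv[0]):
        reasons = []
        if s.queries > max_queries:
            reasons.append(f"query_count={s.queries}")
        if s.rows > max_rows:
            reasons.append(f"rows_returned={s.rows}")
        duration = s.last_seen - s.first_seen
        if duration > max_duration:
            reasons.append(f"duration={duration}")
        if reasons:
            alerts.append({"session": session, "src": src, "reasons": reasons})
    return alerts


def build_sample_log():
    """Constructed sample data: three ordinary sessions plus one that behaves like
    bulk extraction (300 queries, 400 rows each, spread over about two and a half hours)."""
    start = datetime(2017, 5, 13, 3, 0, 0)
    lines = []
    for i, sess in enumerate(["s-101", "s-102", "s-103"]):
        for q in range(6):
            ts = start + timedelta(minutes=10 * i, seconds=5 * q)
            lines.append(f"{ts.isoformat()} session={sess} src=203.0.113.{i + 10} rows=1")
    for q in range(300):
        ts = start + timedelta(seconds=30 * q)
        lines.append(f"{ts.isoformat()} session=s-777 src=198.51.100.7 rows=400")
    lines.append("malformed line that the parser should skip")
    return lines


def run_sample():
    """Run the detector over the constructed log and return the alerts."""
    return flag_sessions(aggregate(build_sample_log()))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The thresholds are deliberately simple fixed numbers so the logic is easy to audit; in practice the baseline would be derived from each application's normal per-session behaviour, and the row and duration checks matter as much as the raw query count, since a slow, patient extraction can stay under any single per-minute rate limit.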

In a statement, Equifax was happy to see the onus shifted entirely onto the backs of the Chinese:

"Cybercrime is one of the greatest threats facing our nation today, and it is an ongoing battle that every company will continue to face as attackers grow more sophisticated. Combating this challenge from well-financed nation-state actors that operate outside the rule of law is increasingly difficult. Fighting this cyberwar will require the type of open cooperation and partnership between government, law enforcement and private business that we have experienced firsthand."

That rhetoric was mirrored in the DOJ's announcement and Bill Barr's speech, which repeatedly framed the entire Equifax saga as largely a victory for U.S. national security:

"The size and scope of this investigation, affecting nearly half of the U.S. population, demonstrates the importance of the FBI’s mission and our enduring partnerships with the Justice Department and the U.S. Attorney’s Office. This is not the end of our investigation; to all who seek to disrupt the safety, security and confidence of the global citizenry in this digitally connected world, this is a day of reckoning."

Except there are a few things both Equifax and Bill Barr forgot to mention. One, Equifax knew about the vulnerability that let the hackers reach this data for months before the attack, and the company did nothing about it. Two, this data wouldn't have been available to steal if companies like Equifax hadn't made an industry out of collecting it -- without consumer consent and with no way for consumers to opt out -- in the process creating such a delicious target. A target they then failed to adequately secure and protect.

So yes, while it's certainly great we've identified the hackers (who'll never see the inside of a jail cell), this entire mess could have been avoided.

A few lawmakers, like Senator Mark Warner, were quick to applaud the investigation while highlighting how it shouldn't distract from Equifax's failures:

"The indictment does not detract from the myriad of vulnerabilities and process deficiencies that we saw in Equifax’s systems and response to the hack,” Senator Mark Warner said in a statement provided to Motherboard. “A company in the business of collecting and retaining massive amounts of Americans’ sensitive personal information must act with the utmost care – and face any consequences that arise from that failure."

Another thing neither Equifax nor Bill Barr likely wants to highlight is that the penalty for Equifax -- and the FTC settlement for consumers -- was little more than a cruel joke. While the $575 million FTC settlement was bandied about as a "record" deal, as with most hacks and breaches the final penalty was a far cry from the money made from collecting and selling access to this data for decades. And the consumer "compensation" aspect of the deal involved both useless "free" credit reporting software and $125 cash payouts that mysteriously disappeared when victims went to collect them, adding insult to injury.

A lack of any meaningful US privacy law for the internet era means there is routinely no real punishment for companies that fail to secure the vast troves of data they're now collecting on your every waking moment. Nor is there any real compensation for consumers who may not have wanted this data collected, stored, and sold to every nitwit with a nickel. There are so many points of failure here -- from corporations that treat privacy and security as an afterthought to captured regulators too feckless to do anything about it -- that focusing too extensively on national security risks us learning absolutely nothing from the experience.

Filed Under: china, cybersecurity, data breach, doj, security, william barr
Companies: equifax


Reader Comments



  • bob, 10 Feb 2020 @ 10:59am

    As a creditor to the U.S., China just wanted to verify people were trying to pay their debts.

    /s


  • Anonymous Coward, 10 Feb 2020 @ 11:32am

    Two, that this data wouldn't be available to steal if companies like Equifax hadn't made an industry out of collecting this sort of data

    Karl, copying is not theft!


  • That Anonymous Coward (profile), 10 Feb 2020 @ 12:12pm

    "a victory for U.S. national security"

    We have secured the doors on the barn that burned 24 months ago.
    These doors are very secure to keep out the nation-state hackers, even if the access is still admin 12345.

    This is BS.
    This company screwed tons of people & got off with hardly a wrist slap, while the victims will end up spending untold thousands to try to undo the damage & then the added bonus of paying to get the records these assholes keep corrected to remove the errors they help open the door to.


    • Scary Devil Monastery (profile), 11 Feb 2020 @ 5:45am

      Re:

      "This company screwed tons of people & got off with hardly a wrist slap..."

      The same way AIG and a number of banks made it a business to lend fifty times more money than they had assets to cover back in 2008, almost sinking the US economy completely as a result.

      If the industry and business model is considered too big to fail, the wrist slap is all that's on the table. There are plenty of reasons why US politicians should be very very cautious about frightening too many cornerstones in the jenga tower of the fiscal system.


  • Anonymous Coward, 10 Feb 2020 @ 12:16pm

    So yes, while it's certainly great we've identified the hackers (who'll never see the inside of a jail cell)

    Now that we know who they are, we could mail them a picture of the inside of a jail cell. If you want to be thorough, we could post the picture alongside every article listing their names, so that if they ever search the Internet for their own names, they'll be likely to find it and see it.

    Of course, they'll probably never search for their own names. They're too busy searching to see which of the stolen identities will be most lucrative.


  • Anonymous Coward, 10 Feb 2020 @ 12:35pm

    The ongoing, daily Equifax hack is not a mystery to people who understand the issue.


  • ECA (profile), 10 Feb 2020 @ 1:14pm

    Not long ago..

    It was Supposed to be illegal to use the Social security number for anything Except certain uses.
    And the credit corps ran over this with a Fully laden Dump truck.

    Then there is a strange thought of 3 corps doing this for years, and only 1 gets hit?

    575 million divided by 147 million...~ $4..WOW, what a return on a failure. No wonder international corps love the USA. How many other nations would be this nice?? In the past, China has Chopped Corporate heads off..REALLY.

    Wasn't it about that same time that Sony had the servers in Brazil HIT HARD?? Terabytes of data?? And no one is saying anything about that.. And how it had to take Days to Download that amount of data, and no one caught it.

    Automated system Monitoring is FRICKING STUPID.. When it doesn't monitor that someone is online an extended time, and Downloading a HUGE amount of data. What are the Odds that these corps' software worked to give a warning, but there was NO ONE THERE to see the warnings?? Let's cut corners.. we don't need Enough people to do that job, it's boring. Let's cut it down 98%. We don't have to pay Top dollar for this job; they can do it remote from home, in their spare time, at 1/4 the wage.

    Anyone want this job? Sysop or admin and Corp policy kills the wages and work hours..??


    • Anonymous Coward, 10 Feb 2020 @ 2:30pm

      Re: Not long ago..

      It's not just credit corporations. Try getting any kind of insurance without surrendering your SSN.


    • Anonymous Coward, 10 Feb 2020 @ 6:21pm

      Re: Not long ago..

      Privacy is impossible to protect at scale.


    • Scary Devil Monastery (profile), 11 Feb 2020 @ 5:50am

      Re: Not long ago..

      "Anyone want this job? Sysop or admin and Corp policy kills the wages and work hours..??"

      Not unless we can include the Abigail Oath in the official job description and plan.


  • AricTheRed, 10 Feb 2020 @ 2:09pm

    What should happen is...

    The employees at Equifax that were responsible for the lack of security should probably be included in the charges as accomplices.

    They, as indicated above, are actually complicit. The "Hack" could not have happened or been as successful, or gone undetected for so long if they were not.


    • Khym Chanur (profile), 10 Feb 2020 @ 3:03pm

      Re: What should happen is...

      Those employees might have told management and/or executives about the vulnerabilities but were ignored because fixing the problems would cost money. They could have tried going whistleblower, but given the slap on the wrist Equifax got that probably wouldn't have gone well for them.


      • AricTheRed, 10 Feb 2020 @ 6:54pm

        Re: Re: What should happen is...

        Sorry to have to be explicit here.

        I’m referring to the ASS HATS that made the decisions to leave vulnerabilities in place not the grunts that carry out their bidding.

        But thanks for pointing out my lackadaisical effort at concise communication in this instance.


    • Scary Devil Monastery (profile), 11 Feb 2020 @ 5:54am

      Re: What should happen is...

      "The employees at Equifax that were responsible for the lack of security should probably be included in the charges as accomplices."

      Those responsible for security probably told management, time and time again that the system wasn't secure and all the risks inherent.

      And then they were ignored.

      Or worse still, there were no such employees in the first place and Equifax relied exclusively on the default security of a pre-canned database setup bought from the lowest bidder, with outsourced "tech support" whose access to the system was restricted to resetting lost passwords.


  • Glenn, 10 Feb 2020 @ 2:34pm

    I'll wait for corroboration from a credible source...


  • freakanatcha (profile), 10 Feb 2020 @ 3:44pm

    Sure fire way to stop this

    Start holding c-level execs criminally liable for inaction and watch how quickly these problems get cleaned up.


  • Anonymous Coward, 11 Feb 2020 @ 6:26am

    On the other hand

    Assuming China is really behind this, confirmation would be nice.

    Which is worse, China getting this data or Organized Crime getting the data?

    I condemn this like most of us. However, is China really interested in robbing our bank accounts, or ruining our lives if we don't pay up? Organized Crime is.

    I agree that severe punishment for C-levels will help solve this, but I rest a little less uneasy hoping that ONLY China was behind this.


  • Huawei-wawawawaaaaa, 11 Feb 2020 @ 8:29am

    Payback is a batch job.

    Remember this? "NSA hackz all the Huawei routerz with impunity."

    As usual, guess who started this fight (the USA-ul suspects).

    And really, I mean, you can't blame the PLA for the actions of a few "individuals" whose credit scores could impact China's national security, cuz, that's a conspiracy theory, sort of like the way the University of Minnesota framed Richard Liu as a rapist.

    Even with proof of innocence, the fake rape conspiracy theorists are still dragging that story through the rumor mills.

    http://www.startribune.com/chinese-billionaire-richard-liu-will-not-be-charged-with-rape-says-hennepin-county-attorney/503341712/


    • bob, 11 Feb 2020 @ 9:33am

      Re:

      It's not so much that the PLA will steal identities; the bigger concern is the espionage and blackmail that can result.


      • Anonymous Coward, 11 Feb 2020 @ 11:13am

        Re: Re:

        Cyber terrorism, including al Qaeda or similar attacks, is the problem.


        • Threat Assessment office, 12 Feb 2020 @ 9:47am

          Re: Re: Re: um, nope

          The Threat Assessment Industry and mouthpieces for organized criminals who work in the security industry (like ATAP) and then, Law Enforcement Intelligence Units, and Infragard, augmented by community policing, is behind most/all of the so-called domestic terrorism, and that ISIS was a western intelligence agency creation is more fact than fiction.

          Al Qaeda had almost no serious cyber threat capacity.


      • Over Rated, 12 Feb 2020 @ 10:09am

        Re: Re: espionage and blackmail

        Too late to worry about that, as so much of this went on already, between 2001 and today, as NSA/MI5-6/Etalphabet was doing the exact same thing, but primarily spying on US/FVEYs citizens.

        You know, cuz, totalitarianism is somehow what the "other guys" do, right?

        China, if anything, is aware that it is just keeping up with the Joneses in this regards, and being rather polite about it I think.

        The real threat actors are/ is the dual loyalty of US and Israeli private contractors, with a foot inside and outside of agencies, and fed by the NSA-FVEY whole capture pipeline, and acting on one hand as advisors/tech providers to both US and Chinese military, and on the other with an uncertain endgame.

        But without a doubt, blackmail and compromise operations are rampant no matter where you look.

