![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Entry tags:
Let's talk about the Equifax hack
It is indeed a doozy, perhaps the largest data privacy leak in history. Equifax has been collecting information on people for decades, and they do it without our express permission. But at the same time, they are used for credit scores and to generate bank decisions for our getting loans and such. Yet I never signed a contract with Equifax allowing them to collect information on me.
And they have, through zero fault of my own, personally screwed me over.
A couple of years ago my wife and I decided to shop car insurance. Our current insurer was doing some corporate shenanigans that we didn't care for, and it should have been possible to shave some bucks off our premiums, and it never hurts to shop. I called the car club AAA, we ran through my information, and they told me that they couldn't take me because I had three accidents on my record. I'm accident-free. Equifax had taken three accidents OF MY FATHER, whose name is Andrew Donald, and put them on my record, where my name is Donald Wayne. We lived at the same address some years back, but I was living in New Mexico at the time of the accidents and have never owned a Buick. As it happens, we were born in the same month, but not on the day and clearly not in the same year. No two digits in our birth date or year are the same. There's no reason to conflate us and put the accidents on to my record, except for pure sloppy processes.
So I have a pretty poor opinion of these credit bureaus.
What happened to Equifax is pretty simple. They built their data framework on an open source software package called Apache Struts. Like virtually all software packages, bugs are found and patches are issued. A particularly big problem with Struts was first patched in March, but the intruders were in Equifax's system from mid-March through July - approx 2.5 months. Thus it is perfectly reasonable for Equifax to blame open source software for its breach. [sarcasm off] Struts is a framework for Java programs to run either on servers or web browsers, and after updating the framework you have to recompile literally hundreds of programs, and doing that would be a tremendous PITA, but it MUST be done, otherwise shit like this happens. Apparently some management at Equifax didn't like to pay overtime, and now they have to cope with a tremendous amount of shit.
In some late-breaking news from this afternoon, Equifax's Chief Information Officer and Chief Security Officer are both "retiring", proving that for once, shit started at the top. In "there is occasionally some justice, or perhaps there will be" news, the Federal Trade Commission is investigating the breech. It will be interesting to find out what they learn, assuming they ever issue a report. I wonder if Congress will hold public hearings. The breech is being compared by some news agencies to Enron. According to the Reuter's story, "Shares of Equifax fell 2.4 percent on Thursday and trading volume hit a record high. The shares have lost 32 percent since the company disclosed the hack on Sept. 7.
Senate Democratic leader Chuck Schumer compared Equifax to Enron, the U.S. energy company that filed for bankruptcy in 2001 after revelations of a widespread accounting fraud."
But you see, this is not just a problem for people in the USA. Equifax holds information for people in Canada and Mexico. And Argentine, and possibly other Latin American countries. And the BBC is reporting that 400,000 UKians have information that was compromised in the theft, but their information exposure was minimal and should not lead to identity theft. Well, we'll see about that! In Argentine, apparently Equifax's software used the highly-[in]secure account/password combination of admin/admin.
This is one of my favorite stories, and it may be behind a paywall since it's from the Wall Street Journal. Here's the Slashdot summary:
Equifax was lobbying lawmakers and federal agencies to ease up on regulation of credit-reporting companies in the months before its massive data breach. Equifax spent at least $500,000 on lobbying Congress and federal regulators in the first half of 2017, according to its congressional lobbying-disclosure reports. Among the issues on which it lobbied was limiting the legal liability of credit-reporting companies. That issue is the subject of a bill that a panel of the House Financial Services Committee, which oversees the industry, discussed the same day Equifax disclosed the cyberattack that exposed personal financial data of as many as 143 million Americans. Equifax has also lobbied Congress and regulatory agencies on issues around "data security and breach notification" and "cybersecurity threat information sharing," according to its lobbying disclosures. The amount Equifax spent in the first half of this year appears to be in line with previous spending. In 2016 and 2015, the company's reports show it spent $1.1 million and $1.02 million, respectively, on lobbying activities. While the company had broadly similar lobbying issues in those years, the liability matter was new in 2017.
The title of the story is "Equifax Lobbied for Easier Regulation Before Data Breach", it's by Michael Rapoport and AnnaMaria Andriotis. f you do a little searching, you might be able to find a copy.
Now, the breech itself is extremely bad. If you were compromised, and there's a very good chance that you were, then the information that was stolen includes: your full name, social security number, previous addresses, list of jobs, all sorts of amazing things. Information about you that never changes. Information about you that you use to apply for credit cards, loans, mortgages, JOBS. The best thing you can do is to approach all four credit bureaus and put a FREEZE, not monitor, but FREEZE your credit. That means that no credit can be taken out in your name without postal correspondence going back and forth with your house. No credit reports can be pulled. It's about the best that you can do. Brian Krebs has an excellent post that he has to pull out a few times every year to discuss this. Definitely worth a read. Me? I'm unemployed. Banks would have to be idiots to issue credit under my information, still, I plan on freezing my accounts.
But that's not the worst.
For reasons unknown, Equifax had credit card transaction information, 200,000 transactions worth dating back to last November, sitting on their servers, apparently unencrypted. Massive violation of PCI compliance rules.
And who knows, there may be more yet to come.
I won't bother providing links to the stories about your surrendering your right to sue if you signed up for their monitoring service, that's been rescinded. There were at least two class-action law suits in development, along with a couple of States Attorneys General beginning investigation.
One more thing to mention: an op ed piece by Bruce Schneier, a very well-known and respected expert on encryption and privacy. He has some facts wrong, I think he wasn't as well-versed on the scope of the breech as perhaps he should have been when he wrote it. But at the beginning of the piece he talks about how the public are not customers of Equifax, we are what is being sold, and we have no say in the matter. And there are THOUSANDS of data brokers out there that we can't come close to naming all of them.
Equifax's feet will be in the fire for some time, I imagine.
And they have, through zero fault of my own, personally screwed me over.
A couple of years ago my wife and I decided to shop car insurance. Our current insurer was doing some corporate shenanigans that we didn't care for, and it should have been possible to shave some bucks off our premiums, and it never hurts to shop. I called the car club AAA, we ran through my information, and they told me that they couldn't take me because I had three accidents on my record. I'm accident-free. Equifax had taken three accidents OF MY FATHER, whose name is Andrew Donald, and put them on my record, where my name is Donald Wayne. We lived at the same address some years back, but I was living in New Mexico at the time of the accidents and have never owned a Buick. As it happens, we were born in the same month, but not on the day and clearly not in the same year. No two digits in our birth date or year are the same. There's no reason to conflate us and put the accidents on to my record, except for pure sloppy processes.
So I have a pretty poor opinion of these credit bureaus.
What happened to Equifax is pretty simple. They built their data framework on an open source software package called Apache Struts. Like virtually all software packages, bugs are found and patches are issued. A particularly big problem with Struts was first patched in March, but the intruders were in Equifax's system from mid-March through July - approx 2.5 months. Thus it is perfectly reasonable for Equifax to blame open source software for its breach. [sarcasm off] Struts is a framework for Java programs to run either on servers or web browsers, and after updating the framework you have to recompile literally hundreds of programs, and doing that would be a tremendous PITA, but it MUST be done, otherwise shit like this happens. Apparently some management at Equifax didn't like to pay overtime, and now they have to cope with a tremendous amount of shit.
In some late-breaking news from this afternoon, Equifax's Chief Information Officer and Chief Security Officer are both "retiring", proving that for once, shit started at the top. In "there is occasionally some justice, or perhaps there will be" news, the Federal Trade Commission is investigating the breech. It will be interesting to find out what they learn, assuming they ever issue a report. I wonder if Congress will hold public hearings. The breech is being compared by some news agencies to Enron. According to the Reuter's story, "Shares of Equifax fell 2.4 percent on Thursday and trading volume hit a record high. The shares have lost 32 percent since the company disclosed the hack on Sept. 7.
Senate Democratic leader Chuck Schumer compared Equifax to Enron, the U.S. energy company that filed for bankruptcy in 2001 after revelations of a widespread accounting fraud."
But you see, this is not just a problem for people in the USA. Equifax holds information for people in Canada and Mexico. And Argentine, and possibly other Latin American countries. And the BBC is reporting that 400,000 UKians have information that was compromised in the theft, but their information exposure was minimal and should not lead to identity theft. Well, we'll see about that! In Argentine, apparently Equifax's software used the highly-[in]secure account/password combination of admin/admin.
This is one of my favorite stories, and it may be behind a paywall since it's from the Wall Street Journal. Here's the Slashdot summary:
Equifax was lobbying lawmakers and federal agencies to ease up on regulation of credit-reporting companies in the months before its massive data breach. Equifax spent at least $500,000 on lobbying Congress and federal regulators in the first half of 2017, according to its congressional lobbying-disclosure reports. Among the issues on which it lobbied was limiting the legal liability of credit-reporting companies. That issue is the subject of a bill that a panel of the House Financial Services Committee, which oversees the industry, discussed the same day Equifax disclosed the cyberattack that exposed personal financial data of as many as 143 million Americans. Equifax has also lobbied Congress and regulatory agencies on issues around "data security and breach notification" and "cybersecurity threat information sharing," according to its lobbying disclosures. The amount Equifax spent in the first half of this year appears to be in line with previous spending. In 2016 and 2015, the company's reports show it spent $1.1 million and $1.02 million, respectively, on lobbying activities. While the company had broadly similar lobbying issues in those years, the liability matter was new in 2017.
The title of the story is "Equifax Lobbied for Easier Regulation Before Data Breach", it's by Michael Rapoport and AnnaMaria Andriotis. f you do a little searching, you might be able to find a copy.
Now, the breech itself is extremely bad. If you were compromised, and there's a very good chance that you were, then the information that was stolen includes: your full name, social security number, previous addresses, list of jobs, all sorts of amazing things. Information about you that never changes. Information about you that you use to apply for credit cards, loans, mortgages, JOBS. The best thing you can do is to approach all four credit bureaus and put a FREEZE, not monitor, but FREEZE your credit. That means that no credit can be taken out in your name without postal correspondence going back and forth with your house. No credit reports can be pulled. It's about the best that you can do. Brian Krebs has an excellent post that he has to pull out a few times every year to discuss this. Definitely worth a read. Me? I'm unemployed. Banks would have to be idiots to issue credit under my information, still, I plan on freezing my accounts.
But that's not the worst.
For reasons unknown, Equifax had credit card transaction information, 200,000 transactions worth dating back to last November, sitting on their servers, apparently unencrypted. Massive violation of PCI compliance rules.
And who knows, there may be more yet to come.
I won't bother providing links to the stories about your surrendering your right to sue if you signed up for their monitoring service, that's been rescinded. There were at least two class-action law suits in development, along with a couple of States Attorneys General beginning investigation.
One more thing to mention: an op ed piece by Bruce Schneier, a very well-known and respected expert on encryption and privacy. He has some facts wrong, I think he wasn't as well-versed on the scope of the breech as perhaps he should have been when he wrote it. But at the beginning of the piece he talks about how the public are not customers of Equifax, we are what is being sold, and we have no say in the matter. And there are THOUSANDS of data brokers out there that we can't come close to naming all of them.
Equifax's feet will be in the fire for some time, I imagine.