Slashdot Mirror


Equifax Was Warned (vice.com)

Lorenzo Franceschi-Bicchierai, reporting for Motherboard: Months before its catastrophic data breach, a security researcher warned Equifax that it was vulnerable to the kind of attack that later compromised the personal data of more than 145 million Americans, Motherboard has learned. Six months after the researcher first notified the company about the vulnerability, Equifax patched it -- but only after the massive breach that made headlines had already taken place, according to Equifax's own timeline. This revelation opens the possibility that more than one group of hackers broke into the company. And, more importantly, it raises new questions about Equifax's own security practices, and whether the company took the right precautions and heeded warnings of serious vulnerabilities before its disastrous hack. Late last year, a security researcher started looking into some of the servers and websites that Equifax had on the internet. In just a few hours, after scanning the company's public-facing infrastructure, the researcher couldn't believe what they had found. One particular website allowed them to access the personal data of every American, including social security numbers, full names, birthdates, and city and state of residence, the researcher told Motherboard.

7 of 86 comments

  1. Regardless of any warning by Lucas123 · · Score: 5, Insightful

    Equifax is a company that collects sensitive financial information without permission from consumers and shares it with financial services companies. Its cybersecurity should be the physical equivalent of Ft. Knox. This multi-billion-dollar company has no excuse for allowing such a flagrant breach of its data.

    1. Re:Regardless of any warning by Anonymous Coward · · Score: 2, Insightful

      I don't really care whether they were warned or not. I care about tearing apart the existing social security number as an authentication mechanism. Equifax has destroyed that for us; we need to deal with the reality that it needs to be changed out with something better ASAP. (Whether it's a smart card, or just a longer number system with new numbers or something. It's been due for a revamp for decades. The problem with revamps is that typically they allow legacy systems to exist. We need to kill the whole 123-45-6789 numbering scheme with fire.)

    2. Re:Regardless of any warning by AvitarX · · Score: 5, Insightful

      Yeah, but the only way to cripple Equifax would be to make it toxic to do business with them.

      The real message would be class action against the banks that hand over the information to places with poorly vetted security.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  2. Enron them by mi · · Score: 1, Insightful

    They ought to be on the hook for damages to every person affected, with a meaningful minimum even for those of us who cannot demonstrate actual harm. Just because my details are now accessible to anyone anonymously.

    Yes, it will bankrupt them, and that'd be a good thing. Have them go the way of Enron and Ashley Whatshername...

    --
    In Soviet Washington the swamp drains you.
  3. Re:Linux in Action! by MightyYar · · Score: 5, Insightful

    It doesn't matter what you use if you don't patch it.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  4. This happens when IT departments get too big! by ErichTheRed · · Score: 5, Insightful

    I've worked in big companies for a long time and I'm not surprised. The IT security people are usually in-house, but I wouldn't be shocked if they were offshore or totally outsourced. When the IT security team is contacted by a "researcher" telling them something's vulnerable, big IT departments will take forever to put anything into place. First the security team has to run it up the flagpole to their management, then their management has a meeting to decide what course of action to recommend to the server team. The server team (who also may be offshored or outsourced, which introduces more delays) will be told that they have a vulnerability to patch. Application owners affected will need to be contacted to determine when a good time to patch will be. Worse still, if it's a shared service like a service bus or core application component, you have to coordinate that among all the systems' users. Only then can a change management notice be raised, then discussed at the Change Approval Board meeting, then scheduled. At any point, this can also be delayed by the application owner saying they can't take the downtime.

    I'm sure all the DevOps kids will say "dude, just put it in the cloud and CI/CD it...we release 20 times a day!" Legacy financial systems are a different animal. You might be able to release the web front-ends to a system like that 20 times a day, but big company IT's complexity and culture make it hard to apply this to the core.

  5. Speak for yourself by sjbe · · Score: 1, Insightful

    that's what we voted for. so get over it.

    "We"? Speak for yourself. I didn't vote for Trump and I'm certainly not about to "get over it" until he is removed from office.