Slashdot Mirror


Equifax Was Warned (vice.com)

Lorenzo Franceschi-Bicchierai, reporting for Motherboard: Months before its catastrophic data breach, a security researcher warned Equifax that it was vulnerable to the kind of attack that later compromised the personal data of more than 145 million Americans, Motherboard has learned. Six months after the researcher first notified the company about the vulnerability, Equifax patched it -- but only after the massive breach that made headlines had already taken place, according to Equifax's own timeline. This revelation opens the possibility that more than one group of hackers broke into the company. And, more importantly, it raises new questions about Equifax's own security practices, and whether the company took the right precautions and heeded warnings of serious vulnerabilities before its disastrous hack. Late last year, a security researcher started looking into some of the servers and websites that Equifax had on the internet. In just a few hours, after scanning the company's public-facing infrastructure, the researcher couldn't believe what they had found. One particular website allowed them to access the personal data of every American, including social security numbers, full names, birthdates, and city and state of residence, the researcher told Motherboard.


  1. Regardless of any warning by Lucas123 · · Score: 5, Insightful

    Equifax is a company that collects sensitive financial information without permission from consumers and shares it with financial services companies. Its cybersecurity should be the physical equivalent of Ft. Knox. This multi-billion company has no excuse for allowing such a flagrant breach of its data.

    1. Re:Regardless of any warning by Kenja · · Score: 2, Informative

      No worries, Trump & Co repealed the legislation that would let us file class action lawsuits against them. So Equifax will be fine.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    2. Re:Regardless of any warning by Anonymous Coward · · Score: 2, Insightful

      I don't really care about if they were warned or not. I care about tearing apart the existing social security number as an authentication mechanism. Equifax has destroyed that for us, we need to deal with the reality that it needs to be changed out with something better ASAP. (Whether it's a smart card, or just a longer number system with new numbers or something. It's been due for a revamp for decades. The problem with revamps is that typically they allow legacy systems to exist. We need to kill it with fire the whole 123-45-6789 numbering scheme.)

    3. Re:Regardless of any warning by atrimtab · · Score: 5, Interesting

      Except most of the harmed never signed any agreement that includes FORCED ARBITRATION in their relations with Equifax, because the harmed are NOT Equifax customers. That means that all affected US citizens who are not Equifax customers CAN sue directly or via class action.

      The issue will be showing that you were damaged specifically by Equifax's negligence. They will likely defend themselves via all the reports of the similar losses of the same and similar personal data via other corporations' also piss-poor security practices.

      It will be very hard for any specific individual or class to show losses specific to Equifax. Sure, you may be able to show identity theft and losses because of it, but was that specifically because of Equifax? Good luck proving that.

      Equifax certainly does deserve the "Corporate Death Penalty." But there are many ways for them to avoid it, followed by a fresh coat of paint and likely a new name. Just watch....

      Today there is no such thing as a responsible corporate citizen. There probably never was.

      --
      Facebook is billions of individual "Skinner Boxes." And if you use it you are the pigeon!
    4. Re:Regardless of any warning by AvitarX · · Score: 5, Insightful

      Yeah, but the only way to cripple Equafax would be to make it toxic to do business with them.

      The real message would be class action against the banks that hand over the information to places with poorly vetted security.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    5. Re:Regardless of any warning by saltydogdesign · · Score: 4, Interesting

      This is a classic example of perverse incentives. Equifax gets paid when people need fraud protection (directly and indirectly), so the more cavalierly they handle consumer data, the better off they are.

      --
      // This is not a sig.
    6. Re: Regardless of any warning by evilRhino · · Score: 4, Informative

      Obama put the ability to sue the banks in place, rather than forced arbitration. It is the GOP rolling back consumer protection.

    7. Re:Regardless of any warning by markjhood2003 · · Score: 2

      Another way to cripple Equifax is to freeze our credit reports, which denies Equifax the income it makes from charging corporations for our data.

  2. Smells by cwsumner · · Score: 2

    This smells of Class Action Lawsuit !

    Or more than one...

  3. Re:Linux in Action! by omnichad · · Score: 5, Informative

    Apache Struts had plenty of quality control. The bugs in question were patched LONG before any breach. The fact that it's open source is what enabled a third-party security company to discover and report the security vulnerability so quickly.

    It's a double-edged sword, since not patching your systems means that vulnerabilities are published for all to see. But the patch was available.

  4. Re:Linux in Action! by MightyYar · · Score: 5, Insightful

    It doesn't matter what you use if you don't patch it.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  5. A certificate system... by ctilsie242 · · Score: 2

    There is a way to have enough data for a transaction, but no more. A certificate based system, where one's ID card just validates the cardholder is whom they claim to be, and is a repository for certificates. For example, a certificate showing the person is over age 21. That way, they can go to a bar in the US, and the cert provides what the bar needs to know to comply with the law. The bar doesn't need names, ages, or anything else. Just that the bearer is over 21.

    This could be extended to a lot of other things, and to reduce fraud, short-lived certs should be used. For example, a cert that lasts 1-2 days that is done by a police department certifying someone has no entries on their RAP sheet, and has no pending charges. This way, stuff can be done, but relevant info can be sequestered in small, scattered databases, so a breach would be of limited damage.
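As an added example (not from the post), here is a minimal version of the attribute-certificate idea ctilsie242 describes: the issuer signs one short-lived statement ("over_21": true) and nothing else, and the verifier checks authenticity and expiry and learns only that attribute. It assumes an HMAC with a key shared between issuer and verifier, standing in for the public-key signature a real deployment would use.

```python
import hmac
import hashlib
import json
import time
from typing import Optional

# Constructed demo key; a real system would use an issuer's private signing key
# and verifiers would hold only the matching public key.
ISSUER_KEY = b"constructed-demo-key-not-for-real-use"


def issue_cert(attribute: str, value: bool, ttl_seconds: int,
               now: Optional[float] = None, key: bytes = ISSUER_KEY) -> str:
    """Return a signed, short-lived certificate asserting exactly one attribute."""
    now = time.time() if now is None else now
    claims = {"attr": attribute, "value": value,
              "nbf": int(now), "exp": int(now) + ttl_seconds}
    # Canonical encoding so the signature covers a stable byte string.
    body = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_cert(cert: str, expected_attr: str,
                now: Optional[float] = None, key: bytes = ISSUER_KEY) -> Optional[bool]:
    """Return the attribute value if the certificate is authentic, current and
    about expected_attr; otherwise None. No name, birthdate or other data is
    present for the verifier to see, which is the point of the scheme."""
    now = time.time() if now is None else now
    body, sep, tag = cert.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):      # forged or tampered
        return None
    claims = json.loads(body)
    if claims.get("attr") != expected_attr:         # cert is about something else
        return None
    if not (claims["nbf"] <= now < claims["exp"]):  # expired or not yet valid
        return None
    return bool(claims["value"])


if __name__ == "__main__":
    cert = issue_cert("over_21", True, ttl_seconds=2 * 86400)
    print(cert)
    print("bar sees:", verify_cert(cert, "over_21"))
```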

  6. This happens when IT departments get too big! by ErichTheRed · · Score: 5, Insightful

    I've worked in big companies for a long time and I'm not surprised. The IT security people are usually in-house, but I wouldn't be shocked if they were offshore or totally outsourced. When the IT security team is contacted by a "researcher" telling them something's vulnerable, big IT departments will take forever to put anything into place. First the security team has to run it up the flagpole to their management, then their management has a meeting to decide what course of action to recommend to the server team. The server team (who also may be offshored or outsourced, which introduces more delays) will be told that they have a vulnerability to patch. Application owners affected will need to be contacted to determine when a good time to patch will be. Worse still, if it's a shared service like a service bus or core application component, you have to coordinate that among all the systems' users. Only then can a change management notice be raised, then discussed at the Change Approval Board meeting, then scheduled. At any point, this can also be delayed by the application owner saying they can't take the downtime.

    I'm sure all the DevOps kids will say "dude, just put it in the cloud and CI/CD it...we release 20 times a day!" Legacy financial systems are a different animal. You might be able to release the web front-ends to a system like that 20 times a day, but big company IT's complexity and culture make it hard to apply this to the core.

    1. Re:This happens when IT departments get too big! by Lodragandraoidh · · Score: 3, Interesting

      You hit upon the real problem: Companies put more focus on the bottom line than on doing what is right for their customers. Hence operating with a minimal IT workforce, and resorting to off-shoring and other cost-saving methods that directly impact their ability to deliver quality code, and more importantly keep it updated to avoid zero day exploits (as studies have found most zero day exploits take 6 months to a year to find and a fix to be coded, yet the average time for systems in the wild to be updated is 3 to 5 years). IT should know every piece of code that is placed in the network and its source.

      So, what's the fix, aside from reforming corporation and stock market rules? Corporations need to know that if they don't take security seriously there will be bad outcomes for them. Lawsuits are one mechanism for this. Another is through customer choices - boycott companies that don't take security seriously. For corporations that actually want to make changes to deal with this correctly, IT culture needs to change in the following ways:

        * IT should know every piece of code that is placed in the network and its source. This means having an absolutely clear understanding of every library, framework, and any non-standard custom extensions deployed. This will serve two purposes. On the one hand it will ensure that IT is being proactive about patching to avoid zero day exploits. On the other hand it will drive simplification and good software engineering; another way of saying this is KISS (Keep It Simple, Stupid). The more complex systems you put into place - and more importantly the more that complexity comes from code that is generated outside of your own organization, the more likely there are for bugs (potentially exploitable zero days) to exist within the overall code base.

        * IT costs need to be viewed as a cost of doing business, rather than something that can be dispensed with or minimized. To do security right takes resources, and this has increased relevance not only with breaches that we've seen happening, but also to meet corporate requirements from a legal and regulatory perspective (e.g. Sarbanes-Oxley). Costs can be managed, if companies are willing to invest in building automation to help them manage what they've got - and doing that first item above (weeding out overly complex designs).

        * IT needs to also change their culture from what I call a 'shrink-wrapped' software mentality - where software is thrown over the wall to operations and the developers walk away and never work on it again - to a culture that values long term developer ownership and maintenance of systems they have created in partnership with operational teams. This is related to something else that I see a lot of in IT: brain drain. Basically, due to the nomadic existence of developers in an organization either through rotation or vendor outsourcing, long term knowledge of integration between existing systems and new development is lost every year to 18 months - breaking the ability of the company to quickly patch or otherwise modify systems in response to security issues or simply the need for responses to competitive forces.

      We could transform IT from a necessary burden to a much needed and appreciated partner in business. But that will require decisiveness on the part of CTOs and CEOs to dedicate resources to that specific mission.

      --

      Lodragan Draoidh
      The more you explain it, the more I don't understand it. - Mark Twain
  7. What was the warning? by 140Mandak262Jamuna · · Score: 3, Funny

    If the warning was anything other than, "Danger CEO your stock options are under peril", they would pay no attention to it.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  8. Re:Linux in Action! by UnknowingFool · · Score: 2

    That's why I prefer commercial software with well established quality control.

    And what commercial software is that? It's not like all commercial software has great quality control. Have you read this month's security bulletins from the likes of Oracle, Microsoft, etc.? Also in the case of Struts, it had been patched months prior to the intrusion.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  9. Re:Complete and total incompetence! by WheezyJoe · · Score: 2

    You're angry and you should be. But this rabbit-hole is a lot deeper than some guys at Equifax - in short, Equifax doesn't owe you, the consumer, anything. They aren't charged with protecting you, like the way a cop has a duty to protect you from a criminal, or a soldier is charged not to aid and comfort the enemy. Equifax has all their data because banks, whom you entrust with your money and from whom you borrow money, give it to them. They store it, perform analytics on it, and sell it back to the banks so they can decide whether you are a good credit risk or not.

    That's it. And it's worked so well for making it easy to get a car loan approved that they seem like they've been around forever, like a State or Federal Agency that has responsibilities codified in law. But it ain't so. Equifax is just a corporation, selling a service, a B2B service at that. They don't owe anything to anyone except their shareholders and their customers, who ain't you. If they get sued by normal-people, that's what they're gonna say and it's gonna stick. Worse, the data breach doesn't make their data on you less reliable to the banks for looking you up to determine whether to give you a credit card, so they can just keep on cookin'.

    So, what's all this mean? Why is your SSN and personal info now in the hands of the Russians, the North Koreans, the Albanian Mob or whoever else bought a piece? The banks you use, to buy stuff you can't afford to pay for in cash, sold you and every other American out, years, years ago, so that we could enjoy things like credit cards and 0% interest for the first six months on that brand new Chevy. We the People, in the form of our elected government, let this slide, slide, slide, even as the data they accumulated got larger and larger, because it made consumer-credit so damn easy, and keep the economy hummin'. Your granddad had to beg and plead and give up a pint of blood to get a loan at shark prices. These days, we're pre-approved at 1.9% because Equifax and its ilk have stored, for the banks' consumption, everything there is about whether you're a good credit risk.

    Security was never their top concern. Data volume, the accuracy that results therefrom, and speed of delivery is what they sell. If someone copies/steals their data, so what? As far as banks are concerned, the data is out of date the moment it's stolen... as long as Equifax keeps collecting, their data is valuable to banks. Machine keeps turning, profits keep coming in. If someone had corrupted their data, made bad credit risks look like good ones, then Equifax might have had a problem, because their data wouldn't jibe with competitors TransUnion and Experian, and banks won't pay. But to have it stolen one time? Meh, so long as they keep collecting more and issuing credit scores.

    So, nobody's going to hang from a yard-arm for this. Equifax's duty is to their customers (banks), and the stealing of their data is an inconvenience only insofar as banks have to cover for a lot of new, fraudulent transaction attempts made with the stolen data, yet to be seen. You, OTOH, Mr. Consumer? You're on your own. Somewhere in the fine print of those papers you signed to get your Visa card is the clause that permitted your bank to sell your data to Equifax, TransUnion, Experian, and whoever else they need to tell the good credit risks from the bad ones. Don't like it? Quit credit and banks and use only cash - or vote for politicians who are really big on regulating the banking industry (hint: they're the ones without any campaign funds).

    --
    Take it easy, Charlie, I've got an Angle...
  10. Deregulation for the win by l0n3s0m3phr34k · · Score: 3, Interesting

    Further deregulation will lead to even MORE piss-poor security situations like this. Our lawmakers are, at this point, willfully negligent to the point of being criminally culpable. This same situation happens again and again, at various private and government places, and yet nothing is really done. Oh, a law or two might be passed that says "unauthorized access is illegal" yet nothing dictating that any real effort must be done to stop said unauthorized access. Even if we passed a law to force some level of IT security, we lack the backbone to actually do any enforcement.

    The US doesn't even have a current Cabinet-level person doing anything related to security in a real way. "Giuliani Security & Safety" does NOT count. Rob Joyce has TWO full time jobs, one as the "White House Cybersecurity Coordinator" and another as "acting deputy homeland security adviser to the President". While those may have overlapping duties, it's obvious that cybersecurity needs to be its own separate gig. I would even go so far as to say we need a "Commercial Cybersecurity Czar" to separate out the government vs public, as these are quite different in scope and approach.

    However, seeing the kind of people Trump likes to appoint, I would expect someone who thinks cybersecurity is a "hoax" and believes that corporations will be forced to secure themselves "if only allowed to by the invisible hand of the free market"; who would then nullify HIPAA and censure / fire / dismantle the part of NIST that writes the 800 series.

  11. Re:Of course they were warned by l0n3s0m3phr34k · · Score: 2

    Equifax's performance goes far beyond this. A totally unsecured web page, that allowed ANYONE to retrieve information. This isn't cost-cutting, it is willful criminal negligence.