Equifax: 5th Largest Data Breach Ever and Their Troubles Don't End There

Negligence, terrible communications, bad crisis management … someone's head is gonna roll.


By Mark Gibbs


As of the writing of this article on Thursday, September 7th, 2017, yet another corporate mega-breach has been revealed, and this time it's the credit-reporting agency Equifax. The company claims the breach may have compromised the financial data of about 143,000,000 (yes, that's "143 million") U.S. consumers, although if past serious cyber-breaches are anything to go by, that total may well go up in the days to come. Equifax states:

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.

So, let's assume that the groups of 209,000 and 182,000 don't overlap; this raises the question of what data belonging to the other 142,609,000 individuals was revealed. I'm guessing it wasn't their astrological signs or preferred movie genres, but let's move on ...

On the website that Equifax set up (incredibly quickly) to deal with the breach, the company claims that there was "No Evidence of Unauthorized Access to Core Consumer or Commercial Credit Reporting Databases," which can only be viewed as a serious attempt at deflection: it really doesn't matter where the data was stored; the central issue is that the data of 143 million consumers was stolen.

But how bad is this breach in real terms? We really don't know yet but it could well prove to be extremely bad, not just because the data involved provides very detailed individual profiles making identity theft extremely easy, but because it's unlikely Equifax will do more than the minimum for those consumers who are affected. On the Equifax Insecurity Security website consumers are told "How to enroll in complimentary identity theft protection and credit file monitoring services and how to find out if your personal information may have been impacted." This signup is a clumsy process. Here's the first page of the enrollment:

[Image: first page of the TrustedID Premier enrollment form]

Once you enter your data, you're taken to this page:

[Image: the page shown after entering your data]


The "you have to remember to come back 'cause we won't remind you" is surprisingly arrogant considering that it was Equifax that lost our records. So, if you are told your data has been compromised and then you wind up having to clear up the mess, how much will you thank Equifax for enrolling you in "TrustedID Premier"? Will Equifax compensate you in any meaningful way for losing personal data that they acquired, aggregated and sold without your permission? I think we can all guess the answer to these questions: a resounding "not at all."

A friend of mine went through this "enrollment" process and was immediately told that his data hadn't been compromised. This was not what happened to me so I guess that I might not be as lucky as he is (curse you, Dave).

The intrusion was first discovered on July 29th, forty days (but see the Update below) before it was announced, and—I'm not making this up—according to a Bloomberg article, three of Equifax's senior executives sold off shares worth some $1.8 million three days after the breach or, to put that another way, 37 days before the world learned of it:

Regulatory filings show that […] Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 scheduled trading plans.

A spokesdroid for the company stated that the three executives had no knowledge of the breach when they sold their shares, which surprises me because they are all senior staff members who, you would think, would be immediately informed of such a potentially brand-damaging event. In fact, not informing the CFO immediately implies that internal communications, along with disaster planning and crisis management, at Equifax are poor if not non-existent.

Kenneth Geers, senior research scientist at Comodo, NATO Cyber Centre ambassador, and former NSA/NCIS analyst commented: "The fact that the Trustedid.com site isn’t yet working means that Equifax was simply not ready for the level of responsibility that possession of this quantity and quality of digital information requires. It is alarming that, despite past cybersecurity compromises, Equifax today apparently has no chief information security officer (CISO) to talk to."

Equifax, my friends, is a company in a seriously deep hole: not only has it been subject to the fifth largest known breach ever*, which, given the sensitivity of the data it handles, implies a stunning lack of due care, it has also demonstrated really terrible internal communications and seriously deficient crisis planning and management. Is it any surprise that, as of writing, shares of Equifax have fallen just over 13% to $124.00 in after-hours trading?


8-Sep 2017 3:36pm PT Update:
According to the Equifax Cybersecurity Incident & Important Consumer Information:

Over what period of time did the unauthorized access occur?
Based on our investigation, the unauthorized access occurred from mid-May through July 2017.
Do the TrustedID Terms of Use limit my options related to the cyber security incident?
The arbitration clause and class action waiver included in the TrustedID Premier Terms of Use applies to the free credit file monitoring and identity theft protection products, and not the cybersecurity incident.

The first answer reveals that the breach was actually underway for more like 100 days; the second clarifies whether the incident can become the subject of a class action suit, and the answer is "yes."


8-Sep 2017 10:46am PT Update:
An article on Ars Technica points out:

What's more, the website www.equifaxsecurity2017.com, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation of WordPress, a content management system that doesn't provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn't perform proper revocation checks. Worse still, the domain name isn't registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people's details. It's no surprise that Cisco-owned OpenDNS was blocking access to the site and warning it was a suspected phishing threat.

Read the article; there's even more technical incompetence.


* The Top Ten Cyber-Breaches:

  1. Yahoo! - December 2016 - 1 billion
  2. Yahoo! - September 2016 - 500 million
  3. MySpace - May 2016 - 360 million
  4. eBay - May 2014 - 145 million
  5. Equifax - September 2017 - 143 million
  6. Target - November 2013 - 110 million
  7. LinkedIn - May 2016 - 100 million
  8. AOL - October 2007 - 92 million
  9. JP Morgan Chase - October 2013 - 83 million
  10. Anthem - February 2015 - 80 million

About Mark Gibbs

Mark is the author of four best-selling computer networking book titles and was a syndicated journalist and columnist for 24 years writing for Network World, Computer World, and other IDG publications.
