EQUIFAX KNEW OF SECURITY FLAW FOR HALF A YEAR AND DID NOTHING
The news about Equifax and its massive data breach just gets worse and worse. As the story continues to evolve, it is ever clearer that Equifax did no due diligence to address the security issue, which makes its delay in informing the public all the more disgraceful. Equifax was informed of the security hole and did nothing for six months.
EQUIFAX ONLY FIXED VULNERABILITY AFTER MASSIVE SCALE HACK, WAITED 41 DAYS TO INFORM PUBLIC OF BREACH
To flesh it out, we now know that Equifax was warned about a vulnerability in its publicly accessible infrastructure that would allow almost anyone to access the data. From what is now understood, it looks quite clear that the company took no action. This means that Equifax only patched the hole after the data was stolen. It then sat on the situation and waited another 41 days after discovering the issue before informing the public. That is the definition of a travesty and an abrogation of Equifax’s basic responsibility.
QUESTIONS NOW THAT BREACH WAS FAR LARGER IN SCALE, POSSIBLE THAT SEVERAL BREACHES OCCURRED
This new and incendiary information was first reported last week by Motherboard, which spoke with the security researcher who first discovered the vulnerability and reviewed evidence of their find. The revelation raises further questions about the breadth of the exposure, the site says, and also suggests that more than one hacking group may have had access to the data.
The researcher has requested anonymity, and the media have not yet independently confirmed the findings. After discovering the vulnerable Equifax website, Motherboard reports, the researcher quickly realized that it provided broad access to the personal data of millions upon millions of Americans—names, dates of birth, social security numbers, and more. This will quite likely snowball into an ever-expanding scandal.
BREACH INVOLVED A SIMPLE SEARCH, AND MILLIONS OF PRIVATE ACCOUNTS APPEARED INSTANTLY
“All you had to do was put in a search term and get millions of results, just instantly—in cleartext, through a web app,” the anonymous researcher reportedly said.
The degree of Equifax’s clusterf%$!k is well documented already. Adding more credence to the researcher’s information, previous analysis of Equifax’s infrastructure had revealed a sprawling network of still-unsecured servers.
Further, Equifax’s former CEO Richard Smith—who “retired” after the breach came to light—then admitted to Congress that the company had failed to patch a critical Apache Struts vulnerability, one that the Department of Homeland Security had warned the company about months before the attack.
TIME FOR EQUIFAX TO RECEIVE THE CORPORATE PINK SLIP? A DANGER TO CONSUMERS AND THE MARKET?
Spinning desperately, Equifax has attempted to pin the blame for the epic screw-up on a single employee; however, it is crystal clear that a breach of this extent is simply too large to be blamed on any one person. In fact, the idea that a single employee could have been tasked with securing the agency’s wealth of personal data is, on its own merits, an admission of incompetence.
Further, the company’s response to the breach has in itself been a disaster of almost equal proportions—from first launching a website that makes it easier to phish customers to then redirecting victims to a malware-laden site. This latest news only adds to the mountain of errors, further evidence that it might be best at this point if Equifax were simply no longer allowed to exist, as it is an ongoing hazard to the public.
Unsurprisingly, Equifax did not respond to a request for comment on these latest developments.