Equifax is expected to pay up to $700 million over its 2017 breach, which affected roughly 150 million people, per the Federal Trade Commission (FTC). If the company pays the full $700 million, that works out to roughly $5.00 per person, the equivalent of a cup of coffee from Starbucks. Personally, we don’t think this goes far enough, since people’s lives depend on their credit score for employment eligibility, housing, and access to loans, for starters.
The deal also requires more changes to how Equifax handles private user data. For example, the company will have to adjust its information security protocols, including annual assessments of security risks and receiving the board’s certification attesting that the company has complied with the FTC’s order. [Source]
Let’s talk about the adjustments to the security protocols. In an article we wrote shortly after the breach, Equifax blamed open source software vendor Apache for a vulnerability in its Struts platform. However, based on the timing of events that we laid out in that article, one can draw the conclusion that Equifax simply did not address the Struts vulnerability in an appropriate manner. Then there is Equifax’s Argentina property, where the username and password for one of its employee portal tools were “admin” and “admin.” This seems like willful negligence [Source]. And what exactly will the annual assessment of security risks look like? Will it be a vulnerability scan run against their assets, or will there be a comprehensive pentest? Are they going to change their patch management process to ensure that a complex update, such as one for Apache Struts, doesn’t fall through the cracks? Are they going to ensure that the platforms they use aren’t left with some of the most commonly known default passwords? Will this settlement also change how the other credit reporting bureaus do business? How do we as citizens hold Equifax, TransUnion, and Experian accountable for our Social Security Numbers, driver’s licenses, and other sensitive data? As you can see, we have more questions than answers. Which leads us to the next question.
Where is the stolen data? As of the beginning of this year it hasn’t surfaced, and intelligence experts believe this is a nation-state espionage operation. Or, a simpler explanation is that those who have it are lying low, as noted in CNBC’s February 2019 article [Source]. It’s important to hold accountable those who possess this data, because this type of breach will affect people’s lives for many years to come.
If you had the opportunity to ask Equifax and the FTC questions, what would you want to know? Fill out our contact form, because we’re curious what your thoughts are.