On September 7th, 2017 it was reported that credit reporting agency Equifax was breached. The incident is estimated to effect roughly 140 million Americans. It is alleged that Social Security Numbers, along with other PII (personally identifiable information) were sucked up in the penetration of the company. [Source]
Brain Krebs, investigative journalist of all things cyber crime related, has called Equifax’s handing of their breach a dumpster fire. [Source] It cannot be farther from the truth. This article will highlight some of the issues this breach is causing as well as some of my personal thoughts in the following sections. We’ll start with the discovery and notification of the hack.
The Notification The intrusion was discovered by Equifax on July 29th, 2017 and it was estimated that the attackers were in the system as early as mid May. [Source] The breach was finally made public a little more than a month later since the discovery. With the type of sensitive data that Equifax maintains, personally, it’s grossly negligent and irresponsible to wait a month to let customers know their personal information is at risk. This breach will have long lasting effects on people’s lives. But thankfully, Equifax is offering free credit monitoring, right?
The Fine Print of Monitoring and Useless Tool I have issues with their free credit monitoring. First being it’s only for one year which means an attacker can just wait things out until the monitoring expires and start using your SSN. If this was Target, or Home Depot, and they were popped again with credit card numbers being stolen, a year or two of free credit monitoring may be acceptable. During that period you get a new credit/debit card and there may be some bumps in the road for you, but nothing as severe as the Equifax breach. Unlike getting a new credit card issued to you, getting a new Social Security Number is not a simple task and, according to literature from the Social Security Administration, it may not be the silver bullet solution to stop everything. From the SSA [Source]:
With regards to the fine print, Krebs, as well as several of his readers, pointed out that accepting their terms for credit monitoring also meant that the applicant waives his/her right to sue Equifax [Source]. Equifax then later updated their FAQ section stating that, for this incident, consumers are not waiving their rights to sue the organization. It also appears that their terms were also updated to reflect this.
Now, before you can sign up for Equifax’s credit monitoring service, you have to use their tool to see if you’ve been affected. There are accounts of people saying entering the name of Test and the last six digits of a social security number as 123456 return a positive result, which I can confirm in the screen shot below. I’ve also tried a common last name with the same last six digits. This also resulted in a positive result of being impacted by the breach. Someone then suggested I try something nonsensical, so I entered in some garbage for a last name plus the last six digits of a SSN being 000000. It returned a negative result of being impacted by the breach, but it’s treating the junk name as if it is legitimate. In other words, there is no control in place to say “Hey, this isn’t a real record!” or at the very least “Last name and Last 6 digits do not match.”
How do you trust these results are accurate? What if you typo-ed your last six digits, didn’t realize it, and are told that you’re in the clear? Equifax did not think this through.
The “Test” test
Test result
Garbage test
Garbage test result
Don’t Blame the Vendor As part of the fallout of the breach, Equifax has blamed open source software Apache Struts as the attack vector. [Source] The Apache Struts Project Committee fired back in an article that stated in the first week of September 2017 there was a publicly disclosed vulnerability, which was patched, according to the group. They also made note that since the breach was detected in July, the only way something like this could go unnoticed is if a zero day exploit existed. [Source] A zero day is a vulnerability that the vendor does not know about. This means that Equifax had possibly neglected to patch the install of Struts on their servers for months.
A Call for Accountability and Regulation With companies like Equifax, we entrust them to safeguard our most sensitive data. This is data that impacts if we can get a car loan, a mortgage, or rent an apartment, or file our taxes. Bluntly stated, the breach is severe and may be a mess people are entangled in for years to come. Another question that needs answering is if there are any SSNs of children that were exfiltrated? This means family also need to worry about child identity theft.
There needs to be legal recourse for us when giant organizations retain our protected data such as SSNs, credit card numbers, government identification like drivers licenses, along with other PII like address and birth date. When it comes to my data, or your data, we should not be forced into arbitration as our legal option.
There also needs to be a serious shift in how organizations collect, store, and share our data. How that will look, I do not know. While a meager proposal of requiring users to opt-in to sharing data would be a step in the right direction, what’s the next step? Are there current laws on the books that just aren’t being enforced? Do we need Social Security Numbers to identify us for everything or is there another alternative that would?
File a complaint with your state’s Attorney General about Equifax.
Contact your congressman/congresswoman and push for more consumer protections.
Conclusion As the dust starts to settle, it will be interesting to see how this all plays out. The most important thing is to stay vigilant. Check your financial statements, get your free credit reports, you the tools available to you as the NY State Attorney General suggested.
-B2
Post Script If you do go the route of wanting credit monitoring we have teamed up with LegalShield if you are looking for an option other than Equifax’s offering. Contact us for more information.
