Equifax yet to answer important questions about hack

Lack of answers about breach at credit agency raises experts’ concerns

The Washington Post - PowerPost - By Craig Timberg. Ellen Nakashima contributed to this report.

As pressure builds on Equifax to explain how criminals hacked into a massive trove of data on 143 million Americans, the list of unanswered questions is long. But most boil down to three big ones:

No. 1: What measures did Equifax take to protect personal information?

No. 2: What measures should Equifax have taken to protect personal information?

No. 3: What’s the gap between the answers to Questions 1 and 2?

The credit-rating agency has been so stinting about information on its hack — even after keeping the episode secret from the public for six unexplained weeks after detecting the intrusion — that there’s no way yet to evaluate 1, 2 or especially 3.

But notably absent from the public statements by Equifax have been key terms such as “encryption” or “system monitoring” or “penetration testing.” All are staples of modern online security widely adopted across corporate America and especially within the financial services industry, given the high degree of sensitivity about the information it keeps on us all.

Equifax has not responded to repeated Washington Post requests about the nature of its security measures and whether any of its data was kept in encrypted form. The scant information that has trickled out has outside security experts concerned about the scale of the hack and the sensitivity of the data exposed, including Social Security numbers, birth dates, home addresses, driver’s license information — a virtual starter kit for identity theft.

A breach of “143 million records either suggests a very patient, sophisticated hacker or an incredibly weak security system,” said Matthew Green, a Johns Hopkins University cryptographer and security expert.

The uncommonly stern and detailed letter sent Monday by Sens. Orrin G. Hatch (R-Utah) and Ron Wyden (D-Ore.) — the chairman of the Senate Finance Committee and its ranking Democrat — drove at exactly those issues, warning about the hack’s potential to create massive costs to consumers targeted by identity thieves and “irreparable harm” to government programs that might be inundated with fraudulent requests for refunds or benefits.

“Encrypting this data is obviously an essential first step, but it’s not a silver bullet,” Wyden said in a statement to The Post. “Companies that hold Americans’ most sensitive personal data have to make security the top priority at every single stage. That means having the staff and resources to protect our personal information, and regularly conducting security audits, patching software and quickly fixing flaws discovered by outside experts.”

The White House appears to be on a similar track. President Trump’s homeland security and counterterrorism adviser, Thomas Bossert, summoned the chief executives of the nation’s two other leading credit agencies, Experian and TransUnion, on Monday to discuss whether their systems are hardened against an attack similar to the one that struck Equifax, according to people familiar with the meeting who spoke on the condition of anonymity to discuss the private talks. (Neither company replied to requests for comment from The Post on Tuesday.)

There also are committee hearings and investigations brewing on Capitol Hill, as well as several class-action suits filed on behalf of the hack’s victims. Taken together, the political and legal action related to this breach has clouded the future of Equifax, an Atlanta-based company that collects and analyzes the data of 820 million consumers and 91 million businesses in 24 countries.

The company has seen its stock fall about 20 percent since announcing the breach on Thursday. It discovered the intrusion, which the company believes started in May, on July 29 — a delay that also has upset some lawmakers who have long pushed for more prompt and fulsome reporting about hacks.

“These are very complicated issues, and we expect to be engaging with regulators and legislators in the future,” Equifax said in a statement provided Tuesday. “Senators Hatch and Wyden raise many topics in their letter on behalf of the U.S. Senate Finance Committee, and we plan to be responsive in helping them to gather the information the Committee needs about this situation.”

The massive breach by the Chinese government of the Office of Personnel Management databases should have served as a wake-up call about the security risks of sensitive personal information, said Anthony J. Ferrante, head of cybersecurity and senior managing director for FTI Consulting and a former White House cybersecurity official in the Obama and Trump administrations.

“The OPM breach should have taught us a very valuable lesson — that if entities are going to store this type of sensitive personal data, they have to take the necessary steps to protect it,” Ferrante said.
