Equifax spill latest nail in privacy coffin
Hack of personal data won’t be the last massive data breach
As details emerge of the massive spill of personal, sensitive information on 143 million people, mostly in the United States, at Equifax it’s hard to come to any other conclusion than that the company didn’t have the technical competence to hold the data.
First, the hackers didn’t have to work very hard to siphon off the credit reporting company’s databases.
They were able to use an easily exploitable vulnerability in a framework called Apache Struts, that is used to build web apps.
By easy I mean the attackers were able to issue system commands to the Equifax server remotely without anyone noticing, thanks to the software bug.
That bug had security vendors and systems administrators in full panic mode at the beginning of March, because bad people were already using it all over the internet.
Equifax claims it saw the reports about the bug and started patching their computers against it.
That’s a strange statement because at the same time, Equifax says they didn’t spot until the last day of July this
The hackers didn’t have to work very hard to siphon off the credit reporting company’s databases.
year that their systems had been broken into using that same vulnerability.
Oh, and whoever rummaged through their servers did so for a month and a half prior to the break-in being discovered.
After the hack was revealed, Equifax managed to shoot itself in the other foot by mishandling the very feature that was meant to protect people’s credit records and personal details from being accessed by random people.
Its credit freeze mechanism used date and time stamps as personal identification numbers for applicants. Such PINs are easy to guess and Equifax had to scramble to change them to more random ones.
Victims, regulators and politicians are up in arms about the huge data breach and understandably so: among other things, the information stolen can be abused for identity theft which can ruin people’s lives.
People already worried about the May-July data breach won’t be happy to hear there was an earlier hack in March this year that we’re still waiting for the full details on.
There’s no doubt that Equifax will suffer consequences for the hack.
Its chief information and security officers have left, and lawyers are circling Equifax smelling lucrative class action lawsuits.
That’s ambulance at the bottom of the cliff stuff which is little use to people whose private information is now traded on the dark web for profit.
Equifax won’t be the last massive data breach either. I’ve been told to expect details in less than a week of another leak that will make Equifax look tiny.
It’s a safe bet the new hack will be down to an obvious technical fumble that should never have happened, but which did. We can’t really protect ourselves against that.
IT company Sun Microsystems is gone but co-founder Scott McNealy was right when in 1999 he said “you have zero privacy anyway; get over it”.
I don’t think McNealy imagined an immediate future where people’s privacy is at the mercy of incompetents running increasingly powerful technology though.