NO SHORTAGE OF LESSONS FROM EQUIFAX DATA BREACH

Photo courtesy of Associated Press

143 million Americans were affected by the Equifax hack.

Earlier this month, the consumer credit reporting agency Equifax announced a devastating data breach that leaked the personal information of 143 million Americans. This information included 209,000 credit card numbers and millions of social security numbers, along with driver’s license numbers, addresses, and phone numbers. In early March, an industry group called the Apache Foundation revealed a critical vulnerability in Equifax’s system, along with a corresponding security update patch. Department-level negligence at Equifax enabled hackers to exploit a well-known and clearly fixable security flaw months later. 

The company released a website for people to check whether their information had been compromised, and declared itself willing to offer free security services to prevent future identity theft. Such compensation appeared satisfactory (albeit rather minimal), until information regarding the company’s unreliable lookup system, exploitative terms, and further security failures was revealed.

While the Equifax website enables checking for information leaks by entering a last name and the final six digits of a social security number, numerous users discovered that inputting bogus names (such as ‘test’) and fake numbers (such as 123456 or 000000) still produced results. Meanwhile, the “free” security services are actually a one-year trial, after which Equifax will automatically deduct charges unless the user cancels her subscription.

Furthermore, district attorneys have discovered clauses in Equifax’s Terms & Conditions stating that an individual waives her right to participate in any class-action lawsuits upon agreeing to participate in the “free” security program — essentially a company protecting its profits under the guise of remittance.

Worsening matters further, Equifax’s underqualified security team chose to host the company’s compensation services under a completely new website domain, which consumers had no way to tell apart from a phishing site. To demonstrate this vulnerability, software engineer Nick Sweeting designed a fake website to impersonate Equifax’s own, and it gathered more than 200,000 hits. Later, Equifax’s official Twitter account directed worried consumers to Sweeting’s website — not once, not twice, but three times.

On the political side, another decision that has come under fire is the company’s announcement of the breach a whole six weeks after discovering it: for reference, European Union law imposes a 72-hour window following discovery within which a public announcement is mandatory. To Equifax’s credit, however, the U.S. Congress failed in 2015 to pass even a mandatory one-month window, meaning that the company’s actions are legal.

The final cherry on top of the messy cake was dropped earlier this month following the launch of an official FTC investigation into insider-trading allegations. Equifax’s IT department discovered the breach on July 29, and within a week, Equifax’s Chief Financial Officer, the president of U.S. Information Solutions, and the president of Workforce Solutions sold more than 13,000 company shares for nearly two million dollars. Furthermore, an anonymous trader purchased the option to sell 260,000 shares at $135 per share despite the company’s stock rising to $139 at the time. Top-level executives at Equifax have denied knowledge of that transaction.

In any case, this breach highlights key problems with many large corporations in the U.S. today: insufficient transparency, inadequate accountability, and inexcusable incompetence. Of course, there are also lessons to be learned for citizens: as we enter the era of cyber warfare, situational awareness and proactive defense have become increasingly important. It’s unclear whether such a public, large-scale breach will ultimately lead to meaningful change in privacy or corporate legislation, but, at this point, there is little more that consumers can do other than obtain an updated credit report and closely monitor it for changes. Consumers can also consider joining a class-action lawsuit, though that will take time to move through the court system.

Let this breach serve as a lesson to companies and citizens alike: information is only as safe as the system protecting it is strong, and, in a world where technology is advancing so rapidly, incompetent humans might just be the weakest link.
