Equifax Was Warned (vice.com)

Lorenzo Franceschi-Bicchierai, reporting for Motherboard: Months before its catastrophic data breach, a security researcher warned Equifax that it was vulnerable to the kind of attack that later compromised the personal data of more than 145 million Americans, Motherboard has learned. Six months after the researcher first notified the company about the vulnerability, Equifax patched it -- but only after the massive breach that made headlines had already taken place, according to Equifax's own timeline. This revelation opens the possibility that more than one group of hackers broke into the company. And, more importantly, it raises new questions about Equifax's own security practices, and whether the company took the right precautions and heeded warnings of serious vulnerabilities before its disastrous hack. Late last year, a security researcher started looking into some of the servers and websites that Equifax had on the internet. In just a few hours, after scanning the company's public-facing infrastructure, the researcher couldn't believe what they had found. One particular website allowed them to access the personal data of every American, including social security numbers, full names, birthdates, and city and state of residence, the researcher told Motherboard.
  • by Lucas123 ( 935744 ) on Thursday October 26, 2017 @11:01AM (#55437449) Homepage
    Equifax is a company that collects sensitive financial information without permission from consumers and shares it with financial services companies. Its cybersecurity should be the physical equivalent of Ft. Knox. This multi-billion-dollar company has no excuse for allowing such a flagrant breach of its data.
    • Re: (Score:2, Informative)

      by Kenja ( 541830 )
      No worries, Trump & Co repealed the legislation that would let us file class action lawsuits against them. So Equifax will be fine.
      • by atrimtab ( 247656 ) on Thursday October 26, 2017 @11:23AM (#55437679)

        Except most of the harmed never signed any agreement that includes FORCED ARBITRATION in their relations with Equifax, because the harmed are NOT Equifax customers. That means that all affected US citizens who are not Equifax customers CAN sue directly or via class action.

        The issue will be showing that you were damaged specifically by Equifax's negligence. They will likely defend themselves via all the reports of the similar losses of the same and similar personal data through other corporations' also piss-poor security practices.

        It will be very hard for any specific individual or class to show losses specific to Equifax. Sure, you may be able to show identity theft and losses because of it, but was that specifically because of Equifax? Good luck proving that.

        Equifax certainly does deserve the "Corporate Death Penalty." But there are many ways for them to avoid it, followed by a fresh coat of paint and likely a new name. Just watch....

        Today there is no such thing as a responsible corporate citizen. There probably never was.

        • by AvitarX ( 172628 ) <me AT brandywinehundred DOT org> on Thursday October 26, 2017 @11:39AM (#55437825) Journal

          Yeah, but the only way to cripple Equifax would be to make it toxic to do business with them.

          The real message would be class action against the banks that hand over the information to places with poorly vetted security.

          • Another way to cripple Equifax is to freeze our credit reports, which denies Equifax the income it makes from charging corporations for our data.
        • FINALLY! All of the shit that Equifax has never been able to correct on your file, such as the spelling of your first name as an 'alias' or the incorrect zip code of your first apartment, will finally come in handy! When someone applies for a new student loan under "Hataple from Cleevland California 65108" and is approved, they get full force. This could come in handy especially since they have consistently been the most difficult to correct information. Transunion was the most difficult to get a credit report f
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      I don't really care whether they were warned or not. I care about tearing apart the existing social security number as an authentication mechanism. Equifax has destroyed that for us; we need to deal with the reality that it needs to be changed out with something better ASAP. (Whether it's a smart card, or just a longer number system with new numbers or something. It's been due for a revamp for decades. The problem with revamps is that typically they allow legacy systems to exist. We need to kill it with fi

    • by saltydogdesign ( 811417 ) on Thursday October 26, 2017 @11:49AM (#55437911)

      This is a classic example of perverse incentives. Equifax gets paid when people need fraud protection (directly and indirectly), so the more cavalierly they handle consumer data, the better off they are.

      • by msauve ( 701917 )
        Equifax should have been regularly checking freesecuritycheck.com.
      • And this is why Equifax needs to be sued and go bankrupt, handing all of its money to the people who got their information stolen. It won't be much per person, so it is not even fair for the people, but it will be the only fair measure, as well as an important step for the future.

        Business school will then teach "Security is important, remember the Equifax case ...".

        And yes, I'm aware everyone at Equifax will lose their jobs, but that's the kind of decision that needs to be made.

    • by gweihir ( 88907 )

      While true, those that messed up will not suffer much in the way of consequences. And that is why this thing will continue.

  • Enron them (Score:1, Insightful)

    by mi ( 197448 )

    They ought to be on the hook for damages to every person affected — with a meaningful minimum even for those of us, who can not demonstrate actual harm. Just because my details are now accessible to anyone anonymously.

    Yes, it will bankrupt them, and that'd be a good thing. Have them go the way of Enron and Ashley Whatshername...

    • Have them go the way of Enron and Ashley Whatshername...

      Equifax is a "systemically important financial institution" like AIG, according to FedGov. You are (paradoxically) asking for bailouts, more risky behavior, and creeping fascism [econlib.org].

      • by mi ( 197448 )

        Equifax is a "systemically important financial institution" like AIG, according to FedGov.

        So would've been Enron, if we had this ruinous (and, yes, fascist) concept back then.

        You are (paradoxically) asking for bailouts

        I most certainly am not.

  • This smells of Class Action Lawsuit !

    Or more than one...

  • I think we need private and governmental bodies where people can submit complaints about security vulnerabilities.

    Governmental body: Something like the CFPB but for security and privacy related concerns.

    Private watchdog groups: We also need an org that exists that can be notified whenever a security or privacy vulnerability is reported to a company. Such a group could keep track of info, be designated as a proxy to be provided with updates/responses on when and if a security or privacy vulnerability is be

    • With the system we have, those watchdogs will fall to regulatory capture, and at best, be a rubber-stamping department.

      The only thing that really can break this trend is Europe's GDPR. Time will tell if it actually will get companies to do something about security, or if it winds up being a joke, like SOX (where it was used to jail a guy who ran over his fishing bag limit at its best.) I'm sure BRICS will have similar laws on the books soon, because they want to stick it to US companies, so even that migh

  • This is exactly why such personal information collection should be illegal. Of course there wouldn't be a problem if companies applied proper security measures, but that's exactly the problem: there will never be appropriate security measures in place. Ever. Period. No amount of legislation will ever change that. History has shown time and time again that hackers will always win. The consequences of such information falling into the wrong hands are just too great.

    So until the system is changed in a way that

    • There is a way to have enough data for a transaction, but no more. A certificate based system, where one's ID card just validates the cardholder is whom they claim to be, and is a repository for certificates. For example, a certificate showing the person is over age 21. That way, they can go to a bar in the US, and the cert provides what the bar needs to know to comply with the law. The bar doesn't need names, ages, or anything else. Just that the bearer is over 21.

      This could be extended to a lot of ot
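The minimal-disclosure credential sketched in the comment above (an ID card that proves only "over 21" to the bar) can be modelled with salted hash commitments: the issuer signs a list of claim hashes, the holder reveals just one claim plus its salt, and the verifier checks that the revealed claim hashes into the signed list. The following is an added example, not code from the post or from any real identity system; it assumes a shared issuer key used with HMAC as a stand-in for the public-key signature a real certificate would carry, and all claim values are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed issuer key: stands in for the issuer's signing key. A real system
# would use a public-key signature so that verifiers hold no secret at all.
ISSUER_KEY = b"constructed-issuer-key-for-demo-only"


def _claim_digest(salt, name, value):
    """Hash one claim together with a random salt, so a verifier who sees only
    the digest list cannot brute-force low-entropy claims such as birthdates."""
    payload = json.dumps([salt, name, value], sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def issue_credential(claims):
    """Issuer side: commit to every claim by a salted hash and sign only the
    sorted list of digests. Returns (signed credential, holder-only disclosures)."""
    disclosures = {name: (secrets.token_hex(16), value) for name, value in claims.items()}
    digests = sorted(_claim_digest(salt, name, value)
                     for name, (salt, value) in disclosures.items())
    body = json.dumps({"digests": digests}, sort_keys=True)
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}, disclosures


def present(credential, disclosures, reveal):
    """Holder side: hand over the signed credential plus only the requested claims.
    Name, birthdate and everything else stay on the card."""
    return {"credential": credential,
            "revealed": {name: disclosures[name] for name in reveal}}


def verify_over_21(presentation):
    """Verifier side (the bar): check the issuer signature, then check that an
    'over_21': True claim is among the signed digests. Nothing else is learned."""
    cred = presentation["credential"]
    expected = hmac.new(ISSUER_KEY, cred["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return False                      # forged or altered credential
    digests = set(json.loads(cred["body"])["digests"])
    revealed = presentation["revealed"]
    if "over_21" not in revealed:
        return False                      # holder did not disclose the claim
    salt, value = revealed["over_21"]
    # The value must be True AND its salted hash must be one the issuer signed;
    # a holder cannot swap False for True without breaking the digest match.
    return value is True and _claim_digest(salt, "over_21", value) in digests


if __name__ == "__main__":
    # Constructed cardholder data; only the over_21 claim ever leaves the card.
    cred, held = issue_credential({"name": "A. Person", "dob": "1990-01-01", "over_21": True})
    shown = present(cred, held, ["over_21"])
    print("bar accepts:", verify_over_21(shown), "| revealed:", list(shown["revealed"]))
```

The verifier's decision depends on one signed digest list and one disclosed claim; the holder chooses which claims to reveal per transaction, which is the "enough data for a transaction, but no more" property the comment describes.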

      • by mccrew ( 62494 )

        From a technical point of view, you are of course correct.

        But the sad, unfortunate truth is that even hard core techies haven't been able to do this among ourselves. We could use certificates and PGP (or GPG) to secure our communications, but who in real life actually does that? If we can't do it, how can one expect the increasingly dumbed-down masses to?

        To your point on small, scattered databases: gathering them all into a single point of contact sounds like a business plan that would easily get funded

      • You have proposed a

        (x) technical
        ( ) legislative
        ( ) market-based
        ( ) vigilante

        solution to fighting fraud.

        Specifically, your plan fails to account for:

        (x) people are dicks
        (x) average people won't understand it
        (x) companies will fuck up the implementation
        ( ) Microsoft will not put up with it
        ( ) The police will not put up with it
        ( ) Requires too much cooperation from spammers

        Furthermore, this is what I think about you:

        (x) Sorry dude, but I don't think it would work.
        ( ) This is a stupid idea, and you're a stupid

  • The people responsible for making decisions at Equifax are completely and totally incompetent and/or have a total disregard for the consequences to the people whose data was allowed to remain at risk. So far as I'm concerned there's no yard-arm high enough to hang them all from, and hanging is actually too good for them; they should be drawn, quartered, the pieces convicted, and buried face-down in unmarked shallow graves. If you're getting the idea that this is pissing me off, you are most certainly correc
    • You're angry and you should be. But this rabbit-hole is a lot deeper than some guys at Equifax - in short, Equifax doesn't owe you, the consumer, anything. They aren't charged with protecting you, like the way a cop has a duty to protect you from a criminal, or a soldier is charged not to aid and comfort the enemy. Equifax has all their data because banks, whom you entrust with your money and from whom you borrow money, give it to them. They store it, perform analytics on it, and sell it back to the bank

      • With all due respect, I think that's a bunch of bullshit. There HAS to be something that can be done about this or our entire economy could come crashing down. Legislators, judges, and law enforcement will FIND ways to punish them. If not, then there's no point in living anymore, because then we're just being ass-raped by everyone and what sort of quality of life is that?
        • With all due respect, I think that's a bunch of bullshit. There HAS to be something that can be done about this or our entire economy could come crashing down. Legislators, judges, and law enforcement will FIND ways to punish them.

          With likewise respect, the power is in the legislators. Unless there's a consumer protection law that's been broken, there's little that judges and courts can do short of people just plain suing, such as in a class-action. But in the latter you have to prove harm, prove that Equifax caused the harm, and prove that Equifax had a duty not to cause the harm - and prove all of this to a jury. With Enron, it was easy because $billions were lost in fraud, plain lying about how much money they had, lied about wh

    • Honestly, we want scapegoats, but in this case, we have some semi-reasonable ones. Every CISSP C***P CSISPD* blah blah certified anything security down to Security+ should be stripped of the cert. As the case unravels over the next 5 years, only keep those who were in positions to say something or do something who neglected to do so, with this blight on his or her resume, and every else can try to piece his or her life back together. Honestly, they will be in the same boat as a good portion of the people wh
  • by ErichTheRed ( 39327 ) on Thursday October 26, 2017 @11:34AM (#55437767)

    I've worked in big companies for a long time and I'm not surprised. The IT security people are usually in-house, but I wouldn't be shocked if they were offshore or totally outsourced. When the IT security team is contacted by a "researcher" telling them something's vulnerable, big IT departments will take forever to put anything into place. First the security team has to run it up the flagpole to their management, then their management has a meeting to decide what course of action to recommend to the server team. The server team (who also may be offshored or outsourced, which introduces more delays) will be told that they have a vulnerability to patch. Application owners affected will need to be contacted to determine when a good time to patch will be. Worse still, if it's a shared service like a service bus or core application component, you have to coordinate that among all the systems' users. Only then can a change management notice be raised, then discussed at the Change Approval Board meeting, then scheduled. At any point, this can also be delayed by the application owner saying they can't take the downtime.

    I'm sure all the DevOps kids will say "dude, just put it in the cloud and CI/CD it...we release 20 times a day!" Legacy financial systems are a different animal. You might be able to release the web front-ends to a system like that 20 times a day, but big company IT's complexity and culture make it hard to apply this to the core.

    • by Lodragandraoidh ( 639696 ) on Thursday October 26, 2017 @01:14PM (#55438623) Journal

      You hit upon the real problem: companies put more focus on the bottom line than on doing what is right for their customers. Hence operating with a minimal IT workforce, and resorting to off-shoring and other cost-saving methods that directly impact their ability to deliver quality code, and more importantly to keep it updated to avoid zero-day exploits (as studies have found most zero-day exploits take 6 months to a year to find and a fix to be coded, yet the average time for systems in the wild to be updated is 3 to 5 years). IT should know every piece of code that is placed in the network and its source.

      So, what's the fix, aside from reforming corporation and stock market rules? Corporations need to know that if they don't take security seriously there will be bad outcomes for them. Lawsuits are one mechanism for this. Another is through customer choices - boycott companies that don't take security seriously. For corporations that actually want to make changes to deal with this correctly, IT culture needs to change in the following ways:

      * IT should know every piece of code that is placed in the network and its source. This means having an absolutely clear understanding of every library, framework, and any non-standard custom extensions deployed. This will serve two purposes. On the one hand it will ensure that IT is being proactive about patching to avoid zero day exploits. On the other hand it will drive simplification and good software engineering; another way of saying this is KISS (Keep It Simple, Stupid). The more complex systems you put into place - and more importantly the more that complexity comes from code that is generated outside of your own organization, the more likely there are for bugs (potentially exploitable zero days) to exist within the overall code base.

      * IT costs need to be viewed as a cost of doing business, rather than something that can be dispensed with or minimized. To do security right takes resources, and this has increased relevance not only with breaches that we've seen happening, but also to meet corporate requirements from a legal and regulatory perspective (e.g. Sarbanes-Oxley). Costs can be managed, if companies are willing to invest in building automation to help them manage what they've got - and doing that first item above (weeding out overly complex designs).

      * IT needs to also change their culture from what I call a 'shrink-wrapped' software mentality - where software is thrown over the wall to operations and the developers walk away and never work on it again, to a culture that values long term developer ownership and maintenance of systems they have created in partnership with operational teams. This is related to something else that I see a lot of in IT: brain drain. Basically, due to the nomadic existence of developers in an organization either through rotation or vendor outsourcing, long term knowledge of integration between existing systems and new development is lost every year to 18 months - breaking the ability of the company to quickly patch or otherwise modify systems in response to security issues or simply the need for responses to competitive forces.

      We could transform IT from a necessary burden to a much needed and appreciated partner in business. But, that will require the decisiveness on the part of CTOs, and CEOs to dedicate resources to that specific mission.
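The first item in the list above (know every library, framework and extension in the network, and its source, so that patching can be proactive) is the kind of thing a small inventory audit can enforce. The following is an added example, not code from the comment or from any Equifax system: it joins a constructed component inventory against a constructed list of fix advisories and reports components whose origin nobody recorded or whose version predates a known fix. Component names, versions and advisories are all made up for the demo, and the version comparison assumes plain dotted numeric versions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    origin: str      # vendor, internal repo, etc.; "" means nobody could say


@dataclass(frozen=True)
class Advisory:
    name: str
    fixed_in: str    # first version that carries the fix


def parse_version(text):
    """Turn '2.3.1' (or '2.3.1-rc2') into a comparable tuple of integers.
    Assumption: the leading dotted numeric part is what determines ordering."""
    numbers = re.findall(r"\d+", text.split("-")[0])
    return tuple(int(n) for n in numbers)


def audit(inventory, advisories):
    """Return a list of (component name, finding) pairs.

    Two findings are raised, matching the two halves of the comment's point:
    'unknown-origin' when the inventory cannot say where code came from, and
    'unpatched' when a deployed version is older than an advisory's fix."""
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv.name, []).append(adv)

    findings = []
    for comp in inventory:
        if not comp.origin.strip():
            findings.append((comp.name, "unknown-origin"))
        for adv in by_name.get(comp.name, []):
            if parse_version(comp.version) < parse_version(adv.fixed_in):
                findings.append((comp.name, f"unpatched: fixed in {adv.fixed_in}"))
    return findings


# Constructed inventory and advisories for the demo (not real projects or CVEs).
SAMPLE_INVENTORY = [
    Component("web-framework", "2.3.1", "vendor download, checksum on file"),
    Component("json-lib", "1.0.4", ""),                 # nobody knows where it came from
    Component("template-engine", "4.2.0", "internal mirror"),
    Component("auth-shim", "0.9.7-rc2", "contractor delivery, no source"),
]

SAMPLE_ADVISORIES = [
    Advisory("web-framework", "2.3.5"),     # deployed 2.3.1 is behind the fix
    Advisory("template-engine", "4.1.0"),   # deployed 4.2.0 already carries the fix
    Advisory("auth-shim", "1.0.0"),         # deployed 0.9.7 is behind the fix
]


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        print(f"{name}: {finding}")
```

Run against the sample data this flags web-framework and auth-shim as behind their fixes and json-lib as having no recorded origin, while template-engine passes. The useful property is that the check is only as good as the inventory feeding it, which is exactly why the comment insists IT must know every piece of code and where it came from.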

      • You will have to publicly hang a very large number of CxOs before you get ANY of this. In all probability, even a return visit from Mme Guillotine would not bring it about.

        In fact, I can confidently predict the organisations involved will plead "not guilty by reason of corporate insanity" - and that will be extremely difficult to refute.

    • Three points however.
      1) Equifax doesn't have "financial" systems. They are an information broker.
      2) I don't think Equifax has really been around long enough to have what I would consider "Legacy" systems.
      3) Even if you could consider them either #1 or #2, typically the security and the security vulnerabilities are not going to be located on the systems themselves, but rather how they are connected to the outside world, which also would be neither #1 or #2.

      Disclaimer: I manage a lot of real legacy sy

  • by 140Mandak262Jamuna ( 970587 ) on Thursday October 26, 2017 @11:37AM (#55437791) Journal
    If the warning was anything other than, "Danger CEO your stock options are under peril", they would pay no attention to it.
  • Seemingly never mentioned in this or other major (OPM) hacks - could the hackers have altered the data, even changed timestamps/logs to cover their tracks?
    Could it be proved either way? Speaking of a real can of worms legally, can one now challenge that data if you don't like it under the assumption it's been hacked?
    Could you get a security clearance via hacking OPM? Ramifications are interesting here. If one had content of both, they'd know who to blackmail as well. And these are the guys who want
  • Didn't the US Government just approve that Equifax can no longer be sued into oblivion? Why the hell should Equifax (or any other company) even give a shit about security at all anymore? They fuck up, get raises, and live long, happy lives.
  • A reasonable way for policing these kinds of breaches is to enact legislation requiring those companies pay each and every person whose identity was leaked a reasonable compensation. In my case, that would be about $120 per year as I've already had to close hacked accounts, change personal data and hire an independent identity management firm to clean up the mess and control future issues. 145m x $120 = bankruptcy for Equifax. Sounds good to me.
  • However, the sad fact of the industry is that a great many (though not all) organizations are told over and over by those who know internally of the risks.

    But security is hard. There is no room for cutting corners. You either have partitioned networks, or not, locked down firewalls, or not, encryption, or not, and so forth. But too often, cuts are made for expediency. When good, fast, or cheap is chosen in such domains, you don't usually even get to chose two: you get to chose one. And too often, the d

    • Equifax's performance goes far beyond this. A totally unsecured web page, that allowed ANYONE to retrieve information. This isn't cost-cutting, it is willful criminal negligence.
      • Cost amputation, then, if you want. But the fact that they cut so deep as to be criminally negligent does not undermine the basic argument that in the eyes of those who have the final say in what is resourced and paid for and what is not, there is no significant penalty for security breaches, but there is a penalty for paying the high cost of good security.

  • by l0n3s0m3phr34k ( 2613107 ) on Thursday October 26, 2017 @01:26PM (#55438689)
    Further deregulation will lead to even MORE piss-poor security situations like this. Our lawmakers are, at this point, willfully negligent to the point of being criminally culpable. This same situation happens again and again, at various private and government places, and yet nothing is really done. Oh, a law or two might be passed that says "unauthorized access is illegal" yet nothing dictating that any real effort must be done to stop said unauthorized access. Even if we passed a law to force some level of IT security, we lack the backbone to actually do any enforcement.

    The US doesn't even have a current Cabinet-level person doing anything related to security in a real way. "Giuliani Security & Safety" does NOT count. Rob Joyce has TWO full time jobs, one as the "White House Cybersecurity Coordinator" and another as "acting deputy homeland security adviser to the President". While those may have overlapping duties, it's obvious that cybersecurity needs to be its own separate gig. I would even go so far as to say we need a "Commercial Cybersecurity Czar" to separate out the government vs public, as these are quite different in scope and approach.

    However, seeing the kind of people Trump likes to appoint, I would expect someone who thinks cybersecurity is a "hoax" and believes that corporations will be forced to secure themselves "if only allowed to by the invisible hand of the free market"; who would then nullify HIPAA and censure / fire / dismantle the part of NIST that writes the 800 series.
  • When you prioritize diversity hiring and your Chief Security Officer has no professional training in IT Security.