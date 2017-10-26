Equifax Was Warned (vice.com) 37
Lorenzo Franceschi-Bicchierai, reporting for Motherboard: Months before its catastrophic data breach, a security researcher warned Equifax that it was vulnerable to the kind of attack that later compromised the personal data of more than 145 million Americans, Motherboard has learned. Six months after the researcher first notified the company about the vulnerability, Equifax patched it -- but only after the massive breach that made headlines had already taken place, according to Equifax's own timeline. This revelation opens the possibility that more than one group of hackers broke into the company. And, more importantly, it raises new questions about Equifax's own security practices, and whether the company took the right precautions and heeded warnings of serious vulnerabilities before its disastrous hack. Late last year, a security researcher started looking into some of the servers and websites that Equifax had on the internet. In just a few hours, after scanning the company's public-facing infrastructure, the researcher couldn't believe what they had found. One particular website allowed them to access the personal data of every American, including social security numbers, full names, birthdates, and city and state of residence, the researcher told Motherboard.
Except most of the harmed never signed any agreement that includes FORCED ARBITRATION in their relations with Equifax, because the harmed are NOT Equifax customers. That means that all affected US citizens who are not Equifax customers CAN sue directly or via class action.
The issue will be showing that you were damaged specifically by Equifax's negligence. They will likely defend themselves via all the reports of the similar losses of the same and similar personal data via other corporations' similarly piss-poor security practices.
It will be very hard for any specific individual or class to show losses specific to Equifax. Sure, you may be able to show identity theft and losses because of it, but was that specifically because of Equifax? Good luck proving that.
Equifax certainly does deserve the "Corporate Death Penalty." But there are many ways for them to avoid it, followed by a fresh coat of paint and likely a new name. Just watch....
Today there is no such thing as a responsible corporate citizen. There probably never was.
Yeah, but the only way to cripple Equifax would be to make it toxic to do business with them.
The real message would be class action against the banks that hand over the information to places with poorly vetted security.
This is a classic example of perverse incentives. Equifax gets paid when people need fraud protection (directly and indirectly), so the more cavalierly they handle consumer data, the better off they are.
Apache Struts had plenty of quality control. The bugs in question were patched LONG before any breach. The fact that it's open source is what enabled a third-party security company to discover and report the security vulnerability so quickly.
It's a double-edged sword, since not patching your systems means that vulnerabilities are published for all to see. But the patch was available.
It doesn't matter what you use if you don't patch it.
That's why I prefer commercial software with well established quality control.
And what commercial software is that? It's not like all commercial software has great quality control. Have a look at this month's security bulletins from the likes of Oracle [oracle.com], Microsoft [microsoft.com], etc. Also, in the case of Struts, it had been patched months prior to the intrusion.
They ought to be on the hook for damages to every person affected — with a meaningful minimum even for those of us who cannot demonstrate actual harm. Just because my details are now accessible to anyone anonymously.
Yes, it will bankrupt them, and that'd be a good thing. Have them go the way of Enron and Ashley Whatshername...
This smells of Class Action Lawsuit !
Or more than one...
I think we need private and governmental bodies where people can submit complaints about security vulnerabilities.
Governmental body: Something like the CFPB but for security and privacy related concerns.
Private watchdog groups: We also need an org that exists that can be notified whenever a security or privacy vulnerability is reported to a company. Such a group could keep track of info, be designated as a proxy to be provided with updates/responses on when and if a security or privacy vulnerability is be
With the system we have, those watchdogs will fall to regulatory capture, and at best, be a rubber-stamping department.
The only thing that really can break this trend is Europe's GDPR. Time will tell if it actually will get companies to do something about security, or if it winds up being a joke, like SOX (where it was used to jail a guy who ran over his fishing bag limit at its best.) I'm sure BRICS will have similar laws on the books soon, because they want to stick it to US companies, so even that migh
There is a way to have enough data for a transaction, but no more. A certificate based system, where one's ID card just validates the cardholder is whom they claim to be, and is a repository for certificates. For example, a certificate showing the person is over age 21. That way, they can go to a bar in the US, and the cert provides what the bar needs to know to comply with the law. The bar doesn't need names, ages, or anything else. Just that the bearer is over 21.
This could be extended to a lot of ot
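The age-check certificate described in the comment above, worked through as an added example (not the commenter's code, and not any real ID-card scheme): an issuer, assumed here to be a hypothetical "dmv.example", signs a credential that carries only the holder's public key, the claim "over21" and an expiry; the bar hands the holder a fresh nonce and checks the issuer signature, the expiry, the nonce and a proof that the holder controls the bound key. Ed25519 and JSON encoding are my choices, and the seed-derived keys are for the demo only.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is the only thing the issuer signs. It carries no name, birthdate
// or address: just the claims the relying party needs, the holder's public key
// they are bound to, and an expiry (Unix seconds).
type Credential struct {
	Issuer    string            `json:"iss"`
	HolderKey ed25519.PublicKey `json:"sub"`
	Claims    map[string]bool   `json:"claims"`
	NotAfter  int64             `json:"exp"`
}

// SignedCredential is what the holder keeps on the "ID card".
type SignedCredential struct {
	Cred Credential
	Sig  []byte // issuer's Ed25519 signature over Cred.bytes()
}

// Presentation is what the holder hands the bar: the credential plus a
// proof-of-possession over a nonce the bar chose, so a copied credential
// cannot be replayed by someone without the holder's private key.
type Presentation struct {
	Cred  SignedCredential
	Nonce []byte
	Proof []byte
}

// TrustStore maps issuer names to the public keys the verifier trusts.
type TrustStore map[string]ed25519.PublicKey

// bytes returns the canonical bytes to sign; encoding/json writes struct
// fields in declaration order and sorts map keys, so this is deterministic.
func (c Credential) bytes() []byte {
	b, err := json.Marshal(c)
	if err != nil {
		panic(err) // cannot happen for these field types
	}
	return b
}

// KeyPairFromSeed derives a deterministic Ed25519 key pair from a seed string.
// Demo only: real deployments generate keys from crypto/rand.
func KeyPairFromSeed(seed string) (ed25519.PublicKey, ed25519.PrivateKey) {
	s := sha256.Sum256([]byte(seed))
	priv := ed25519.NewKeyFromSeed(s[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// Issue is the issuer's side: bind the claims to the holder's key and sign.
func Issue(issuer string, issuerPriv ed25519.PrivateKey, holderPub ed25519.PublicKey,
	claims map[string]bool, notAfterUnix int64) SignedCredential {
	c := Credential{Issuer: issuer, HolderKey: holderPub, Claims: claims, NotAfter: notAfterUnix}
	return SignedCredential{Cred: c, Sig: ed25519.Sign(issuerPriv, c.bytes())}
}

// proofMessage is nonce || issuer-signature, tying the holder's proof to this
// credential and to this particular challenge.
func proofMessage(nonce, credSig []byte) []byte {
	return append(append([]byte{}, nonce...), credSig...)
}

// Present is the holder's side: answer the verifier's nonce with the credential
// and a signature proving possession of the bound key.
func Present(sc SignedCredential, holderPriv ed25519.PrivateKey, nonce []byte) Presentation {
	return Presentation{Cred: sc, Nonce: nonce, Proof: ed25519.Sign(holderPriv, proofMessage(nonce, sc.Sig))}
}

// Verify is the bar's side. It learns one bit (the claim holds) plus the
// issuer name; nothing in the presentation names the person.
func Verify(p Presentation, trusted TrustStore, expectedNonce []byte, claim string, nowUnix int64) error {
	issuerPub, ok := trusted[p.Cred.Cred.Issuer]
	if !ok {
		return errors.New("untrusted issuer")
	}
	if !ed25519.Verify(issuerPub, p.Cred.Cred.bytes(), p.Cred.Sig) {
		return errors.New("issuer signature invalid (tampered or forged credential)")
	}
	if nowUnix > p.Cred.Cred.NotAfter {
		return errors.New("credential expired")
	}
	if !bytes.Equal(p.Nonce, expectedNonce) {
		return errors.New("nonce mismatch (replayed presentation)")
	}
	if !ed25519.Verify(p.Cred.Cred.HolderKey, proofMessage(p.Nonce, p.Cred.Sig), p.Proof) {
		return errors.New("holder does not possess the bound key")
	}
	if !p.Cred.Cred.Claims[claim] {
		return fmt.Errorf("claim %q not asserted", claim)
	}
	return nil
}

func main() {
	issuerPub, issuerPriv := KeyPairFromSeed("issuer-demo-seed")
	holderPub, holderPriv := KeyPairFromSeed("holder-demo-seed")
	trusted := TrustStore{"dmv.example": issuerPub} // hypothetical issuer name
	now := time.Now().Unix()

	sc := Issue("dmv.example", issuerPriv, holderPub, map[string]bool{"over21": true}, now+365*86400)
	nonce := []byte("bar-challenge-0001") // in practice: fresh random bytes per check
	p := Present(sc, holderPriv, nonce)
	fmt.Println("over21:", Verify(p, trusted, nonce, "over21", now))
	fmt.Println("over65:", Verify(p, trusted, nonce, "over65", now))
	fmt.Println("replay:", Verify(p, trusted, []byte("other"), "over21", now))
}
```

Two caveats a practitioner would want: the bar still sees the holder's public key, so presentations at different bars are linkable to each other unless the card rotates keys or uses an anonymous-credential scheme, which this plain signature design does not do; and the whole thing collapses if the card ever leaks the private key, so the key belongs in tamper-resistant hardware, not in a file.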
From a technical point of view, you are of course correct.
But the sad, unfortunate truth is that even hard core techies haven't been able to do this among ourselves. We could use certificates and PGP (or GPG) to secure our communications, but who in real life actually does that? If we can't do it, how can one expect the increasingly dumbed-down masses to?
To your point on small, scattered databases: gathering them all into a single point of contact sounds like a business plan that would easily get funded
I've worked in big companies for a long time and I'm not surprised. The IT security people are usually in-house, but I wouldn't be shocked if they were offshore or totally outsourced. When the IT security team is contacted by a "researcher" telling them something's vulnerable, big IT departments will take forever to put anything into place. First the security team has to run it up the flagpole to their management, then their management has a meeting to decide what course of action to recommend to the server team. The server team (who also may be offshored or outsourced, which introduces more delays) will be told that they have a vulnerability to patch. Application owners affected will need to be contacted to determine when a good time to patch will be. Worse still, if it's a shared service like a service bus or core application component, you have to coordinate that among all the systems' users. Only then can a change management notice be raised, then discussed at the Change Approval Board meeting, then scheduled. At any point, this can also be delayed by the application owner saying they can't take the downtime.
I'm sure all the DevOps kids will say "dude, just put it in the cloud and CI/CD it...we release 20 times a day!" Legacy financial systems are a different animal. You might be able to release the web front-ends to a system like that 20 times a day, but big company IT's complexity and culture make it hard to apply this to the core.
Could it be proved either way? Speaking of a real can of worms legally, can one now challenge that data if you don't like it under the assumption it's been hacked?
Could you get a security clearance via hacking OPM? Ramifications are interesting here. If one had content of both, they'd know who to blackmail as well. And these are the guys who want
However, the sad fact of the industry is that a great many (though not all) organizations are told over and over by those who know internally of the risks.

But security is hard. There is no room for cutting corners. You either have partitioned networks, or not, locked down firewalls, or not, encryption, or not, and so forth. But too often, cuts are made for expediency. When good, fast, or cheap is chosen in such domains, you don't usually even get to choose two: you get to choose one. And too often, the d