Into the Breach: Everything You Need to Know About the Equifax Leak

How often have you checked the strength of your passwords? How often do you check your bank statements? Would you know if someone tried to open a line of credit in your name? Personal data is stolen all the time in events known as data breaches. A data breach can be as small as looking over the shoulder of a friend as they type their password, or as big as stealing millions of confidential credit records.

One of the biggest data breaches in history recently occurred at Equifax, located in Atlanta. As renowned musician Desiigner once said, “I got scammers in Atlanta.” Equifax is one of the top three credit agencies in the world. The scope of this company stretches across 24 countries, four continents, and approximately 820 million consumers. They were also voted to the Forbes’ top 100 list for Most Innovative Companies (2015-2017). With a track record like this, it’s hard to believe some masked assailants were able to steal so much information from right under their noses.

The breach compromised approximately 143 million Americans’ personal data. This data includes names, social security numbers, credit card information, driver’s license numbers, addresses, and birth dates. Surprisingly, credit card information is the least valuable on the spectrum. You can easily call your credit card company and change your credit card number; however, you are unlikely to be able to change your name, social security number, and birthday anytime soon.

This particular breach occurred because of negligence on Equifax’s part. No, our masked assailants didn’t have to break out any special skills such as reverse engineering; they simply took the opportunity presented to them, in the form of Equifax forgetting to update a flaw in a web tool. Equifax even admitted that they knew about the flaw for two months and failed to report it. This gave hackers a two-month period in which they were able to gobble up 44% of the American population’s personal data. It’s every hacker’s dream for such a perfect target, as so much significant personal data is located in one unguarded place. The web tool previously mentioned is called Apache Struts, and Equifax used it as a customer service portal. Customers would go to the portal and report issues about their credit reports; however, the flaw allowed hackers to gain control of the site and access consumer records through this exploit.

Equifax has come under much fire from the public and stakeholders alike for waiting so long to report the breach. Also, rather suspiciously, their CSO and CIO are reportedly “retiring.” Their CSO has a pretty good résumé, having worked at First Data Corporation, SunTrust Banks, and HP. However, her degree choices have some people questioning why she was chosen in the first place. She graduated from UGA with a BA in Music, and also with an MFA in Music. While these are high achievements, some would argue they have no place in the STEM field, especially when it comes to being the Chief Security Officer of a corporation as large as Equifax.

The CIO also has some pretty reputable past employment, working as COO for Silicon Valley Banks and VP of Goldman Sachs. However, he earned his BA in Russian, which is also considerably outside of the STEM field. This motivates many to ask: why are these the people guarding your information?

Equifax is currently being investigated by the Federal Trade Commission (FTC) and the FBI. There have also been several class action lawsuits filed against the company. The way Equifax has handled this scandal is every PR person’s nightmare, as all of their behavior seems only to be attempts to save themselves, rather than helping the millions affected by their mistakes. Among these many mistakes is setting up a website where people are forced to go to check if they have been affected, rather than reaching out actively and notifying those who were affected. This is made all the more ironic, as an Equifax website was the start of the breach in the first place. This site is somewhat faulty, sometimes even telling people to try again later. Several individuals have been able to get the message that their identity has been stolen using fake social security numbers and names, leading some to question if the tool is even accurate in the first place.

An additional problem is that, rather than placing this site as a sub-domain under the equifax.com domain, and thus making it clear that the site is legitimate, Equifax made an entirely new domain at equifaxsecurity2017.com. This makes it easy for hackers to create a duplicate website with a very similar URL that can be used to steal the very personal information entered – social security number and full name – by customers to find out if their identity has been stolen in the original breach. Whitehat hacker Nick Sweeting made this fact all too clear when he created securityequifax2017.com, a not-quite-identical duplicate of the official site. This problem was further underscored when Equifax mistakenly tweeted the link to Sweeting’s website instead of their own in a series of tweets that have since been removed. Luckily for many, Sweeting did not create the site to steal personal information, but instead set it up as a warning of the dangers of Equifax’s current “solution.”

In addition to the myriad issues in the creation of the site, Equifax then offered free credit report monitoring immediately, upon receiving the message that you were impacted by a breach, but hid a clause in the Terms and Conditions stating that by using these services, users gave up their right to sue.

With all of this said, how do you protect yourself against this breach and future situations like these?

What we can take away from this data breach is that information is now more valuable than ever. Much like we safeguard our physical valuables, we must also find a way to keep our identities safe online.