Hopefully you’ve heard of this already, but Equifax was recently severely compromised in a “cybersecurity incident”.
“cybersecurity incident” is code for “colossal fuck-up of epic proportions”
— saddest server (@sadserver) September 7, 2017
Criminals now have access to over 143 million sets of full names, birthdates, social security numbers, phone numbers, mailing addresses, email addresses, and driver's licenses. That is incredibly terrifying.
The Equifax Equihax
The breach occurred between mid-May and July, was discovered by Equifax on July 29, and announced to the public on September 7th. It is also important to consider that three Equifax managers sold stock in August. They claim not to have known about the hack at that point but… Come on. That’s a little too fishy for my taste. Regardless, this post is not about the slime of businesspeople, but about the Equifax hack itself.
Poor Security Practices
The company has announced that hackers “exploited a U.S. website application vulnerability to gain access to certain files.” Equifax has publicly blamed an Apache Struts vulnerability, even though Apache had put out patches and fixes for it back in March. This just makes it worse, because it means Equifax didn’t bother to update their software, which, as we’ve learned from WannaCry, is a very stupid thing to do.
One thing that really pisses me off is that Equifax has already had a number of security incidents. Just last year, the company had unsecured W-2 tax and salary data on its site, available to identity thieves if they knew where to look (they did). Then earlier this year, their payroll division was also found to be insecure, as criminals again had access to sensitive information. It’s incredibly embarrassing and unprofessional on their part not to learn from their mistakes and improve their security.
Scale of the Hack
This cyber attack is “very possibly the worst leak of personal info ever”.
Even if you disagree with that, it’s definitely at the top of the list, along with…
- 1 billion users – Yahoo 2013 CyberVor attack
- 500 million users – Yahoo 2014 Peace attack
- 360 million users – MySpace 2013 Peace attack
- 167 million users – LinkedIn 2012 Peace attack
- 145 million users – eBay 2014 ??? attack
Even though the Equifax hack didn’t affect as many users as any of these attacks, the information leaked was far more sensitive. Not only did Equihax compromise the personal data of 143 million users, but researchers suspect this information may pose a national security threat.
Remember those dates I gave you at the beginning of this article? Equifax found out about the breach at the end of July. However, they didn’t tell the public about it until the beginning of September. Furthermore, they did so by creating a brand-new website to announce the breach, on a separate domain. OpenDNS thought it was a phishing site.
A lot of people have been scouring the terms and conditions trying to figure out what they mean. They are obscure and confusing. If you use Equifax, please consider reading this Reddit comment, which covers a lot of the steps you should take.
Luke Rehmann emailed the hackers, a group called Pasthole. They responded.
We do not have expectations to collect anything so that on the 15th
everything will be published except the credit cards. 09/15 at 4pm UTC
Take this reply with a grain of salt. The blogger has stated that he is not a journalist, but reports what he finds. Some Reddit users question whether these are the actual culprits of the attack, or if they just seek attention. Regardless, it’s interesting to think about what would happen if Pasthole were to publicly release the stolen data.
September 15, 2017 @ 11:32 AM
Equifax CEO Rick Smith stated yesterday, “Equifax will not be defined by this incident, but rather by how we respond.” Okay. Well, your response sucked. Your security practices sucked. This is unacceptable.
On September 12th, we found out that the username and the password for the Argentina employee login portal were both “admin”. The hackers who figured this out stated:
if I have to release the information and make it public for these companies to finally acknowledge and admit their fuck ups (maybe not blame on apache flaw either) then I will.
The hackers asking for 600 Bitcoin were fake. The real hackers also noted that they only added Bitcoin funding after the fact, because it would gain more attention from the media. I visited their Tor site to find this:
You can see more proof that this is from the actual group of hackers here. First of all, the admin panels already showed poor security practices, so it is irresponsible of Equifax to blame the Apache exploit. For example, private keys were embedded in the admin panels.
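The two failures called out above (the “admin”/“admin” employee login and private keys embedded in the admin panels) are both things a routine configuration audit would catch. The following is an added example, not code from the original post or from Equifax: a small Python audit that parses INI-style configuration text and flags default credential pairs and PEM private-key material. The configuration text is constructed for the example; the section names and values are made up.

```python
import re

# Constructed sample configuration text (not real Equifax material): one
# section reusing a vendor-default credential pair, one with a sane credential,
# and one with a private key pasted straight into the config.
SAMPLE_CONFIG = """\
[argentina-employee-portal]
username = admin
password = admin

[reporting-panel]
username = svc_reports
password = Xk9-constructed-strong-value

[signing]
private_key = -----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAconstructedexamplekeymaterial
-----END RSA PRIVATE KEY-----
"""

# Common factory-default pairs; extend from the vendor documentation you actually run.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")

def parse_sections(text):
    """Split INI-style text into {section: {key: value}}; lines without '=' are ignored."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def find_weak_credentials(sections):
    """Section names whose username/password is a known default or where both are identical."""
    weak = []
    for name, kv in sections.items():
        pair = (kv.get("username"), kv.get("password"))
        if pair in DEFAULT_CREDENTIALS or (pair[0] is not None and pair[0] == pair[1]):
            weak.append(name)
    return sorted(weak)

def find_embedded_private_keys(text):
    """1-based line numbers where a PEM private-key header appears in the text."""
    return [i for i, line in enumerate(text.splitlines(), 1) if PRIVATE_KEY_RE.search(line)]

def audit(text):
    """Run both checks over one configuration document and return the findings."""
    return {"default_credentials": find_weak_credentials(parse_sections(text)),
            "private_key_lines": find_embedded_private_keys(text)}
```

Run `audit(SAMPLE_CONFIG)` to see the portal section flagged for its default credentials and line 10 flagged for the embedded key; the same functions work on any INI-style file read from disk.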
Managers sold stock. The company waited six weeks before announcing the hack. Security teams pulled the plug on all of their servers (which shouldn’t have been up in the first place). They pointed fingers, waived rights to sue, and didn’t really take responsibility for their actions. If Equifax wants to be defined by how they responded to these issues, then they should be completely torn apart by now.