Tuesday, September 19, 2017

The Equifax Saga Thus Far

Any time any of us makes a big purchase it’s a matter of pride. After saving and budgeting we finally have the scratch to put down some money towards a new car or join the club to become an American homeowner. But before we can sign the papers, there’s one final thing to do – the credit check. Here in the States your credit is reported by what’s called the “big 3” credit agencies – Experian, TransUnion, and Equifax. Their say-so can make or break what you’re trying to do – they’re the gatekeepers that hold massive databases on all of us and our credit histories. One would think that such sensitive information would be kept under the strictest locks and keys digitally available, but last week we found that sadly, what we hope and assume versus what’s reality are often not the same. This is worse than having most of your other accounts hacked, though – this one included a giant list of social security numbers.

Equifax, one of those big 3 credit agencies, reported that it was hacked last week, potentially opening up the personal information of 143 million American consumers. And after a slow response from them to help the affected consumers whose information they coughed up, three things became abundantly clear to me – they knew this was coming, they did nothing to stop it, and you’re on your own.

After the breach Equifax provided a phone number and a website to check if your information was compromised as what was seemingly a helpful hand. Equifax’s official response came from CEO Richard Smith in the form of a video you can see here.

If you checked whether your information was hit, they were kind enough to provide you with free credit monitoring from that point on. But there were multiple issues with that – in addition to the glib “mea culpa” attitude given to consumers, the hotline kept strange and limited hours, urging consumers to use the website to check. The website itself asked for social security numbers (after yours may have been swiped) to check that info. That yielded another issue – as multiple IT colleagues as well as myself found, the website check would come back and say that your information was compromised regardless of what information you put in. Even if the information you entered was fake. So what was the deal?

Well, after checking on your info, the one thing Equifax did make easy was enrolling in their free credit monitoring service. But as all of us have found in the scope of general life, nothing comes for free. Enrolling in the service came with some very, very fine print – if you enrolled in the program, you waived all rights to sue Equifax for any damage their breach could have caused, through their arbitration clause. Awesome, right? They get users enrolled in their programs and legal immunity against those users at the same time. It’s a pretty sweet deal for them. Thankfully though, after intense criticism and pressure, Equifax changed this to an opt-out clause that the user had to act on, and finally removed the arbitration clause altogether. Let’s be real though, this clause shouldn’t have been part of the agreement for their services given the absolute train wreck of a data leak that they were involved in.

But this was just the tip of the iceberg. Additional information that was unearthed over the following week took this action from shady activities to what may be pointing to a full blown cover up.

What happened?

It’s been revealed that the vulnerability that was exploited was in something called Apache Struts – which to the non-web-savvy is a framework for building Java web applications that is used by a lot of companies. This information on its own made me cringe as an IT boss. I, as many of my colleagues recall, saw a lot of this activity back in March, with our firewalls and security software catching and shutting down attempts to exploit Apache Struts multiple times a day. Patches to plug up the security hole were readily available back in March and even posted as security bulletins from Apache as well as US-CERT (i.e. the Federal Government), which means that Equifax had 2 months to patch up their Apache security holes.

And didn’t.

Granted, fixing a screw-up of this magnitude takes more than just patching, but it gets worse: Equifax reported that July 29 was the date of the hit, meaning two months had passed before they decided to reveal this information to the general public. That's 2 months where they could have started working on it, come up with a game plan, and started a conversation with consumers. The Apache Struts project put out its own statement, in which René Gielen, Vice President for Apache Struts, said: “Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.”

Firewalls and security software can help keep the bad guys out of your network, but on the inside of the firewall, keeping the software and patches current for everything your company is running is the crux of protecting users against further threats. I know from running a technical division how much effort my team puts in to make sure everything is patched up and protected from vulnerabilities, and the fact that Equifax, who houses information far more important than most companies do, did not, is absolutely mind-boggling to me. And that’s both as an IT boss and as an American consumer.
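The two passages above make one practical point: the advisory and the fix were out in March, and the breach landed on July 29, so the real question for any IT shop is how long each deployed copy of a vulnerable component sat unpatched after the bulletin went out. The script below is an added example, not code from this post or from Equifax, of the kind of patch-exposure check a team can run against its own inventory. The component name, fix version, bulletin date and host list are constructed placeholders; they are not the actual Struts fix versions or anyone's real systems.

```python
"""Patch-exposure check: compare an inventory of deployed components against
published fix versions and report how many days each exposed host has been
sitting unpatched since the vendor bulletin.

Added example with constructed data; the component, versions and bulletin
date below are placeholders, not the real Apache Struts advisory values.
"""
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    component: str   # inventory name of the affected software
    fixed_in: str    # first version that carries the fix
    published: date  # day the vendor bulletin went out


def parse_version(v: str) -> tuple:
    """Turn '2.3.10' into (2, 3, 10) so versions compare numerically.

    Plain string comparison would rank '2.3.10' below '2.3.9'; comparing
    integer tuples avoids that mistake, and trailing tags like '-beta'
    are ignored because only digit runs are kept.
    """
    return tuple(int(part) for part in re.findall(r"\d+", v))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """True when the installed version is older than the fix version."""
    return parse_version(installed) < parse_version(fixed_in)


def exposure_report(inventory, advisories, as_of: date):
    """Return (host, component, version, days_exposed) for every inventory row
    that is still below its advisory's fix version on the given date.

    Components with no matching advisory are skipped, not flagged.
    """
    by_component = {adv.component: adv for adv in advisories}
    findings = []
    for host, component, version in inventory:
        adv = by_component.get(component)
        if adv is None:
            continue
        if is_vulnerable(version, adv.fixed_in):
            days_exposed = (as_of - adv.published).days
            findings.append((host, component, version, days_exposed))
    return findings


# Constructed advisory: bulletin published 1 March, fix shipped in 2.4.0.
ADVISORIES = [Advisory("example-framework", "2.4.0", date(2017, 3, 1))]

# Constructed inventory of (host, component, installed version).
INVENTORY = [
    ("app-01", "example-framework", "2.3.9"),   # still on the pre-fix release
    ("app-02", "example-framework", "2.4.0"),   # patched to the fix version
    ("app-03", "example-framework", "2.4.1"),   # patched past the fix version
    ("db-01", "other-lib", "1.0"),              # no advisory on file
]

if __name__ == "__main__":
    # The post's breach date is used as the "as of" day for the report.
    for host, component, version, days in exposure_report(
        INVENTORY, ADVISORIES, date(2017, 7, 29)
    ):
        print(f"{host}: {component} {version} unpatched for {days} days")
```

Run against the constructed inventory, only app-01 is reported, and the bulletin-to-breach gap it prints (150 days) is the number a team would have to explain; the same comparison works for any component as long as the inventory records the exact installed version rather than a package name alone.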

And while Equifax was taking their time not patching? Hackers were already putting breached information to use.

From idiots to evil?

I really wish this was it, but even more information that came to light showed that while Equifax was going through the motions not patching their networks and hiding critical information from the American public, their officers were seemingly busy financially hedging for what was sure to be a massive loss. After the reported July 29 breach, top-ranking Equifax executives offloaded about $2 million in shares on August 1, raising eyebrows across the country. The company maintains that the sale was scheduled and they didn’t know anything about the hack, but the timing is just a bit more than suspect. Suspect enough for a bipartisan group of senators to urge an investigation of the sale by the FBI, the FTC and the SEC. You can see the text of that letter to the Chairmen of both the SEC and FTC, as well as Attorney General Jeff Sessions, here.

OK. What happens to them?

Equifax has had some “personnel changes” in the wake of this event. Susan Mauldin and Dave Webb, their Chief Security Officer and Chief Information Officer, have retired. But our boy Richard Smith? Still in charge. As far as government action goes, Equifax is now under investigation by the FTC, and Smith has been formally called to testify before Congress and will appear before a special panel on October 3. So we’ll have to see how this plays out.

What about me?

Your first step should be to get a copy of your credit report. Under the FCRA, we are all entitled to one free credit report per year. The FTC has links here on where and how to obtain your credit report through annualcreditreport.com. You can also consider freezing your credit, which blocks any new accounts from being opened in your name with your social security number. This does not affect your current existing accounts, so you will still have to monitor those.

But otherwise? You’re basically on your own. Taking a reactive approach and waiting until you’re hacked takes a lot of power away from you and limits what recourse you have in reclaiming your identity and credit after theft. The best course of action is to always be on guard. If you yourself are not a technical person or versed in what a disgusting cesspool the internet actually is, ask someone. I guarantee you that they will be more than happy to help you become more proactive about your data security. Granted, that would have done little to stop what happened with Equifax. Unfortunately for the American consumer, someone can be as secure as possible and this kind of event can still screw that up.

And having seen friends and colleagues who have been victimized in such a way, there’s an emotional component too. Imagine what you’d be able to do immediately while also dealing with the fear and anger of being hit where you live. Being proactive should be part of everyone’s digital routine in today’s day and age, including vigilance and consistent checks of bank and credit accounts.

There’s nothing we can do about the data that was given up – it’s out there now and it’s not coming back. There are 143 million sets of data out there, and the chances of your particular information being used for something are fairly small, but it's something we need to pay attention to nonetheless. We can try to take this as a lesson, but I understand that for most people reading this, it’s a bitter pill to swallow.