It is a sad fact in 2017 that a data breach involving 143 million people was dwarfed by other recent hacks—for example, those that attacked Yahoo in 2013 and 2014, which exposed personal information for 1 billion and 500 million users respectively; another that revealed account details for 412 million accounts on the sex and swinger community site AdultFriendFinder last year; and an eBay hack in 2014 that exposed sensitive data for 145 million users.
The Equifax breach reported on Wednesday, however, was most likely of all for a simple reason: the staggering amount of highly sensitive data it gave to criminals. By providing full names, Social Security numbers, dates of birth, addresses, and, in some cases, driver’s license numbers, you provide most of the information banks, insurance companies, and businesses others use it to verify customers are who they say they are. Theft, by criminals exploiting a security flaw on the Equifax website, opens up the prospect of the data being in the hands of hostile governments, criminal gangs, or both and will remain forever.
The hacks that hit Yahoo and other sites, by contrast, may have compromised more accounts, but the damage to personal data was more limited. And many times the damage can be contained by changing a password or getting a new credit card number.
What’s more, the 143 million people in the US that Equifax says have active accounts are roughly 44 percent of the population. When children and people without credit histories are excluded, the ratio becomes even larger. That means that more than half of all US residents who rely heavily on bank loans and credit cards are at a very high risk of fraud and will remain so for years to come. Besides being used to get loans in other people’s names, the data can be misused by hostile governments to, say, extract new information about people with security clearances, especially in light of the 2015 hack on the US Office of Personnel Management, which revealed highly sensitive data on 3.2 million federal employees, both current and retired.
Aside from the severity and scope of the pilfered data, the Equifax breach also stands out for the way the company handled the breach once it was discovered. For one thing, it took the Atlanta-based company more than five weeks to reveal the data loss. Even worse, according to Bloomberg News, three Equifax executives were allowed to sell more than $1.8 million of stock in the days following the July 29 discovery of the breach. While Equifax officials told the news service that employees had not been notified of the breach at the time of the sale, the transaction would at least give the wrong impression and suggest that incident responders were not quick enough to contain the damage in the the day after There is a potential catastrophic cut to the focus.
What’s more, the website www.equifaxsecurity2017.com/, which Equifax created to alert people of crime, is very problematic for several reasons. He works on it WordPress installation stock, a content management system that doesn’t provide the corporate security needed for a site that asks people to provide their last name and all but three digits of their Social Security number. TLS certificate doesn’t do proper cancellation checks. Worse, the domain name not registered to Equifax, and its format looks like something a criminal activity might use to steal people’s information. It’s no surprise that Cisco’s proprietary Open DNS is blocking access to the site and warning that it is a suspected privacy threat. (Update: The whois records were updated on Sunday and now show the domain is registered to Equifax.)
Another indication of sloppiness: a username for the site’s management has been left The book is hosted here. Here’s what it looked like before it took off at about 8:50 a.m. California time: