Equifax Security Breach
Equifax is one of the largest credit reporting agencies. It has collected data on hundreds of millions of Americans over time. Recently, it lost that very data, including names, addresses, Social Security numbers and driver's license numbers, for 143 million of those Americans. The sensitivity of the information makes this the worst hack of the decade. It has left millions vulnerable to identity theft and scams.
How Is This Being Handled?
Equifax made a website designed to spread information on how the company is handling the hack. In a post they said the following:
“Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”
Apache Struts is a “framework for developing Java-based apps that run both front-end and back-end Web servers.” The framework is extremely popular with financial institutions. The bug in the framework was fixed in an update patch on March 6th. Equifax claims to have learned that the hack took place in May. That is two months after the vulnerability was known and could easily have been fixed by applying the update.
Equifax announced only last week that it had learned the system was breached in May and that the breach was discovered much later, on July 29th. That is not all: three days after Equifax discovered the breach, three top Equifax executives, including Chief Financial Officer John Gamble and a president of a unit, sold Equifax shares or exercised options to dispose of stock worth about $1.8 million, even though they claim to have had no knowledge of the hack at that time.
US Congress Inquiry
The breach has not gone unnoticed, and Congress is taking action to ensure no such acts take place in the future. The Democrats of the House Committee on Energy and Commerce are questioning Equifax. They have written a strongly worded letter to the company asking in detail about all aspects of the hack.
“Your company profits from collecting highly sensitive personal information from American consumers — it should take seriously its responsibility to keep data safe and to inform consumers when its protections fail,” wrote the 24 members of Congress in the letter.
They have further asked what the vulnerability was and what actions have been taken to fix it. They also asked what security measures are now in place to make sure something like this never happens again, why the executives sold off their stock just before the announcement, and why it took so long to discover the breach.
The company is expected to come up with a proper response in the coming weeks. I think it is safe to assume that these attacks are not going to stop, especially as we move towards a more digital world. We need to have proper safeguards in place to ensure something like this never happens again.