Even the most disinterested Americans are probably aware by now of what a giant bungling mess the Equifax hack was. Not only did the company fail with respect to basic security and intrusion detection measures, the way they handled the situation after they discovered or suspected what had happened was even more despicable. The good news? It’s possible Equifax was hacked by nation state actors and not by some l33t hacker crew doing it for money or lulz.
You may be thinking, “wait, this doesn’t sound like good news at all”, and it’s true that nothing about Equifax basically giving away all your personal information is great. But if it was stolen by a nation state, it is slightly more likely that the data never gets dumped onto the internet for random slimeballs to use against you for financial gain.
Some of the details in Bloomberg’s reporting are enough to make you want to punch an Equi-exec:
In the corridors and break rooms of Equifax Inc.’s giant Atlanta headquarters, employees used to joke that their enormously successful credit reporting company was just one hack away from bankruptcy. They weren’t being disparaging, just darkly honest: Founded in the 19th century as a retail credit company, Equifax had over the years morphed into one of the largest repositories of Americans’ most sensitive financial data, which the company sliced and diced and sold to banks and hedge funds. In short, the viability of Equifax and the security of its data were one and the same.
Somehow that joke doesn’t seem so funny now. Unfortunately Equifax will probably survive to screw us over another day. Furthermore, Equifax made huge amounts of money from free data that they ultimately proved to be unworthy stewards of.
In the speech, Smith explained that the company gets its data for free (because regular consumers hand it over to the banks when they apply for credit). Then, he said, the company crunches the data with the help of computer scientists and artificial intelligence and sells it back to the banks that gave Equifax the data in the first place. The business generates a gross margin of about 90 percent. “That’s a pretty unique model,” Smith said.
It’s not that Equifax didn’t worry about or try to implement security measures. It did, but it still fell prey to company culture and bureaucracy, resulting in the nightmare situation affecting most Americans now.
Not long after becoming CEO, he hired Tony Spinelli, a well-regarded cyber expert, to overhaul the company’s security. The new team rehearsed breach scenarios, which involved 24-hour crisis-management squads taking turns to address each given issue until it was resolved. Protocol included alerting the chief of security, who determined the severity of the breach, and then telling the executive leadership if a threat was considered serious.
Apparently, gaps remained. After the breach became public in September, Steve VanWieren, a vice president of data quality who left Equifax in January 2012 after almost 15 years, wrote in a post on LinkedIn that “it bothered me how much access just about any employee had to the personally identifiable attributes. I would see printed credit files sitting near shredders, and I would hear people speaking about specific cases, speaking aloud consumer’s personally identifiable information.”
The evidence Bloomberg cites in advancing the case that the Equifax hack may have been the work of professional nation-state hackers is fascinating. Apparently junior hackers worked their way in using an Apache bug, and then handed things over to the ace team once things got tricky.
Once the hackers found the vulnerability Zheng reported, they installed a simple backdoor known as a web shell. It didn’t matter if Equifax fixed the vulnerability after that. The hackers had an invisible portal into the company’s network. The Moloch data suggests the initial group of hackers struggled to jump through internal roadblocks like firewalls and security policies, but that changed once the advanced team took over. Those intruders used special tunneling tools to slide around firewalls, analyzing and cracking one database after the next—while stockpiling data on the company’s own storage systems.
Besides amassing data on nearly every American adult, the hackers also sought information on specific people. It’s not clear exactly why, but there are at least two possibilities: They were looking for high-net-worth individuals to defraud, or they wanted the financial details of people with potential intelligence value.
It is entirely possible that a country like China, Russia, or (maybe) North Korea was responsible and was fishing for information on people they could trick or coerce into revealing valuable political or economic intelligence. If that’s the case, it’s also plausible that most Americans affected don’t have as much to worry about as initially feared, at least for now. Unfortunately data has a way of being passed around or slipping out into the public domain, as Equifax found out the hard way.
By the way, given that no one knows who hacked Equifax and what their motives were, services like Experian’s offer of a dark web scan are nothing more than scams. Even if your information was splattered across the dark web, it’s highly unlikely these bozos would find anything anyway. They are relying on their “customers” having no way of knowing what data is actually out there. From their own website:
Experian is a global leader in consumer and business credit reporting and marketing services and a constituent of the United Kingdom’s FTSE 100 index, with total revenue for the year ended March 31, 2016, of US$4.6 billion. We support clients in more than 80 countries and employ approximately 17,000 people in 37 countries.
Experian is a credit reporting and marketing company, not an internet security company. They may even play at providing security measures to businesses (although a cursory scan of their website didn’t reveal any such services offered), but that’s not what they do for a living.