Adding insult to the largest data compromise in history, in which the personal data of over 145 million Americans was exposed, it turns out that data giant Equifax was reportedly warned by a security researcher about its vulnerability in December of 2016, and ultimately failed to act on the warning until it was forced to six months later.
Apparently, a webpage on the public-facing website gave that security researcher access to social security numbers, full names, birthdates, and addresses – a page exposed to anyone and requiring no authentication.
In addition, he was able to hack several servers, and found simple bugs across the company’s massive online infrastructure, which suffered from a lack of patches and updates.
This leak of information has raised a number of concerns about Equifax’s security practices, which apparently have been lacking for quite some time.
Multiple former and current employees discussed security lapses – despite the massive investment of capital and time – attributed largely to talent gaps and poor implementation processes.
Past security mishaps included insecure internal portals, internal sabotage, and a lack of file integrity monitoring systems. Audits apparently weren’t taken seriously, as management struggled to understand what security consultants were asking.
Ultimately, it appears that Equifax didn’t have security at the top of its mind, and is feeling the consequences of that lack of urgency now.
Equifax announced on October 2nd that the security firm Mandiant had concluded its review of the impact of the breach, finalizing the number at the current 145 million, with no evidence that attackers impacted databases located outside the United States.
In addition, though the original statement indicated that up to 100,000 Canadian citizens may have been impacted, Equifax confirmed that 8,000 Canadian citizens were impacted. The results for the UK are currently awaiting review.
The scope of the Equifax hack has already changed the company itself massively – with a new interim CEO and the departure of its two top security officials.
The scope of the breach also has federal lawmakers discussing enhanced oversight of the largely unregulated credit reporting industry. With over 143 million people impacted – who will feel the effects for years to come – the consequences of what happens next will continue to be felt.