Equifax data breach: a story of what not to do.

This week we learned that one of the nation's three largest credit institutions suffered one of the largest and most in-depth breaches of data security and losses of private information in U.S. history.

Before I go into further detail, please use these links to check whether you are impacted and to learn what to do if you are.

How to check if you are on the list.

What to do if you are on the list and what you can do to protect yourself.

Hackers gained access to company data that potentially compromised sensitive information for 143 million American consumers, including names, addresses, birthdays, Social Security numbers and driver's license numbers, and it all came down to gaining access to files in the company's system. From sometime in mid-May to July, hackers exploited a U.S. website application vulnerability to reach these files. That leaves open a wide range of possibilities, with injection bugs, faulty authentication mechanisms, and cross-site scripting vulnerabilities topping the list of the most widely exploited website flaws.

To further worsen the situation, just days after the company admitted that it had detected a breach, three executives from the company – including the chief financial officer – sold a combined $1.8 million in stock. More suspicious still, it took the firm over a month to disclose that there had been a breach at all. It appears these executives may have more to answer for in the future.

In their haste to "help" their customers, Equifax set up a new security website. But the site was hastily put together and was plagued with slowness and responsiveness problems because demand overloaded its capacity. Not to mention that phone calls went unanswered due to the overwhelming response. And if you were one of the lucky people who did get through, you quickly found very little information at first. You would have found that the website didn't automatically enroll the user in the TrustedID credit monitoring — instead, the site only issued a date (about a week in the future) when the user would have to return to complete the enrollment.

Equifax was then exposed for putting an arbitration clause into its "fine print" which essentially restricted users' right to sue the company or be part of a class action in the future. This has now been clarified in their FAQ, which states: "The arbitration clause and class action waiver included in the TrustedID Premier Terms of Use applies to the free credit file monitoring and identity theft protection products, and not the cyber-security incident." In any case, the National Consumer Law Center described this arbitration clause as "biased, secretive, and lawless".

Then there is the woeful PIN that Equifax creates for you if you choose to freeze your credit. It is not a PIN you choose, nor is it a random one. No, it is actually the time and date of the freeze... This showed how quickly the process was put together by Equifax, without regard to proper security practice to protect their users: a PIN that anyone can derive from the freeze time is no secret at all.
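As an added illustration (not code from the original post or from Equifax), the contrast between a PIN derived from the freeze timestamp and one drawn from a cryptographically secure generator, plus an audit check that flags timestamp-shaped PINs in an existing store. The MMDDYYHHMM layout is an assumption; the page does not state Equifax's exact format.

```python
import secrets
from datetime import datetime

PIN_DIGITS = 10


def timestamp_pin(freeze_time: datetime) -> str:
    """Weak generator as described on the page: the PIN is just the
    freeze time. MMDDYYHHMM is an assumed layout (constructed here);
    any layout derived from a timestamp has the same problem."""
    return freeze_time.strftime("%m%d%y%H%M")


def random_pin(digits: int = PIN_DIGITS) -> str:
    """Hardened alternative: every digit chosen independently from a
    CSPRNG (the secrets module), so the PIN carries no information
    about when the freeze happened."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def timestamp_keyspace(days: int) -> int:
    """Distinct timestamp-derived PINs possible across a window of
    `days` at one-minute resolution (the assumed layout stops at minutes)."""
    return days * 24 * 60


def random_keyspace(digits: int = PIN_DIGITS) -> int:
    """Distinct PINs possible when every digit is random."""
    return 10 ** digits


def keyspace_ratio(days: int = 365) -> float:
    """How many times larger the random keyspace is than a full year
    of possible freeze timestamps."""
    return random_keyspace() / timestamp_keyspace(days)


def is_timestamp_shaped(pin: str, year: int) -> bool:
    """Audit check: does a stored PIN parse as a plausible MMDDYYHHMM
    timestamp in the given year? A store full of such PINs should be
    rotated to randomly generated ones."""
    try:
        parsed = datetime.strptime(pin, "%m%d%y%H%M")
    except ValueError:
        return False
    return parsed.year == year
```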

Worse yet, their credit monitoring service is pretty much worthless: they are only offering one year of free credit monitoring service, under "free to try" terms. This can ultimately lead to you being charged for a renewal next year after you have forgotten that you signed up for their service. The service will only warn you; it will not proactively defend your accounts if problems are identified. And don't forget they want you to agree not to sue them if you use this service.

Unlike some of my other posts, this post does not deal much with the technical side of how to prevent a data breach, but rather with how not to conduct business with your customers if one does happen. Of course, the best way to deal with this is to defend your data in every way you possibly can. Keep your infrastructure security up to date and always make time for security; it may take a bit longer, but in the long run it is better.
