Equifax Inc., one of the world’s largest consumer credit reporting agencies, discovered in July 2017 that they had suffered a major security breach and did not report it until several months later, on September 8th, 2017. Equifax collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide. Reported compromised were 143 million consumer records containing personal information (names, Social Security numbers, birth dates, addresses and driver’s license numbers) and 209,000 consumer credit card numbers.
The hackers responsible for the breach exploited a known, already-patched security vulnerability in industry-standard web hosting software. Both the vulnerability and its patch were announced months before Equifax’s July 2017 web server hack. Any decent organization with just an inkling of security practice could have had the patch applied using simple patch automation tools widely available as open source. To further compound Equifax’s culpable behavior, as soon as the hackers exploited the vulnerability, they guessed the admin password, Argentina, within minutes.
In April 2017 IBM released their annual Threat Intelligence Index, emphasizing that hackers have shifted their methods toward exploiting known vulnerabilities: 10,197 of them in 2016 alone. Any competent IT person charged with security could have foreseen and prevented the July 2017 Equifax hack. Oddly, Equifax’s Chief Security Officer, Susan Mauldin, has a bachelor’s degree and a master of fine arts degree in music composition from the University of Georgia. Her LinkedIn professional profile, no longer active, listed no education related to technology or security.
So what should you do to remediate Equifax’s culpable incompetency?
- Visit Equifax’s site to check whether Equifax gave away your personal information through their lackadaisical IT practices.
Given that 143 million Equifax records were compromised and a large number of Americans are credit invisible, the odds are that if you participate in America’s Capitalism game, Equifax handed the hackers your information.
- If your information was compromised, then enroll in Equifax’s credit monitoring. Yes, the same people that built the hen house, then left the front gate open for the fox to come in, are also remediating by offering to monitor the security of the gate. However, there is a BIG caveat. The arbitration clause in the Terms of Service for Equifax’s credit monitoring prevents you from joining a class-action suit. Arbitration clauses like Equifax’s are supposed to be on their way out. The Consumer Financial Protection Bureau announced a ban on them this summer, but its new rules won’t apply until next year, and Republican lawmakers are trying to repeal them altogether. For now, the one existing loophole is Equifax’s opt-out provision: within 30 days of agreeing to the terms of the enrollment, you can deliver a written notice to this address:
Equifax Consumer Services LLC
Attn.: Arbitration Opt-Out
P.O. Box 105496
Atlanta, GA 30348
Include your name, address, Equifax User ID, and a clear statement that you “want to opt out of resolving disputes with Equifax through arbitration.”
Businesses need an IT business partner that can handle their IT needs and provide the necessary network security. Today’s IT Managed Service Providers must be proactive in their ability to assess and prevent new threats. If the Equifax hack has shown us anything, it is that very few IT companies and IT staff are able to meet those requirements on their own.