six colors

by Jason Snell & Dan Moren


Linked by Dan Moren

Equifax breach is probably the worst leak ever

Ars Technica’s security editor Dan Goodin on the news that consumer credit reporting agency Equifax was hit by a massive security breach:

The breach Equifax reported Thursday, however, very possibly is the most severe of all for a simple reason: the breath-taking amount of highly sensitive data it handed over to criminals. By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be. The theft, by criminals who exploited a security flaw on the Equifax website, opens the troubling prospect the data is now in the hands of hostile governments, criminal gangs, or both and will remain so indefinitely.

I’ve been a little bemused that some mainstream media are reporting this like it’s just another hack when in fact it’s way, way worse. As the Ars headline says, it’s probably the worst leak of all time. Why? Because in so many of those other hacks the worst of the leaked data was passwords and maybe credit card numbers (and keeping unencrypted card numbers on hand these days would be tantamount to criminal negligence). Worst case, you change your password or get a new card number, though even that can have a longer-term impact. Getting a new Social Security number is possible, but it’s far harder and more disruptive, and I don’t believe it has ever been necessary on anything like this scale: 143 million people may have been affected, or about 44 percent of the U.S. population. That is staggering.

The second part of Goodin’s story, dealing with Equifax’s amateur response to the hack, just adds another log of frustration to the fire:

What’s more, the website www.equifaxsecurity2017.com/, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation of WordPress, a content management system that doesn’t provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn’t perform proper revocation checks. Worse still, the domain name isn’t registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people’s details. It’s no surprise that Cisco-owned OpenDNS was blocking access to the site and warning it was a suspected phishing threat.

Amateur hour, indeed. This is a company that is one of the three biggest credit agencies in the U.S., and any number of businesses and people trust its information for major decision-making on loans and the like. Trust should be the cornerstone of their business, but why would you trust someone who seems like they don’t know the first thing about keeping your personal information safe?
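The practical check Goodin’s point implies is simple: a breach-notification site should live under a domain you already trust for that company, and anything else that carries the brand name in its hostname is indistinguishable from a phishing lookalike. Here is an added example of that check in Python; it is not code from the article, from Ars Technica, or from Equifax. The trusted apex list and the lookalike URLs other than equifaxsecurity2017.com are constructed for illustration, and the apex-domain logic is deliberately simplified (it ignores multi-label public suffixes such as co.uk, which a real check would resolve with the Public Suffix List).

```python
from urllib.parse import urlsplit

# Assumption for this example: the apex domain(s) a user already trusts for
# the company. Nothing in the article states this list; it is illustrative.
TRUSTED_APEXES = {"equifax.com"}
BRAND_TOKENS = {"equifax"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'www.equifax.com' -> 'equifax.com'.

    Simplification: treats every TLD as single-label. A production check should
    use the Public Suffix List so that 'example.co.uk' is not reduced to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str, trusted_apexes=TRUSTED_APEXES, brand_tokens=BRAND_TOKENS) -> str:
    """Classify a notification URL as 'trusted', 'lookalike' or 'unrelated'.

    - 'trusted'   : hostname is the trusted apex or a subdomain of it.
    - 'lookalike' : brand name appears in the hostname or elsewhere in the URL
                    but the host is NOT under a trusted apex (the pattern
                    equifaxsecurity2017.com and phishing kits both match).
    - 'unrelated' : no brand token anywhere; still not a reason to trust it.
    """
    # Parse with urlsplit rather than substring-matching the raw URL: a URL
    # such as https://www.equifax.com@evil.example/ has hostname evil.example,
    # and a naive "does it contain equifax.com" test would be fooled.
    parsed = urlsplit(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower()
    apex = registrable_domain(host)

    if apex in trusted_apexes:
        return "trusted"
    if any(token in host for token in brand_tokens):
        return "lookalike"
    if any(token in url.lower() for token in brand_tokens):
        # Brand only in userinfo, path or query: classic credential-lure layout.
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # The first URL is the one from the article; the rest are constructed.
    for sample in (
        "https://www.equifaxsecurity2017.com/",
        "https://www.equifax.com/personal/",
        "equifax.com.example.net",
        "https://www.equifax.com@evil.example/",
        "https://example.org/notice",
    ):
        print(f"{sample:45} -> {classify(sample)}")
```

The point of the example is the first line of output: by this rule the real notification site is classified exactly like the fakes, which is why a DNS filter flagged it and why users had no way to tell the difference. A company that wants its breach site to be verifiable has to host it under the domain its customers already know.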

I’ve seen some other anecdotal complaints about Equifax’s response, most notably from Panic co-founder Cabel Sasser, who detailed his experience in a series of tweets:

Upon seeing the link to the aforementioned response site in a news story, I immediately went and put in my information to be notified if I was affected by the breach—I didn’t have Cabel’s experience, but Goodin’s story definitely has me wondering if I should have perhaps been more cautious about it. Well, I guess I’ll find out next week whether or not I’m one of the 44 percent.

Update: Just to clarify, since I was not reading closely when I went to check my info, Equifax’s tool said I “may have been impacted” and gave me a date of next week for when its TrustedID program kicks in.