Hurricane Season: Harvey Hit Texas, Irma Hit Florida, Equifax Hits the USA
The Equifax scandal, or what the iTod team has started referring to as "Hurricane Equifax," has set the financial industry ablaze, shaken consumers, and outraged lawmakers and regulators.
This technological disaster can be traced back to the 8th of March, when Cisco Systems, Inc. – the big enterprise vendor that provides software for Equifax – reported a vulnerability in Apache Struts2 that would enable hackers to execute commands remotely – meaning they could remotely access the information stored on the targeted system.
On the 8th of March, Cisco told users, including Equifax, that the weakness in Apache Struts was "critical," and that users needed to immediately upgrade or "patch" their systems with an updated version of Struts that would fix the flaw.
Last Friday, the 15th of September, Equifax’s technological support said it worked to identify and patch vulnerable systems upon Cisco’s announcement in March. But… the evidence indicates this may not be entirely true.
That's because the online security flaw that was reported in Apache Struts – the one that could have been patched and fixed in March – was the same vulnerability that enabled hackers to potentially acquire 143 million Americans' personal information between mid-May and late July… in other words, between two and four and a half months AFTER the patch was available, the Struts flaw was still present in Equifax's systems.
Equifax, of course, has adopted the "innocent victim" role and is claiming it wasn't until late July, when it noticed suspicious traffic, that tech experts were prompted to investigate Equifax systems. This is when they discovered that the same Struts flaw still existed in many areas of Equifax's systems, and by then – you can almost hear the officials nonchalantly lament - “it was too late.”
We still don’t know a lot about the circumstances regarding the breach: how did it burrow so deeply inside Equifax? Did Equifax respond properly to Cisco’s report on the security flaw in March? Should Equifax have acted differently in the weeks leading up to the massive breach? Should Equifax have acted differently in the weeks following the breach?
Alex Holden, the chief information security officer of Hold Security, an identity-theft monitoring company, said last week his company was able to access an Argentinian Equifax-operated employee portal by entering the very creative username and password combo of “admin” and “admin”.
Further, prosecutors are investigating suspicious stock sales by Equifax Chief Financial Officer John Gamble; President of US Information Solutions Joseph Loughran; and President of Workforce Solutions Rodolfo Ploder. In early August – only days after the breach – these three suits sold Equifax stock worth approximately $1.8 million.
The investigation will be handled by the Atlanta US Attorney’s Office, as Equifax is headquartered in Georgia’s capital city.
In addition, more than one third of US Senators have urged the SEC and DOJ to determine whether these stock sales violated insider trading laws.
Hurricane Equifax should terrify us, both as consumers and as professionals working in the financial services industry. We are all vulnerable to identity theft, and must take measures to protect ourselves. Last week, we suggested the best route is adding a credit freeze to your credit file. The iTod team is in the process of reviewing our own credit reports and none of us has thus far frozen our accounts.
However, we stand by the position that a credit freeze is the best way to protect yourselves, and also the best route your accountholders or members can take to protect their identities and money.
But now we want to know what you think: Have customers sought your help in the week of Hurricane Equifax? Are you taking alternative actions to protect your identities? Have you signed up for Equifax’s free credit-monitoring service or the monitoring service of an Equifax competitor like TransUnion or Experian? Please leave a comment or send us an email and let us know how you’re protecting your identity and helping your accountholders or members protect their identities.