Tuesday, September 19, 2017

The Equifax Saga Thus Far

Any time any of us makes a big purchase it’s a matter of pride. After saving and budgeting we finally have the scratch to put down some money towards a new car or join the club of American homeowners. But before we can sign the papers, there’s one final thing to do – the credit check. Here in the States your credit is reported by what’s called the “big 3” credit agencies – Experian, TransUnion, and Equifax. Their say-so can make or break what you’re trying to do – they’re the gatekeepers that hold massive databases on all of us and our credit histories. One would think that such sensitive information would be kept under the strictest locks and keys digitally available, but last week we learned that, sadly, what we hope and assume is often not the reality. This is worse than having most of your other accounts hacked, though: this one included a giant list of Social Security numbers.

Equifax, one of those big 3 credit agencies, reported last week that it was hacked, potentially exposing the personal information of 143 million American consumers. With a slow response from them to help the affected consumers whose information they coughed up, three things became abundantly clear to me – they knew this was coming, they did nothing to stop it, and you’re on your own.

After the breach Equifax provided a phone number and a website to check if your information was compromised, in what seemed like a helpful hand. Equifax’s official response came from CEO Richard Smith in the form of a video you can see here.

If you checked whether your information was hit, they were kind enough to provide you with free credit monitoring from that point on. But there were multiple issues with that – in addition to the glib “mea culpa” attitude given to consumers, the hotline kept strange and limited hours, urging consumers to use the website to check. The website itself asked for Social Security numbers (after yours may have been swiped) to check that info. That yielded another issue – as multiple IT colleagues as well as myself found, the website check would come back and say that your information was compromised regardless of what information you put in, even if the information you entered was fake. So what was the deal?

Well, after checking on your info, the one thing Equifax did make easy was enrolling in their free credit monitoring service. But as all of us have found in the scope of general life, nothing comes for free. Enrolling in the service came with some very, very fine print – if you enrolled in the program, you waived all rights to sue Equifax for any damage their breach could have caused, through their arbitration clause. Awesome, right? They get users enrolled in their programs and legal immunity against those users at the same time. It’s a pretty sweet deal for them. Thankfully though, after intense criticism and pressure, Equifax changed this to a user-responsible opt-out clause and finally removed the arbitration clause altogether. Let’s be real though, this clause shouldn’t have been part of the agreement for their services given the absolute train wreck of a data leak that they were involved in.

But this was just the tip of the iceberg. Additional information that was unearthed over the following week took this action from shady activities to what may be pointing to a full blown cover up.

What happened?

It’s been revealed that the vulnerability that was exploited was in something called Apache Struts – which, for the non-web-savvy, is a web application framework used by a lot of companies. This information on its own made me cringe as an IT boss. I, as many of my colleagues recall, saw a lot of this activity back in March, with our firewalls and security software catching and shutting down attempts to exploit Apache Struts multiple times a day. Patches to plug the security hole were readily available back in March and were even posted as security bulletins from Apache as well as US-CERT (i.e. the Federal Government), which means that Equifax had 2 months to patch up their Apache security holes.

And didn’t.

Granted, fixing a screw-up of this magnitude takes more than just patching, but it gets worse: Equifax reported that July 29 was the date of the hit, meaning two months had passed before they decided to reveal this information to the general public. That's 2 months where they could have started working on it, come up with a game plan, and started a conversation with consumers. Apache themselves put out a statement: “Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years,” according to René Gielen, Vice President for Apache Struts.

Firewalls and security software can help keep the bad guys out of your network, but on the inside of the firewall, keeping the software and patches current for everything your company is running is the crux of protecting users against further threats. I know from running a technical division how much effort it takes my team to make sure everything is patched up and protected from vulnerabilities, and the fact that Equifax, which houses information far more important than most companies do, did not is absolutely mind-boggling to me. And that’s both as an IT boss and as an American consumer.

And while Equifax was taking their time not patching? Hackers were already putting breached information to use.

From idiots to evil?

I really wish this was it, but even more information that came to light showed that while Equifax was going through the motions of not patching their networks and hiding critical information from the American public, their officers were seemingly busy financially hedging for what was sure to be a massive loss. After the reported July 29 breach, top-ranking Equifax executives offloaded about $2 million in shares on August 1, raising eyebrows across the country. The company maintains that the sale was scheduled and they didn’t know anything about the hack, but the timing is just a bit more than suspect. Suspect enough for a bipartisan group of senators to urge an investigation of the sale by the FBI, the FTC and the SEC. You can see the text of that letter to the Chairmen of both the SEC and FTC, as well as Attorney General Jeff Sessions, here.

OK. What happens to them?

Equifax has had some “personnel changes” in the wake of this event. Susan Mauldin and Dave Webb, their Chief Security and Chief Information Officers, have retired. But our boy Richard Smith? Still in charge. As for government action, Equifax is now under investigation by the FTC, and Smith has been formally called to testify before Congress; he will appear before a special panel on October 3. So we’ll have to see how this plays out.

What about me?

Your first step should be to get a copy of your credit report. Under the FCRA, we are all entitled to one free credit report per year. The FTC has links here on where and how to obtain your credit report through annualcreditreport.com. You can also consider freezing your credit, which blocks any new accounts being opened in your name with your Social Security number. This does not affect your current existing accounts, so you will still have to monitor those.

But otherwise? You’re basically on your own. Taking a reactive approach and waiting until you’re hacked takes a lot of power away from you and limits what recourse you have in reclaiming your identity and credit after a theft. The best course of action is to always be on guard. If you yourself are not a technical person or versed in what a disgusting cesspool the internet actually is, ask someone. I guarantee you that they will be more than happy to help you become more proactive about your data security. Granted, that would have done little to stop what happened with Equifax. Unfortunately for the American consumer, someone can be as secure as possible and this kind of event can still screw that up.

And having seen friends and colleagues that have been victimized in such a way, there’s an emotional component too. Imagine what you’d be able to immediately do while also dealing with the fear and anger of being hit where you live? Being proactive should be part of everyone’s digital routine in today’s day and age, including vigilance and consistent checks of bank and credit accounts.

There’s nothing we can do about the data that was given up – it’s out there now and it’s not coming back. There are 143 million sets of data out there and the chances of your information being used for something are fairly small, but it's something we need to pay attention to nonetheless. We can try to take this as a lesson, but I understand that for most people reading this, it’s a bitter pill to swallow.

Tuesday, February 5, 2013

Safer Internet Day - Some Tips for Your Digital Life


The internet contains more and more of our lives these days.  We have online accounts for our banks and paying bills, online shopping, and a number of other types of online activity that put more of us out there.  With social media like Facebook and Twitter this is increased a hundredfold.  And the more of our lives are public, the more we stand to lose if some unsavory digital brigand gets their hands on our digital info.

Hacks happen.  Plain and simple.  Whether it's a brute force attack or poor security or a social engineering scheme, there are people whose livelihood relies on messing with the livelihoods of others.  So we all have to be on the lookout.  To promote safe internet use and to prevent internet abuse, InSafe established Safer Internet Day, a day to promote awareness of internet safety and internet health for all.  Today, February 5th, is the 10th Safer Internet Day, and this year's theme is "Connect with Respect."  The initiative has global support including giants like Microsoft, who has some great resources on their SID site including downloads for how to protect children online and teach them digital safety, as well as some guidelines on how to keep control of your digital life.

So in that spirit, I thought it would be a good idea to give you all some tips for internet safety.  Maybe you don't think you need them, but it's always good to have reminders.  I work in IT for a living, and I've been hacked before.  Even Mat Honan, part of the crew at Wired Magazine, has been hacked in a very public and spectacular fashion.  It goes to show no one is ever 100% immune, but with some proactive measures, we can all make our digital world safer.  This is by no means an exhaustive list, but take a look, and put some of these practices into play.

1.  Good password management: Use complex passwords for your online accounts, especially sites like banking and payment sites.  Make sure your password includes a mix of capital and lowercase letters, with numbers and special characters as well.  Remember - a good password is hard to guess but easy to remember.  Also, update your passwords regularly and be sure to never send your password to anyone over email.

2.  Control your social media: Facebook, Twitter, Google+ and any other social media site you use have increasingly become targets for hackers and other online miscreants on an information hunt.  These services give you a way to control who sees what information through privacy settings.  You can set up exactly how public you want your information to be.  For example, your Facebook privacy settings should probably be kept at "friends only" to be on the safe side.  And on content you choose to keep public, think twice before you post something that could be potentially embarrassing or damaging to your digital reputation.

3.  Suspicious email: Email is a popular way for hackers to hit users with phishing scams, trying to trick them into clicking links to malicious content or handing over information they wouldn't normally hand over, like credit card numbers.  Ask yourself if there's any reason you'd be getting a particular email.  If not, it might be safer not to open it.  Another red flag is attachments to the email that you don't recognize.  And another trick is to hover your mouse over links in the body of the email.  When you do, a tiny box will appear telling you where that link really goes, because a link that says Blizzard or Amazon may lead somewhere else that you don't want to be.  Phishing emails become a lot more common during certain times of the year - namely holidays and tax season.  Some of them also claim to be from the government asking for your information.  Remember that a government entity like the IRS will always send you official communications in writing, not over random email.

4.  Stay updated!: Make sure you have anti-virus software running on your computer like Norton or Trend, and turn on the setting to auto update.  This will keep you up-to-date with the latest anti-virus definitions to protect your systems.  A good anti-malware software like Malwarebytes is also a good idea.  Enabling automatic updates on Windows will also ensure that you have the latest updates from Microsoft like security patches.

5.  BE PROACTIVE.  There's a lot of stuff you'll come across on the internet, and a lot of it isn't going to be safe.  Flag and report sites and content that are clearly abusive and/or illegal to Google or the entity being abused.  You can also report internet crime to the FBI through the IC3 (the Internet Crime Complaint Center).  And if you're one of those tech folks that's in the know, educate people!  Run a presentation on internet safety at your workplace, tell your friends how to stay safe, and practice these tips yourself.
If you're unsure of anything, ask your local computer nerd!  While they may have a gruff and nerdy exterior, they'll always be happy to help someone be proactively safe on the internet.  Or leave a comment or ask me any questions you have.  The internet can be a scary place, so make the right decisions and surf safe.
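The hover-over check from tip 3, automated as an added example (my own code, not from the original post): it pulls every link out of an HTML message and flags those whose visible text names a site the link does not actually go to. The brand list and the sample message are constructed for the example; it also covers two tricks the tip hints at, a real brand name buried as a subdomain of a look-alike host and a link to a bare IP address.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the reader might expect mail from (constructed list for this example)
KNOWN_BRANDS = {"amazon": "amazon.com", "blizzard": "blizzard.com", "irs": "irs.gov"}

# Constructed sample message body in the style of a phishing email; hosts under .example are fictitious
SAMPLE_EMAIL_HTML = """
<p>Your order has shipped! <a href="https://www.amazon.com/orders">Track it on Amazon</a></p>
<p>Problem with your account: <a href="http://amazon.com.account-verify.example/login">amazon.com</a></p>
<p>Your Blizzard account is locked: <a href="https://battle-net-secure.example/x">Blizzard login</a></p>
<p>Tax refund waiting: <a href="http://203.0.113.7/refund">IRS refund portal</a></p>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag, the text a reader sees and the target they hover to find."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    # Last two labels ("www.amazon.com" -> "amazon.com"); no public-suffix list, so co.uk-style suffixes are not handled
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def find_deceptive_links(html):
    """Return (visible text, real host) for links whose text implies a different site than the href leads to."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        real, lowered = registrable_domain(host), text.lower()
        # Case 1: the visible text itself looks like a domain, and it differs from where the link really goes
        shown = re.search(r"((?:[a-z0-9-]+\.)+[a-z]{2,})", lowered)
        mismatch = bool(shown) and registrable_domain(shown.group(1)) != real
        # Case 2: the text names a known brand, but the link does not land on that brand's domain
        for brand, domain in KNOWN_BRANDS.items():
            if re.search(rf"\b{brand}\b", lowered) and real != domain:
                mismatch = True
        if mismatch:
            findings.append((text, host))
    return findings
```

The legitimate Amazon link passes, while the subdomain look-alike, the fake Blizzard host and the bare-IP "IRS" link are all reported.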