Ok. Here it goes… The House Oversight and Government Reform Committee has completed and released its report regarding the huge 2017 data breach and information leak at Equifax, the world’s largest credit monitoring company, and yes, it’s every bit as stupid and enraging as anyone with a functioning brain thought it was. Why? Because of the company’s sheer laziness and arrogance, they failed to install a simple, basic security patch to their database that would’ve prevented the data breach. DEAR. FREAKING. GOD! When anyone complains about updating their computers or smart devices, remind them of this.
The breach affected approximately 148 million customers last year, and despite the constant corporate failings that led to the data breach (I’ll get to those later), Equifax has yet to face significant repercussions. The House committee’s report pulled no punches, criticizing the company’s handling of the events leading up to, during, and after discovering the breach. Former chief executive Richard Smith, who “retired” following the breach, at one point bragged that the company managed “almost 1,200 times” the data held within the Library of Congress every day, and then passed the blame to a single IT employee.
So, here’s what happened. First, Equifax failed to patch their open-source Apache Struts web server, despite the Department of Homeland Security disclosing and announcing a vulnerability warning months prior. Essentially, that server was powering Equifax’s FIVE DECADES OLD web-facing system that let customers check their credit scores on its website. This allowed attackers to exploit the unpatched system, grab as much data as they could, and do whatever they wanted with it. AUURRGGH!!
Here’s a damning excerpt from the committee’s findings:
“Equifax did not see the data exfiltration because the device used to monitor [the vulnerable server’s] network traffic had been inactive for 19 months due to an expired security certificate… Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented.”
The House Oversight and Government Reform Committee
It would take another TWO months for Equifax to update the LONG-EXPIRED certificate, at which point their staff “immediately noticed suspicious web traffic.” Then ANOTHER TWO MONTHS LATER, Equifax went public about the data breach, and the floodgates of attention, disgrace and anger were released. Plus, Equifax’s own former chief information officer David Webb — he also “retired” following the incident — told House investigators that the entire episode could have been prevented had the company updated their vulnerable Apache Struts system within the FIRST TWO DAYS of the security patch’s release. SMDH…
Oh well, what about that Stranger Things Season 3 trailer, huh?