The breach of the credit monitoring firm Equifax, which exposed extensive personal data for 143 million people, is the worst corporate data breach to date. But, incredibly, the mistakes and the superlatives don’t end there. Three weeks since the company first publicly disclosed the situation, a steady stream of gaffes and revelations paint a picture of Equifax’s deeply lacking response to catastrophe.
Equifax’s bungles kicked off quite literally on day one, when the company directed potential victims to a separate domain—equifaxsecurity2017.com—instead of simply building pages to handle the breach off of its main, trusted website, equifax.com. Observers quickly found bugs, some of them serious, in that breach-response site. All the while, Equifax asked people to trust the security of the site, and to submit the last six digits of their Social Security number as a way of checking whether their information had been potentially compromised in the breach.
The site also seemed slapdash, even though Equifax says it learned about the mega-breach at the end of July, and took roughly six weeks to disclose it. During that time, the company could have conceivably planned and executed a much more robust and reassuring resource for wary consumers.
“There should have been a very comprehensive set of policies and procedures for what to do to respond,” says Jonathan Bernstein, the president of Bernstein Crisis Management, which works on institutional response to all sorts of disasters including data breaches. “It’s going to be more difficult to convince people that they can now safeguard data, because Equifax has undermined their credibility from the way they’ve responded. They made the situation worse.”
Further revelations this week indicate that even more basic problems plagued Equifax’s handling of its response website. In the weeks since Equifax disclosed the breach, the company’s official Twitter account has mistakenly tweeted a phishing link four times, instead of the company’s actual breach response page. Lucky for Equifax, the page isn’t actually malicious. Developer Nick Sweeting set up securityequifax2017.com—versus the legitimate equifaxsecurity2017.com—to show how easy the site is to spoof, and how ill-advised it was for Equifax to break it away from its main corporate domain. But if it hadn’t been a proof-of-concept, the phish Equifax inadvertently promoted could have done a lot of harm. Sweeting says the fake site has had roughly 200,000 page loads.
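A defender-side check for the lookalike problem described above, as an added example that is not part of the original article or of Equifax’s tooling: given the official response-site domain, it flags links in outbound messages whose hostname is a reordering of that name (the trick behind securityequifax2017.com), so a social media team would catch the mistake before posting. The token split of the domain name and the sample tweets are assumptions constructed here.

```python
import re
from itertools import permutations

# Values from the article: the breach-response site Equifax stood up, and the
# corporate domain the article argues it should have lived under.
OFFICIAL_SITE = "equifaxsecurity2017.com"
CORPORATE_DOMAIN = "equifax.com"
# Assumed token split of the response-site name; permuting these tokens is
# exactly what produced the proof-of-concept securityequifax2017.com.
TOKENS = ("equifax", "security", "2017")

# Matches bare or scheme-prefixed hostnames, with an optional path.
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)


def _reorderings(tokens):
    """Every reordering of the tokens except the real one, as a bare label."""
    return {"".join(p) for p in permutations(tokens)} - {"".join(tokens)}


def classify_host(host, official=OFFICIAL_SITE, corporate=CORPORATE_DOMAIN,
                  tokens=TOKENS):
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    # Exact match or subdomain of a domain the organisation controls.
    for trusted in (official, corporate):
        if host == trusted or host.endswith("." + trusted):
            return "trusted"
    label, _, _tld = host.rpartition(".")
    # Collapse separators so equifax-security-2017.com is caught as well.
    label = re.sub(r"[^a-z0-9]", "", label)
    # Same tokens in any order (or the real label under another TLD) is a lookalike.
    if label in _reorderings(tokens) or label == "".join(tokens):
        return "lookalike"
    return "other"


def flag_links(text):
    """Return [(host, verdict)] for each link-like string in an outbound message."""
    return [(m.group(1).lower(), classify_host(m.group(1)))
            for m in URL_RE.finditer(text)]


# Constructed sample messages, modelled on the mistake the article describes.
SAMPLE_TWEETS = [
    "Happy to help. Enroll at https://www.equifaxsecurity2017.com/enroll",
    "For more info, please visit securityequifax2017.com",
    "Questions? See https://www.equifax.com/personal/",
]
```

Running `flag_links` over each of `SAMPLE_TWEETS` marks the second message as carrying a lookalike host; a pre-publish hook would hold that message for review.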
“When your social media profile is tweeting out a phishing link, that’s bad news bears,” says Michael Borohovski, the cofounder of the website security firm Tinfoil Security.
Equifax also confirmed this week that it had suffered another, previously disclosed network breach in March, though the company did not provide details on what data, if any, was affected. Complicating things even more, a document from Mandiant (the firm investigating Equifax’s more recent incident) obtained by the Wall Street Journal indicates that there was an additional March invasion, likely pulled off by the same attackers who carried out the mega-breach between mid-May and July. The technical details are still murky, but the incidents in March raise new questions about whether Equifax executives who sold almost $2 million in company stock in early August were aware of the breach when they unloaded the assets. Equifax has said that they “had no knowledge that an intrusion had occurred at the time they sold their shares.”
The accumulation of missteps, slow disclosure, and problematic public response with so many millions of innocent consumers potentially affected deeply troubles security practitioners. “These are all indicators of a company that had a horrible security culture,” says Tinfoil Security’s Borohovski. “Unfortunately, the only word for it is negligence.”
And the more recent mistakes join a list of other revelations that Equifax had a disorganized approach to security, and a naiveté about the possibility of a breach. The fact that attackers got into Equifax’s systems through a known vulnerability with a patch available galls security analysts. But the company also acknowledged that it knew about the patch when it was first released, and had actually attempted to apply it to all its systems. This inadequate effort hints at the truly haphazard nature of Equifax’s operation. Other anecdotes—like the digital platform used by Equifax employees in Argentina that was guarded by the credentials “admin, admin”—simply expand this picture.
“Equifax sits on the crown jewels of what we consider personally identifying information,” says Jason Glassberg, cofounder of the corporate security and penetration testing firm Casaba Security. “You’d think a company like that, guarding what they’re guarding, would have a heightened sense of awareness and that clearly was not the case.”
Many experts note that this Equifax breach could represent a turning point in how institutions handle personal data. Though previous massive breaches have motivated some industry-wide changes, they haven’t had as much potential for menace as the Equifax incident, which may have exposed almost half of the US population’s Social Security numbers (not to mention other data) and may put all of those people at serious risk of identity theft. Seeing so many of Equifax’s missteps together may serve as a warning for the collapse that can eventually occur when security is an afterthought over decades of a company’s growth and expansion.
“There’s no question a company like Equifax would be targeted all the time [by hackers] and that’s hard, but all of this really speaks to poor security practices and a lackadaisical response,” Casaba Security’s Glassberg says. “My hope is that this really becomes a watershed moment and opens up everyone’s eyes, because it’s astonishing how ridiculous almost everything Equifax did was.”
The incident has certainly raised awareness about the vital importance of minimum corporate security, but whether regulators and legislators can actually deliver more accountability is another question entirely.