
Our thoughts on the Equifax Breach of 2017

September 14, 2017

Net Friends has been asked by several of our customers what they should do to respond to one of the biggest data breaches ever, the Equifax Breach of 2017 that resulted in the potential loss of sensitive information that could be used for identity theft, impacting just under half of the entire US population, or 143 million people.

Our guidance on a personal level is to assume your identity data held by these credit bureaus has been already compromised or will be soon, and the only preventative and protective actions available to us consumers are setting up credit freezes with the four main credit bureaus, linked here: Equifax, Experian, Innovis, and TransUnion.

If you are a business owner or a stakeholder in a business, we recommend you perform an IT Risk Assessment on your business.

There are plenty of articles providing guidance to individuals regarding placing credit freezes or increasing their scrutiny and use of free credit reports; all standard advice given to individuals in the immediate aftermath of an identity theft scare or event. Below is Net Friends' expert and candid advice regarding this situation, which goes well beyond this standard advice.

Webserver vulnerabilities are of critical importance

At first, we had little to go on about the specifics of the breach. The scant details provided raised the specter that Equifax staff could not determine key facts about the breach, which was almost as troubling to us IT Experts as it was to initially learn of the size and scope of the data that was breached. When scant details are shared about an incident, this usually means that several critical details are unknown or unconfirmed.

On September 13, 5 days after the public learned about the data breach and potentially as many as 60 days since Equifax internal staff learned of the data breach, we were given some information about how the hackers got into Equifax. In their own words: “We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

What most consumers need to know is that Equifax, along with thousands of other websites, uses Apache Struts and related components (also known as plug-ins) to make their webpages work properly. A good technical overview of both how Apache Struts works and the vulnerability that was exploited in the Equifax attack can be found here. But beyond the details, here are the main things we all can take away from this incident:

Key takeaways here are to remember that your websites are publicly available to anyone in the world, 24 x 7 x 365. Because of their accessibility, they are naturally more vulnerable. If you have a website, you need to make sure it is kept rigorously up-to-date both by your website host provider and your developer. Consider whether your website is of higher risk than others, and whether you need to invest more resources and time into keeping it regularly reviewed and secured by knowledgeable professionals through Risk Assessments or Penetration Tests (also known as PenTests).
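The first practical step behind "keep it rigorously up-to-date" is knowing whether your web application ships a Struts build that is still exposed to CVE-2017-5638. The script below is an added example, not Net Friends code or anything from the Equifax disclosure: it inventories the `struts2-core` jars found under a web application and flags any version inside the affected range. The affected and fixed version numbers (fixed in 2.3.32 and 2.5.10.1) are taken from the Apache S2-045 advisory for this CVE, and the jar paths are constructed sample input.

```python
"""Audit Apache Struts 2 jar versions against the CVE-2017-5638 (S2-045) fix line.

Added example for this post; version boundaries are from the Apache S2-045
advisory, not from the post itself. Jar paths used below are constructed.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, ...]

# Per the Apache S2-045 advisory: 2.3.5 - 2.3.31 and 2.5 - 2.5.10 are affected,
# fixed in 2.3.32 and 2.5.10.1. Other branches are outside the affected range.
FIRST_AFFECTED: Dict[str, Version] = {"2.3": (2, 3, 5), "2.5": (2, 5, 0)}
FIXED_BY_BRANCH: Dict[str, Version] = {"2.3": (2, 3, 32), "2.5": (2, 5, 10, 1)}

# Matches the artifact name Struts 2 uses for its core library under WEB-INF/lib.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> Version:
    """Turn '2.5.10.1' into (2, 5, 10, 1); pad short strings like '2.5' to three parts."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def struts_version_from_jar(path: str) -> Optional[Version]:
    """Extract the version from a struts2-core jar filename, or None for other jars."""
    match = JAR_RE.search(path)
    return parse_version(match.group(1)) if match else None


def is_vulnerable(version: Version) -> bool:
    """True when the version lies inside the S2-045 affected range for its branch."""
    branch = f"{version[0]}.{version[1]}"
    if branch not in FIXED_BY_BRANCH:
        return False  # 2.2.x and older, and 2.6+, are outside the advisory's range
    # Tuple comparison handles the four-part fix version: (2,5,10) < (2,5,10,1).
    return FIRST_AFFECTED[branch] <= version < FIXED_BY_BRANCH[branch]


def audit_jars(paths: Iterable[str]) -> Dict[str, str]:
    """Map each jar path to 'vulnerable', 'patched' or 'not struts2-core'."""
    report = {}
    for path in paths:
        version = struts_version_from_jar(path)
        if version is None:
            report[path] = "not struts2-core"
        else:
            report[path] = "vulnerable" if is_vulnerable(version) else "patched"
    return report
```

Point `audit_jars` at the jar names under each deployed application's `WEB-INF/lib`; anything reported as `vulnerable` is a patch-now item for your host provider or developer.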

Net Friends Network Operations Center

Look before you leap

While it’s tempting to jump to the TrustedID site and sign up for a year of free credit monitoring, consider this first: the website we all were directed to check to see if we were included in the 44% of Americans who were victims of the breach had several key problems at first, such as:

The TrustedID site might be a valid portal for enrolling in a valid credit protection service with Equifax, but the 4 main problems above make it difficult for Net Friends to advise customers to take advantage of these services or to use the TrustedID site. The logic behind how the site was set up, and how it appears to be working, raises our concerns about whether participating in the services offered there will be effective in providing useful protections.

Know who you are dealing with

Sadly, as Americans and consumers, we are not Equifax’s top priority. Equifax is in business to sell products to banks and other businesses who are assessing the credit worthiness of each of us. The credit bureaus (such as Equifax, Experian, Innovis, and TransUnion) are not incentivized to service our needs. Contrast the credit bureaus with Amazon or Walmart, two mega companies who would perish or be outcompeted if they didn’t prioritize the consumer experience and perception.

While this may sound cynical, based on the current incentives of the credit bureaus, they are likely to prioritize avoiding increased oversight and regulation by Federal and State government agencies as much as, or even more than, strengthening their system security and data integrity. In other words, they might spend as much or more on lobbying Congress as they will on improving cyber security.

If this incident has sufficiently weakened your trust in our credit bureaus but you don’t want to just run from the world or revert entirely to dealing in cash, there are still several steps you can take that we will elaborate on in future posts. At the end of the day, this Equifax data breach appears to be a standard data breach in that there was a vulnerability in some software that was exploited by a hacker to gain access to data they shouldn’t have.

What now?

We will repeat what we stated at the top of this article verbatim:

Our guidance on a personal level is to assume your identity data held by these credit bureaus has been already compromised or will be soon, and the only preventative and protective actions available to us consumers are setting up credit freezes with the four main credit bureaus, linked here: Equifax, Experian, Innovis, and TransUnion.

If you are a business owner or a stakeholder in a business, we recommend you perform an IT Risk Assessment on your business.

If you have additional concerns, contact us to discuss and engage with our experts! We are in a terrific position to help you secure your website, assess your risks and company security approach, and help you continue to do what you do best while you work within our increasingly interconnected world.
