As almost everyone who absorbs a daily dose of news knows, Equifax got hacked and the personal information of 44% of the US population has now been stolen. Most likely, if you’re an avid consumer participating in the credit industry machine, your information got pwned. It’s likely that most of the people you know who work, pay bills, use the Internet, and buy things with credit cards or loans got pwned.
This has got to stop. Equifax was hacked through Apache Struts CVE-2017-5638, and a patch was available but had not been applied to their web servers!
I do IT stuff, so to speak. I also know that no matter what operating system I use, there are automated ways of updating my OS and software. If there aren’t, then I’ll script something that will do it for me. I install security and functional updates as soon as they’re available. I watch the blogs, security advisories, email lists, news feeds, etc… And it’s probably still not enough. If I had the budget, I’d dedicate someone to security, as I don’t think even a small company could afford the type of breach that Equifax will most likely weather and carry on from, using our personal information as their product.
And we have to face it: we are their product. Our information is what they use to make money. How the hell is that even legal? Oh, probably because money. Money. That tends to drive most everything, doesn’t it? Or at least the love of it and the greed for as much of it as possible. It’s worse than heroin, it seems.
The vulnerability that allowed Equifax to get hacked was specific to Apache Struts, a Java web-application framework from the Apache project. It’s not that common, because most people running Apache are using PHP — most new servers deployed on the Internet last year (2016) were supposedly using PHP. Anyway, my point is that you shouldn’t worry that this is a common exploit — it’s been patched, and Struts is popular but not used by everyone.
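The practical lesson of the breach is knowing which of your own deployments carry the vulnerable component and whether each one is at or past the fixed release. The following is an added example (not code from this post or from the Struts project): it inventories struts2-core jars under a deployment root and compares each against an operator-supplied list of fixed versions taken from the advisory. The file names and the fixed-version list in the sample are constructed for illustration.

```python
# Added example: find struts2-core jars under a web-application root and flag
# any that are older than the fixed release on the same branch. The fixed
# versions are an input the operator takes from the advisory; the sample
# values below are constructed for illustration only.
import re
from pathlib import Path

JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")

def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))

def classify(version, fixed_versions):
    """Return 'vulnerable', 'patched', or 'unknown' for one installed version.
    A release is compared only against the fix on its own major.minor branch;
    branches the advisory does not list are reported as 'unknown' for review."""
    installed = parse_version(version)
    for fixed in map(parse_version, fixed_versions):
        if installed[:2] == fixed[:2]:
            return "vulnerable" if installed < fixed else "patched"
    return "unknown"

def classify_jar_names(names, fixed_versions):
    """Map each struts2-core jar filename to its status; other jars are skipped."""
    result = {}
    for name in names:
        match = JAR_RE.match(name)
        if match:
            result[name] = classify(match.group(1), fixed_versions)
    return result

def scan_tree(root, fixed_versions):
    """Walk a deployment root (e.g. a WEB-INF/lib tree) and classify every jar found."""
    paths = [p for p in Path(root).rglob("struts2-core-*.jar") if JAR_RE.match(p.name)]
    return {str(p): classify(JAR_RE.match(p.name).group(1), fixed_versions) for p in paths}

# Constructed sample: file names as they might appear in WEB-INF/lib across apps.
SAMPLE_JARS = ["struts2-core-2.3.30.jar", "struts2-core-2.5.10.1.jar",
               "struts2-core-2.3.32.jar", "struts2-core-2.1.8.jar", "commons-io-2.4.jar"]
# Constructed fix list for the sample run; use the versions named in the advisory you act on.
SAMPLE_FIXED = ["2.3.32", "2.5.10.1"]

if __name__ == "__main__":
    for jar, status in classify_jar_names(SAMPLE_JARS, SAMPLE_FIXED).items():
        print(f"{status:10s} {jar}")
```

Run `scan_tree("/path/to/webapps", fixed_versions)` against a real deployment root to get the same classification per jar path.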
Still, you have to wonder about an architecture that allowed the bulk of their sensitive information to be plucked away so easily. Did they not perform risk management? I would think that a company holding such incredibly sensitive information would have. And if they did and it still happened, then maybe they hadn’t implemented their plan to fix the weak parts? I just can’t believe that Equifax took information security seriously enough. Equifax is a company with the EXACT information that hackers are always looking for — you’re a prime target! When I worked in the video game industry I found out that, as developers, you’re targeted constantly and you have to always be proactive. You can never let your guard down. And in the case of Equifax, they’re probably one of the biggest treasure troves a hacker could ever hope for, besides the keys to the bank itself.
When I hear about massive IT failures on this level, I first feel a bit of sympathy for the staff who have to work 24×7 until it’s fixed and they’re confident the intrusion has been contained. But in this case their IT staff blundered in a way that will most likely affect me and force me to spend my own time dealing with it. It’s a huge inconvenience to me, their unwilling product.
Deep in my heart, I’d like to see Equifax go away. I’d like to see it sued out of existence. I’d like to see the government step up and slap some hardcore regulations on the industry, but there’s no chance of that happening right now. In fact, sad to say, all we can do right now is be mad and buy some credit protection. We don’t have a choice but to be part of this credit industry machine — there’s no way off this ride if you want to be an active part of society and buy things. Even greater is the effect the credit industry has had on renting property, leasing, and even employment — what happens now?
I want to see regulations that say they can’t keep my personal information at all. But you know that’s not going to happen — we have an established industry with the money to lobby and influence. I’d like to see regulations that at least prevent them from storing my SSN, but that’s the key identifier in credit reporting. A number that was never intended to be used for it — but try to get credit or a loan without giving it up.
So the way I see it now, they have us, and there’s little to nothing we can do aside from hoping for laws and regulations to protect our information. When industry giants screw up it can hurt everyone, and in this case it probably will. We’re their product, unwillingly. And in America, corporations have more power than you or me.