A security researcher who previously exposed Equifax’s cybersecurity vulnerabilities is speaking out in the wake of the massive data breach, saying that the credit-reporting company was warned to fix its defense systems.
Equifax announced in September that crooks broke into its computer system, exposing as many as 145.5 people to identity theft. And that’s just an estimate, it may take years, even decades before we really know how many people were impacted.
The researcher, who spoke to Motherjones on a condition of anonymity, said that the Atlanta-based company didn’t take his advice, which was given in December.
“It should’ve been fixed the moment it was found. It would have taken them five minutes, they could’ve just taken the site down,” the researcher said. “In this case it was just ‘Please take this site down, make it not public.’ That’s all they needed to do.”
But we now know what the company actually did do: Very little. The agency waited until the following summer to take the site down, by which time the personal information of tens of thousands of people was at risk of being compromised.
Equifax warned of vulnerability months before data breach
Equifax’s problems stemmed from a web portal that somehow was left unencrypted — open to anyone on the web.
“All you had to do was put in a search term and get millions of results, just instantly — in cleartext, through a web app,” the researcher was quoted as saying. He said the personal data of all of Equifax’s customers could be downloaded in 10 minutes.
I’ve seen a lot of bad things, but not this bad.
The revelation comes as a European body announced this week that it, too, is investigating the embattled company. Turns out nearly 700,000 U.K. residents were affected by the data breach as well.
The U.K. Financial Conduct Authority said Tuesday that its probe will focus on the effects of the leak across Britain.
“Hundreds of thousands of people in the U.K. have been affected by the Equifax data breach,” British lawmaker Nicky Morgan, chair of the House of Commons Treasury Committee, told Bloomberg. “The FCA is right to investigate the circumstances surrounding it.”
With this new information, here’s a timeline of the Equifax data breach:
- August 2016: MSCI warns Equifax of vulnerability to data breach
- December 2016: Security researcher discovers hack vulnerability, tells company of flaws; Equifax allegedly does nothing
- March 2017: Agency learns that hackers broke into their computer system
- July 29, 2017: Equifax’s Security team observes “suspicious network traffic” associated with its online web portal and blocks it
- August 1, 2017: Two Equifax executives — Chief Financial Officer John Gamble and Joseph Loughran, Equifax’s president for U.S. information solutions — sell stocks before the hack was dislcosed, according to multiple news reports. Rodolfo Ploder, president of workforce solutions, reportedly sells company stock a day later.
- August 2, 2017: Equifax hires Mandiant, a cybersecurity firm, to investigate the hack and find out what was exposed
- September 7, 2017: Company announces that “criminals” exposed as many as 143 million people to identity fraud
- September 8, 2017: Company lets users enroll in the TrustedID Premier service, which includes clause freeing them of liability in a lawsuit
- September 26, 2017: The Board of Equifax announces that Richard Smith is out as Chairman/CEO effectively immediately
- October 2, 2017: Mandiant’s concluded investigation shows that an additional 2.5 million U.S. consumers were potentially impacted, bringing the total exposed in the hack to 145.5 million
- October 12, 2017: Equifax confirms it was hacked again, this time with a fake Flash installer application. The company is investigating the attack to learn more
- October 16, 2017: Equifax loses appeals hearing on cancellation of $7.2 million contract with IRS.
Money expert Clark Howard says in the wake of the massive data breach, the one true protection U.S. consumers have is to freeze their credit. “It’s imperative that you freeze your credit with all three main credit reporting agencies: Equifax, Experian and TransUnion,” he writes.
Equifax breach: 5 things to expect when freezing your credit