Equifax: What Happened and What You Can Do

Part One: Technical

Feel free to skip this section if you are not interested in how Equifax was hacked. I’m not going into extreme detail, just enough for the average person to have some idea of what happened.

The reported source of the breach, a bug in Apache Struts (CVE-2017-5638), was first discovered in March 2017 and patched on the day it was discovered. Since the access to Equifax’s systems occurred May through June, well after the patch was available, there is only one possible root cause: Equifax failed to deploy the patch. The bug allows an exploit of file uploading in which specifically crafted content-type headers contain remotely executed arbitrary commands.

Another bug, CVE-2017-9805, has been claimed to be responsible, but this was before Equifax itself confirmed that CVE-2017-5638 was the bug in question. It is likely that 9805 was incorrectly guessed to be the source because it is another severe bug that allows remote code execution by an unauthenticated user.

Additionally, other security professionals have identified numerous issues with Equifax’s systems in the aftermath. These include administration web panels being open to public access, incredibly weak credentials for authentication (one panel reportedly accepted “admin” as a valid login, both username and password), and data both on those web portals and in data supplied by the hackers was unencrypted plaintext.

For any non-technical readers still with me at this point: default username/password in a web panel like admin/admin is a security horror. Publicly accessible administration sites are sometimes necessary, but good IT practice is to secure these sites as far as possible, though a much better option is to keep such sites inside a corporate network (ie, not open to the internet) and have remote employees access them via VPN. But the worst of this is that confidential information was stored in plain text in a database. Typically that sort of information should be either encrypted or at a minimum obfuscated.

Part 1 TLDR: Equifax’s poor security is to blame for this hack, and for the potential impact of the data exposed.

Part Two: What Was In The Breach?

Short answer: enough to easily commit identity fraud against about 100 Million Americans.

Long answer: social security number, full name, addresses (probably the entire history the agency kept), credit score and possibly account balances, and possibly driver’s license numbers. Approximately 143 Million records were exposed, of which just under 100 Million were of US Residents. The other records include Canadian and South American consumers. Equifax denies that any of its credit reporting data or history was accessed at this point, but given the nature of the data exposed and the poor security practices, it’s hard to be confident of this claim.

Part Three: What Can I Do Now?

FREEZE YOUR CREDIT

Freeze your credit, and perhaps use some credit monitoring to make sure nothing else happens. Freezing your credit will prevent anyone from pulling your credit report. You are able to either unfreeze it or create temporary codes for specific creditors to access your report, and also create temporary lifts of the freeze so that your credit is accessible for a short period.

Bad news and good news: credit reporting agencies charge for this service, however how much they can charge is limited by state laws, and in some states this service is free. Here is a list of total costs to freeze your credit by state. Equifax has waived its fee temporarily. Additionally, some US Senators have introduced a bill that would make credit freezes free.

Additionally, there are two smaller credit reporting agencies with which you may want to initiate a freeze. These agencies will each give you a PIN (or allow you to select one) that you will need to unfreeze or temporarily life a freeze; be sure to keep it!

Links to security freeze online:

Equifax or call 1-800-349-9960

TransUnion or call 1-888-909-8872

Experian or call 1-888-397-3742

Innovis

ChexSystems

WAS YOUR DATA EXPOSED?

Please follow these steps precisely, as Equifax’s site is a bit awkwardly designed.

Visit https://www.equifaxsecurity2017.com/enroll/
Click the “Begin Enrollment” link
Enter your last name and the last six digits of your SSN.
Click the “I am not a robot” checkbox and follow the instructions to complete the anti-bot check.
Click “Continue”
If the following message says “Based on the information provided, we believe that your personal information may have been impacted by this incident.”, everything detailed in Part Two here is now likely as good as public information.
If not, thank goodness, but I still recommend freezing your credit.
Equifax is offering credit monitoring service for free; at first the agreement for this included a binding arbitration agreement (meaning you had to agree not to bring a legal suit against them, but to instead follow arbitration protocol, which involves a mediating third party and negotiations), but that clause has since been removed, so it may be safe to sign up for, but in the case that legal advice is readily available to you, it may be prudent to seek that before you do.

Part Four: What Else Can I Do?

First, bringing a lawsuit against Equifax is not likely to work out well. A class action suit is probably already under way, and the total liability probably greatly exceeds the company’s actual value. Basically, there’s good reason to suspect that Equifax may be put out of business, and the cost of obtaining any kind of monetary compensation from them may exceed the likelihood of being able to actually collect.

Additionally, and I must preface this with the fact that I am not a lawyer, it is likely that consumers whose data was taken could not successfully bring a suit unless their data was actually used. This would provide actual dollar values for damages on which the value of a suit could be calculated. It may also be that a successful suit in small claims court might prevent further suits when a consumer’s data is actually used later on. That is to say, suing now could feasibly make it harder or impossible to sue later when your stolen data is actually used to harm you. But as I said, I am not a lawyer, and seeking the advice of a lawyer is always preferable to guesswork.

You can and should write your Senators and your Representative in the House. You can look them up at senate.gov and house.gov. Perhaps needless to say, there's already been quite a bit of motion on this issue in Congress, but your input in the political process is always valuable. It is no small problem that these credit reporting agencies hold significant and confidential data on you, and you have never specifically agreed to do business with them. They make money off of data they have basically laid claim to with no real public assent.

Further, if you are in a position in your own organization to push for better security policies with user data, or even to implement such policies, please do so. Network security, and data security generally, are paramount issues that few organizations take as seriously as they should. Public education on electronic security is insufficient to the cause, and consumer services and devices are riddled with security flaws that in many cases could have been adequately addressed by available software patches or basic security procedures. Where you can, push for software to be updated, patched, and security audited.

Personally you can begin by changing all of your passwords online to long, unique (do not re-use passwords), and hard-to-guess phrases (do not use personal information). A password manager like LastPass, DashLane, KeePass, or 1Password will help. Read this article for additional information on how identity theft happens and what to do if it happens to you.