In May 2017, the credit monitoring firm Equifax was hacked and 143 million individual's personal information was exposed. The hackers gained access to millions of social security numbers and many people are at serious risk of identify theft. This is the worst corporate data breach in history. Equifax says it knew about the mega breach at the end of July and took six weeks before it notified the public. Equifax set up an additional website to address questions and offer free credit monitoring, a breach response page, but that page had bugs and issues as well. Also, Equifax tweeted a phishing link four separate times instead of the correct response page link. The public was not pleased that Equifax knew about the breach but did not immediately report it.
Upon further investigation of Equifax's system, the Apache Struts web-application software, it was discovered that the vulnerability of the system was disclosed to the company in March and the company chose not to remedy the situation. They did not install "the patch" which would have fixed the issue and the breach would ultimately not have occurred. The hackers knew about the vulnerability of the system because it was public knowledge and used it to their advantage. Many individuals filed lawsuits against the company.
The Federal Trade Commission investigated the Equifax data breach. They discovered that four members of the Chinese military were the culprits. The hackers identified a flaw in the software where U.S. consumers disputed problems about their credit reports. They were able to access the names, birthdates and Social Security numbers of the victims. However there is no evidence that the Chinese military used this information for illegal purposes.
The four members of the Chinese army were charged for the crime. The criminals were able to go undercover and act as authorized users of the system. They covered their tracks well by accessing 34 servers in 20 countries, compressing the files for more inconspicuous transmission of them, using remote-desktop access, and encrypted log-ins. The FTC discovered that Equifax had a patch for the software 2 months before the hack and chose not to install it. The Apache Foundation supported the claim by stating that the breach was due to Equifax's failure to install the security updates.
References
Bomey, N. (2020, February 10). How Chinese military hackers allegedly pulled off the Equifax data breach, stealing data from 145 million Americans. USA Today. Retrieved November 2, 2020, from https://www.usatoday.com/story/tech/2020/02/10/2017-equifax-data-breach-chinese-military-hack/4712788002/
Newman, L. (2017, September 14). Equifax Officially Has No Excuse. WIRED. Retrieved November 2, 2020, from https://www.wired.com/story/equifax-breach-no-excuse/

Interesting topic! It is shame that some people want to commit theft and some flawed systems allow them to do it. What is more disappointing is that Equifax took six days to report the breach. I wonder what was going through their minds when this first happened. Do you think they made matters worse because they took so long to report making them suspicious?
ReplyDeleteI love the blog post! The one thing that bothers me is that Equifax takes nearly six days to figure out millions of customers had their personal information taken. This important information that was taken away from millions consists of social security, date of birth, and home addresses. I just want to know more about whether or not other multi-billion companies are at risk of issues like hacking. Do you believe that companies should implement more regulations and rules on hacking?
ReplyDelete