And now the details are finally out, confirming our worst fears. One of the USA’s credit reporting companies, 118-year-old Equifax, was the subject of the world’s biggest ever data breach in terms of numbers and impact. The hack lasted from mid-May through July, enough time for the hackers to access people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole the credit card numbers of about 209,000 people and dispute documents with personal identifying information for about 182,000 people. It can’t get more devastating than that, right? Wrong! They grabbed the personal information of people in the UK and Canada too. Clean sweep.
“How could this happen?” the world wondered. Surely there is no way the US government, with all its firepower, could sit pretty as a staggering 143 million citizens were summarily ushered into financial risk for the rest of their lives.
On Tuesday, Equifax revealed that the breach was due to an Apache Struts vulnerability. Apache Struts is free, open-source software used to create Java web applications. Several vulnerabilities have been reported, all since patched, but Equifax has not said which one was involved in this breach. And so the head scratching continues. Was it due to an older vulnerability? If so, why wasn’t the flaw patched?
If it was a new and unknown flaw, which should have been detected either way, why wasn’t there an effort to make things right before they came to a head? Did money change hands? With brokers having no qualms spending north of a cool $1 million for crumbs of data, the theory that the hackers were given a Messi-esque through pass to the data center suddenly holds water. If you still have doubts, then this will make you climb down the tree: Three senior Equifax executives sold shares worth nearly $1.8 million days after the breach was discovered and weeks before it was made public, when the stock tanked. Everything, quite unfortunately in this case, has a price.
Although irate US Senators have demanded clear answers from the honchos at Equifax, this is something even the best in the game will be hard-pressed to explain. Indeed, Legibra’s CTO Kagai Macharia, known for his no-nonsense anti-hacking approach, is still finding his feet on this one. “This is crazy!” he told this writer at Legibra’s headquarters in Nairobi, Kenya. “I am surprised that such a corporation would base its operations on an open source software. Nonetheless, Apache has some degree of safety because users can inspect the source code and make sure it’s secure. So something is amiss here. I don’t know …”
The Equifax CEO braved the calls for his head to tell an already stunned world that the intrusion was first discovered on July 29, a whopping 6 weeks before the news was made public. And despite engaging a cyber security firm to contain the situation, he could not put a finger on the cause of the breach, nor give any firm assurances.
You would think that Equifax’s PR department would pick up the ball dropped by its IT department. But the firm’s website, which (it has to be said) was not #MadeByLegibra, provided confusing and conflicting info. Soon everybody turned to social media to make their fears known as others combined to file 23 class-action lawsuits, creating another storm to go with Hurricane Irma.
The worst part of all this is that the hackers, who could very well be an enemy country, did not leave any trail, and it remains to be seen how the data will be used against the 143 million strong. Already some have reported that their bank accounts have been wiped in their entirety and, as if that were not enough, credit taken out in their names.
Someone should have noticed the high server load, or some similar warning sign, and prevented this record-breaking disaster from happening. That ship has sailed now, leaving a very expensive lesson behind.