Saturday , October 21 2017

The Equifax Hack Included Almost 11 Million Driver’s Licenses


The Equifax hack exposed critical personally identifying information on more than 145 million American adults. That’s not all adults by any means, but it’s well over half the adults in the country. Now we know that social security numbers, credit cards (in some cases), full names, and home addresses aren’t the only things the hackers made off with. They got nearly 11 million driver’s licenses, too.

That’s the latest from the Wall Street Journal, which reports that 15.2 million client records in Britain were also compromised. That may not sound like much compared with the United States, but the UK’s population is 65.64 million, which means a significant percentage of the UK was compromised. 700,000 British accounts leaked “sensitive” information as well, though we don’t know exactly what that refers to.

Equifax has been absolutely hammered for its awful response to the hack, as well as for the lapses in security that created the situation in the first place. Even after its security was penetrated in March, the company failed to apply mission-critical patches, leading to the catastrophic breach. In the wake of the disaster, Equifax has offered free credit monitoring services and fired its CEO, CIO, and chief security officer.

“Once again, I would like to extend my most sincere apologies to anyone who has been concerned about or impacted by this criminal act,” said Patricio Remon, Equifax’s president for Europe. “Let me take this opportunity to emphasize that protecting the data of our consumers and clients is always our top priority.”

The company’s former CEO, Richard Smith, told a congressional committee that the breach was the result of “both human error and technology failures.”

We disagree. While it’s true that vulnerabilities existed in Apache Struts that the hackers were able to take advantage of, it is practically impossible to perform a full security audit of every single piece of software before it ships. Even limited security audits that isolate specific code functions can be arduous affairs that drag on for months.

The above is not to dismiss the critical importance of testing software before release; it is only an acknowledgment of the fact that software bugs are going to exist and will need to be patched post-launch. That’s why so many companies push out security updates on a regular schedule and sometimes respond immediately to critical, zero-day threats. Our existing security model is far from perfect, but it drastically reduces the chance of being attacked if companies stick to regular patch schedules for ordinary security updates and move quickly to apply critical updates when they are released.

If Equifax had been blindsided by a previously unknown attack vector, we’d agree that “technology error” accounted for a meaningful percentage of the problem. But that’s not the case here: a fix was available and appropriately labeled as mission-critical. Equifax simply didn’t apply it.
