The massive – and avoidable – data breach at credit agency Equifax has left millions of consumers at risk, but don’t expect anyone to be held to account
Last week, much of the tech world was temporarily unhinged by a circus in Cupertino, where a group of ageing hipster billionaires unveiled some impressive technology while miming the argot of teenage fandom (incredible, amazing, awesome, etc) and pretending that they were changing the world. Meanwhile, over in the real world, another tech story was unfolding. Except that this is not just a tech story: it’s a morality tale about how we have come to inhabit a world in which corporate irresponsibility, incompetence and greed go unpunished, while little people can’t get a loan because they have an incorrect blemish on their credit records, which is almost impossible to detect and correct.
This story concerns Equifax, an outfit of which I’m guessing you’ve never heard. Nor had I. It’s one of the three largest American credit agencies (the others are Experian and TransUnion). Its business – its only business – is to collect, securely store and aggregate information on more than 800 million individual consumers and nearly 90m businesses worldwide. If your application for a loan is declined, or your credit card suddenly ceases to work, the chances are that it’s because some kind of warning flag has popped up on the screens of one of these three companies. So the personal information that these agencies hold is the most sensitive and potent kind of data there is.
Equifax will continue its erratic custody of precious data because it’s too important to the US economy to be shut down
You can guess what’s coming next. Sometime between mid-May and July, Equifax was hacked via a security flaw in the Apache Struts software that it used to build its web applications. The flaw, which gave hackers an easy way to take control of sensitive sites, had been fixed on 6 March and patches were made available to every organisation that used Struts. That meant, as various commentators pointed out, that Equifax’s IT department had the tools to plug the security hole and two months in which to do it. For some reason, they didn’t.
As a result, the hackers were able to steal the personal information of 143 million Americans. It is the most important financial data available on any citizen – names, dates of birth, social security numbers, home addresses and in some instances a lot more, including credit card details of more than 200,000 US consumers (and some UK consumers). It’s everything you need to engage in identity theft on an epic scale. “On a scale of 1 to 10 in terms of risk to consumers,” said a fraud analyst at consultancy firm Gartner, “this is a 10.”
But wait, there’s more. Equifax discovered the breach on 29 July, but didn’t reveal it publicly until 7 September, no doubt because the internal investigation was long and complex. During that period, however, three of its senior executives unloaded shares in the company valued at $1.8m. But this, apparently, was completely coincidental: the poor dears (who included the chief financial officer) were not aware that an intrusion had occurred when they sold their shares. Still, 36 nasty suspicious US senators have now written to the Department of Justice, the Securities and Exchange Commission and the Federal Trade Commission asking them to look into this, er, fortuitous trading.