Earlier this month, American credit-reporting corporation Equifax announced that it had been the victim of a database breach that exposed the personal information of over 143 million Americans, alongside an undisclosed number of Canadians and UK residents.
The Equifax breach is so significant because of the sheer amount of highly sensitive personal information the company stores on its servers. The company is pervasive because a myriad of banking institutions rely on its services when vetting people for anything from a loan to verifying credit history.
A little trading amongst friends
In-between the time that the initial breach was discovered (late July) and public disclosure (early September), several higher-ups at Equifax sold off large chunks of their stock, leading one-third of US Senators to ask the Securities and Exchange Commission and the Justice Department to investigate the individuals for insider trading. Executives sold off stock and netted almost two million dollars in early August. The timing seems to be a little suspect, and many want the US government to intervene and investigate the issue at hand.
The luck of the draw
The troubled company is offering the public a chance to check whether or not they have been affected by the breach through its TrustID product and website. The catch, however, is that the website can’t actually tell whether your information has been compromised and instead returns a random outcome, so it gives you no real way of knowing whether you were affected. People who have entered the same information several times have received different randomly generated yes/no results, and the site also prompts users on the results page to continue enrolling in the TrustID program. The Terms of Service for TrustID appear to make it more difficult for claimants to pursue the parent company if they do sign up for the product, and many believe the site to be an easy way for Equifax to discount claimants in the future once the eventual class action lawsuit hits the courts.
Suing for fun and profit
If you’re one of the many Americans affected by the breach, the DoNotPay chatbot can help you file papers. Originally designed to help combat parking tickets, DoNotPay creator Joshua Browder (one of the many affected by the breach) hopes that the bot will help “bankrupt Equifax”. User beware, however: local laws governing the filing for damages differ from state to state, so depending on where you are, properly filing your claim may be a more involved process.
Canadians may feel the burn too
Equifax Canada is also feeling the mounting pressure to disclose how many Canucks have had their private information leaked out. The Canadian Automobile Association (CAA) recently announced that it had partnered up with Equifax as part of an identity protection program, and had about 10,000 members participating. It appears as though the American arm of the company was the one responsible for housing CAA member information, though the parent company remains tight-lipped about the extent of the breach for those outside of the United States.
South American troubles
It has been revealed that the American arm of the company isn’t the only one with security holes that needed to be addressed; it’s been reported that the Argentinian portion of the company had the credentials for an employee tool set to “admin” for both the username and password. The tool, a web application called Ayuda (Spanish for “Help”), allowed users access to the personal information of tens of thousands of people living in the country.
Blaming the Open Source guy
While Equifax was out there lobbying for easier regulation prior to its late-summer data breach, an anonymous source has been quoted as saying the breach occurred due to a vulnerability in the open source Apache Struts server framework. There are several issues with this theory, which are outlined in the above weblink, making it hard at this time to say whether this is indeed how hackers gained entry into Equifax’s databases.
The future, or lack thereof
The US Federal Trade Commission (FTC) has recently taken the extraordinary step of issuing a statement that it is in fact presently investigating Equifax (http://www.reuters.com/article/us-equifax-cyber-ftc/ftc-probes-equifax-top-democrat-likens-it-to-enron-idUSKCN1BP1VX). The FTC usually does not comment on whether or not it has active investigations and probes, but due to the extensive nature of the breach, it felt compelled to let the American public know that it is looking into the matter.
However this situation plays out, it makes clear that there is a need for stronger guidelines and better-implemented security controls when it comes to storing and disclosing sensitive information. It may take years for the process to play out, given the many legal threads that have appeared in the week since this story came onto the scene.
If you believe you may have been affected, a user over at the YouShouldKnow subreddit has a pretty good jumping-off point for figuring out actionable steps you can take to protect yourself. While you cannot change what’s already happened, you can at least take steps to prevent potential future damage to yourself.