Equifax’s Technology: What Happened?

by Jerry Stern, PC410.com

I’ve been asked many times, “Can I be hacked?” The answer is “generally not without your help.” Hackers of low-value targets (any small business) send you links to malware and hope you’ll click on something that installs software to search and monitor your computer and online activity for email account logins and credit card numbers. That’s pretty well blocked by good ‘antivirus’ software, unless you click to let it in. Hack attempts against high-value targets, like global companies and government agencies, are custom-tailored, and the attackers are looking for network access to a lot more than an email account or credit card. Both of these situations are hack attempts at the level of a worker’s computer.

That’s not what happened at Equifax. They had unpatched software (“Apache Struts”) on a web server, open and available to the outside world through their set of web sites. Apache Struts was widely installed, with a patch available on March 7th, but the patch was not installed at Equifax. Once Apache announced the patch, the hackers knew where the problem was on many servers; some time later, they found that issue at Equifax and used it to gain access to Equifax servers.

Web sites are scanned by hackers continuously for known security gaps, and that’s what happened to Equifax. They didn’t monitor, patch, or detect the problem, the invasion, or the downloads in a way that any other company in financial services would have. If we were their customers, we would leave, and they would be gone. That’s not the case here. They sell their services to banks and other credit monitoring companies, not us. We are a commodity, not a client.

Put simply, Equifax profits from the breach. They are offering free credit monitoring to anyone impacted by the breach. That credit monitoring won’t be free forever, although their sign-up page is not currently asking for any card numbers. BoingBoing.net estimates that if 1% of the free users continue their monitoring next year, Equifax will make an extra $200 million per year. Equifax will also receive millions from other credit monitoring companies that pay Equifax for credit reports, and from the Federal government, which pays Equifax as the exclusive provider of identification confirmation services. Here’s their analysis:

What To Do

Andrew Bareham has listed the financial steps above. Remember that the stolen data doesn’t expire. Prevention is key; cleaning up after identity theft takes years. Freezes are less hassle than cleaning up later.

For better protection against hacks that happen on your own systems, there’s a one-page document from KnowBe4.com that summarizes what you need to know about social engineering. That’s the set of tricks used to convince you to click a fraudulent message.