The Equifax hack and ‘virtual certainty’ of future cybertheft

In this Saturday, July 21, 2012, photo Equifax Inc., offices are seen, in Atlanta. Equifax Inc. is a consumer credit reporting agency in the United States. (AP Photo/Mike Stewart)

Equifax, one of the three major credit reporting agencies, announced last week that sensitive data from more than 143 million American consumers may now be in the hands of hackers. Credit card, Social Security, and driver’s license numbers are among the information included in the breach, as well as other personal identity data like birthdays and home addresses.

“An uptick in theft and abuse as a result of this breach is a virtual certainty,” said William Robertson, associate professor of computer science at Northeastern. One likely consequence of the hacking event will be attempts to open illicit lines of credit, and other actions that require credit checks, Robertson explained.

Who is responsible for the hacks? What can consumers do to protect themselves in the wake of this massive data breach? Here, Robertson answers our questions and offers additional advice for consumers.

Equifax announced that criminals exploited a website application vulnerability to gain access to consumer data. Who might these criminals be? And what sort of vulnerability did they exploit to gain access?

Attack attribution is one of the most difficult challenges of post-exploitation analysis. So, there’s really no way to know for sure exactly who perpetrated this intrusion without an extended forensic analysis, which has yet to be performed. However, the motive for such an attack is clear, as the information stolen from Equifax will be extremely useful in carrying out a multitude of variations on identity theft.

What we do know for certain is that the attackers used a known vulnerability in Apache Struts, a popular software framework for developing web applications. It is particularly disappointing that Equifax (a) failed to patch its software against this flaw and (b) allowed seemingly direct access to its most sensitive data after only one successful exploit instead of having multiple layers of complementary defenses in place.

What can people who were impacted by this data breach do to protect themselves? What should companies do to ensure this doesn’t happen again?

On the consumer side, the first protective action to take is to apply for credit freezes at Equifax, Experian, and TransUnion, the three main credit bureaus. Freezing your credit will make it impossible for a credit check against your records to succeed so long as it comes from a business that you do not already have an existing relationship with, and makes it much less likely that a criminal can, for example, open new lines of credit without your knowledge.

Unfortunately, with the flood of credit freeze requests it has been reported that credit bureaus are having difficulties handling the deluge. In addition, it now appears that the PINs being issued to consumers to authenticate legitimate credit checks are easily guessable by attackers, raising the unfortunate possibility that freezes can be circumvented if the initial PIN is not requested to be changed by consumers.

On the other side, it seems clear that there are still gaping holes in the security practices of certain credit bureaus. For these companies to play so fast and loose with consumer data is frankly unconscionable. A good start toward ameliorating the situation would be to apply well-known best practices in operational security such as promptly applying security patches and making use of multiple layers of defenses to compartmentalize and protect their sensitive data.

There has been some criticism about the time between when Equifax knew about the breach and when it informed the public. How long do companies typically wait to inform the public after a hack has been identified?

Company breach notifications generally follow procedures outlined in state law that is usually based on California’s 2002 legislation. This protocol mandates that notification should occur immediately in writing to consumers, so long as immediate notification would not impede any ongoing criminal investigation.

It seems particularly disappointing that a company that provides identity theft protection would be hacked. Is it truly impossible to protect consumer data from hackers online? Is there any way to make data hack-proof?

I wholeheartedly agree that this incident is disappointing, especially since this was a seemingly simple intrusion that could have easily been thwarted if standard best practices had been followed. Protecting data from hackers is indeed a difficult task. However, this instance is yet another indication that companies do not always take this task seriously. In addition to scientific and technical advances, it might be time to seriously push legal and social actions to provide sufficient incentive for companies to safeguard consumer data properly.