I can’t say I’m surprised given the size of the breach, but it’s still worth reporting that:
More than 30 lawsuits have been filed in the United States against Equifax after the credit reporting company said thieves may have stolen personal information for 143 million Americans in one of the largest hackings ever.
At least 25 lawsuits had been filed in federal courts by Sunday, including at least one accusing the company of securities fraud, court records show.
Read more from this Reuters report on Independent.
I’m used to seeing consumer criticism of an entity after a big breach, as well as numerous articles telling consumers what they can do to protect themselves, what lessons can presumably be learned, how the breach happened (often based on what turns out to be inaccurate speculation) and so much more.
In this case, the criticisms of the breached entity seem even harsher than what I usually see. Some of it is self-inflicted injury by Equifax, who created a breach support site that required consumers to input the last six digits of their Social Security number to find out if they had likely been affected by the breach – and then gave them inaccurate information. And to add insecurity to insecurity, Equifax’s breach support site creates a PIN number for the consumer that is simply a timestamp. Now you might think that that would be more than enough to nominate Equifax for some Incident Response Wall of Shame, but there’s actually more. Today, Zack Whittaker reports on a vulnerability in the Equifax alerts subdomain.
There are yet other reasons to criticize or mock Equifax, though. For one thing, they do what Experian has done – they offer breach victims their own product as a free/complimentary breach mitigation service. But then that product will end at some point and consumers will have to pay to continue it. So Equifax offers its own product as a “sample” to get more consumers down the road after it has harmed consumers already? I complained about that with Experian, and consumers are correct to complain about it now. In my opinion, credit reporting agencies should be required to offer their competitors’ products as a freebie, too. Maybe paying their competitor to clean up after their mess might be a great inducement for companies to improve their security?
Equifax still hasn’t responded to inquiries sent to it by this site multiple times asking whether claims by the “underground researcher” known on Twitter as “@real_1x0123” have any confirmation. Given that he’s been reliable in at least some of his past claims (such as the PayAsUGym hack) and that he provided a claimed screenshot of file directories, why hasn’t Equifax answered this site’s questions? I know Equifax media relations has to be busy, but that’s kind of an important question, don’t you think? Their failure to respond may lead cynics to ponder if Equifax has something to hide.
Not only has Equifax failed to respond to repeated inquiries from this site about that concern, their Twitter team has also ignored DMs on this query. Let’s just chalk that up to yet another incident response FAIL, Equifax.
So as irony meters explode all over this country, Equifax – a firm that lectures people about protecting against identity theft – has already bungled more in its incident response than one could ever imagine. It is not surprising that its stock value plummeted more than 20% since they announced the hack, although there are small signs that it is starting to recover today.
Members of Congress are predictably harrumphing and calling for hearings, while state attorneys general are already gearing up and trying to get more protection for their citizenry. Getting Equifax to clarify that consumers do not waive rights by signing up for free services was an important protection achieved by state attorneys general, but there’s much more that needs to be investigated and addressed.
But since Equifax won’t answer my questions, perhaps some member of Congress will ask them about specific hackers’ claims? Including, perhaps, asking them how many extortion letters/emails they’ve received and whether any of the extortionists have included data samples or evidence of access or intrusion. I mean, who knows? Will we eventually hear from TheDarkOverlord, “Mr. Smith” or other hacking collectives I will leave unnamed for now who have hacked and attempted to extort businesses? Or will we hear that this hack was by a state actor?
Whatever we hear, we’d better hear some better incident response from Equifax if they hope to survive this catastrophic failure on their part.
Update 1: The Senate Committee on Finance included some good questions in their inquiry letter to Equifax. What they didn’t ask was whether Equifax has received any extortion demands or communications from those claiming to be the hacker(s).
Update 2 (Sept. 13): Although Equifax was offering its credit monitoring service for free, it had the chutzpah to try to charge consumers for placing a security freeze on their credit reports. Yesterday, they announced that they would not charge for security freezes and would refund those who had already paid for one.
Update 3 (Sept. 13): And then there was this update on Equifax’s site:
1) Updated information on U.S. website application vulnerability.
Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.