The Equifax Breach: A Case Study

The Breach

The Equifax breach occurred in May 2017. Over a 76-day period from May into July, many queries went unnoticed as they collected information from the Equifax database. In September, Equifax notified customers of the breach, a total of 6 weeks after the breach was originally discovered. By March 2018, 148 million people were confirmed affected by the breach. The breach exposed information that could result in identity theft if abused, including credit cards, driver's licenses, Social Security numbers, dates of birth, phone numbers, and email addresses. The Equifax breach calls into discussion the importance of responsible disclosure. Although the leaked information carried a consequence as serious as identity theft, Equifax failed to inform the public of the incident in time for the affected parties to respond and anticipate the consequences. Furthermore, the breach raised the question of how much responsibility a company must take for its security, or lack thereof.

The Tech

The breach itself consisted of 9,000 queries, which went unnoticed due to outdated security measures. Hackers stumbled upon a database that contained unencrypted credentials, which they then used to access internal databases. The network-data inspection system, the software that would have caught such breaches, had been down for 10 months before staff noticed. The flaw itself was found in Equifax's Apache Struts software. The Apache Software Foundation claimed to have sent out an update to patch the hole in March, a day after the bug was discovered. In contrast, Equifax claims to have discovered the hole on July 29th and acted immediately to fix the issue. Grey hat hackers found additional weaknesses, such as cross-site scripting, the basis behind phishing attacks. They also discovered that Equifax's foundation was a combination of Netscape, IBM WebSphere, and Java that was a decade old. In all, experts say that Equifax's lax security practices ultimately caused the breach, affecting millions of people.

The Fallout

Because of the extended period Equifax took to react to the situation, and moreover the time it took to tell the public of the breach, millions of people lost the chance to take protective measures against identity theft. Equifax failed the customers who trusted it with important personal information. How should Equifax have reacted to the breach? How responsible are companies for updating their security measures? Who is at fault? Let me know your thoughts in the comments down below.
