Last week, a massive hack of the credit bureau Equifax stole critical personally identifiable information (PII) on 143 million United States citizens. The company's response to the incident has been strongly criticized, and now we know the incompetence isn't limited to the customer-facing sections of the company. The flaws that allowed hackers to penetrate Equifax and steal its customer information were patched several months ago.

The flaw in question is inside Apache Struts and is identified as CVE-2017-5638. It's described as a flaw in file upload handling, which "allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017."
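Because the CVE text places the malicious input in the Content-Type header, a defender can review logged header values for anything that is not a plain media type. The following is an added detection sketch, not code from the article, Apache or Equifax; the tab-separated log format, the function names and the sample lines are constructed for illustration.

```python
import re

# Media-type grammar (RFC 6838/7231): type "/" subtype, then optional ;name=value parameters.
NAME = r"[A-Za-z0-9][A-Za-z0-9!#$&^_.+-]{0,126}"
PARAM = r'\s*;\s*[A-Za-z0-9_.-]+=(?:[A-Za-z0-9_.:/+=-]+|"[^"\\\r\n]*")'
MEDIA_TYPE = re.compile(rf"{NAME}/{NAME}(?:{PARAM})*\s*")

# "#cmd=" is the string quoted in the CVE description; "%{" and "${" are the
# expression delimiters Struts evaluates as OGNL.
MARKERS = ("#cmd=", "%{", "${")

def classify_content_type(value):
    """Return 'ok', 'malformed' or 'suspicious' for one Content-Type header value."""
    lowered = value.lower()
    if any(marker in lowered for marker in MARKERS):
        return "suspicious"
    if not MEDIA_TYPE.fullmatch(value.strip()):
        return "malformed"
    return "ok"

def scan(lines):
    """Scan lines of the assumed form: ip<TAB>request<TAB>content-type."""
    findings = []
    for number, line in enumerate(lines, 1):
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3:
            findings.append((number, None, "unparseable"))
            continue
        ip, _request, content_type = parts
        verdict = classify_content_type(content_type)
        if verdict != "ok":
            findings.append((number, ip, verdict))
    return findings

# Constructed sample log; line 2 is a non-functional fragment that only carries the markers.
SAMPLE_LOG = [
    "198.51.100.7\tPOST /upload.action\tmultipart/form-data; boundary=----abc123",
    "203.0.113.9\tPOST /upload.action\t%{(#cmd='id')}",
    "192.0.2.44\tPOST /api/items\tapplication/json; charset=utf-8",
    "203.0.113.9\tPOST /login.action\tnot a media type",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A check like this only works where the web tier actually logs the Content-Type request header, and it complements the patch rather than replacing it.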

This flaw was fixed on March 6, 2017. It was already under heavy attack by March 9 and Ars Technica reports it was still being exploited on March 11. Equifax was penetrated in mid-May, meaning the company waited more than two months to apply mission-critical patches that were ranked at the highest degree of severity and reported in multiple security publications and notices. This isn't some minor issue that got swept under the rug by a vendor and happened to bite a company. It's a further demonstration of lax security practices and incompetence at a company that contains more critical personal data on US citizens than likely any other.

There's a reason I say that. It's true that access to a Facebook account might tell you much more about a person than their credit history, but a person's Facebook profile doesn't contain data that governs their entire modern life. If I know your social security number, address, and date of birth, I know far more than I need to know to steal your identity. Your driver license number (some of these leaked as well) is icing on the cake.

Thanks to Equifax, everyone's data is out there forever, in one handy and convenient data breach. That matters, too, because most thieves aren't interested in trying to assemble enough information on any single person to take their information (unless you've got a lot of determined enemies, anyway). But sell them that information in an all-in-one bundle, and hey, people will use it.

The FTC is Investigating

The FTC has announced that it's looking into the hack and may open an investigation into Equifax. "The FTC typically does not comment on ongoing investigations," spokesman Peter Kaplan told Reuters. "However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach."

There's no word yet on what action the FTC might take, or what the penalties could be for Equifax's cataclysmic losses. Given that most of the US adult population is now at permanently increased risk of information theft or account hijacking, the usual "placate them with an identity monitoring service" shtick isn't going to cut it. Equifax has taken heavy fire in recent days for multiple aspects of its response, and that's not going to stop any time soon.
