China's To Blame For The Equifax Hack. But It Shouldn't Let Equifax, Or US Regulators, Off The Hook.
from the plenty-of-blame-to-go-around dept
The Department of Justice this morning formally announced that it has identified the Chinese government as the culprit behind the historic Equifax hack. If you've forgotten, the 2017 hack involved hackers making off with the personal financial data of more than 147 million Americans. Those victims were then forced to stumble through an embarrassing FTC settlement that promised them all manner of financial compensation that mysteriously evaporated once they went to collect it.
According to the FTC's press release and the indictment (pdf), the four Chinese government employees responsible for the hack were all members of the People’s Liberation Army's 54th Research Institute, an extension of the Chinese military. The four exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal to first gain access to Equifax's systems, then ran more than 9,000 queries before managing to offload both consumer financial data and "proprietary Equifax info" (mostly related to databases) to a Dutch server.
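The sequence described above, entry through the web tier followed by thousands of queries before the data left the network, is the kind of volume anomaly a defender can alarm on while it is still in progress. What follows is an added example, not code from the article, from Equifax, or from the indictment: a small per-account sliding-window detector run over a constructed database audit log. The log format, the account name `dispute_portal`, the thresholds and the timestamps are all assumptions chosen for illustration.

```python
"""Added example: per-account query-volume detector over a constructed DB audit log.
Not from the Techdirt article, Equifax or the indictment; the log format, the account
name and the thresholds are assumptions for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List


@dataclass(frozen=True)
class QueryEvent:
    ts: datetime      # when the query ran
    principal: str    # application or database account that issued it
    rows: int         # rows returned


@dataclass(frozen=True)
class Alert:
    principal: str
    at: datetime      # timestamp of the query that crossed a threshold
    queries: int      # queries by this principal inside the window
    rows: int         # rows returned inside the window


def parse_line(line: str) -> QueryEvent:
    """Parse one audit line of the assumed form '<iso8601> <principal> <rows>'."""
    ts_s, principal, rows_s = line.split()
    return QueryEvent(datetime.fromisoformat(ts_s.replace("Z", "+00:00")),
                      principal, int(rows_s))


def detect_bulk_reads(events: List[QueryEvent],
                      window: timedelta = timedelta(minutes=10),
                      max_queries: int = 60,
                      max_rows: int = 20000) -> List[Alert]:
    """Sliding window per principal. Raise one alert when either the query
    count or the row total inside the window exceeds its limit, then stay
    quiet until the window drains back under both limits (re-arm)."""
    recent: Dict[str, Deque[QueryEvent]] = defaultdict(deque)
    rows_in_window: Dict[str, int] = defaultdict(int)
    armed: Dict[str, bool] = defaultdict(lambda: True)
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.principal]
        q.append(ev)
        rows_in_window[ev.principal] += ev.rows
        # evict events strictly older than `window`; the current event keeps q non-empty
        while ev.ts - q[0].ts > window:
            rows_in_window[ev.principal] -= q.popleft().rows
        over = len(q) > max_queries or rows_in_window[ev.principal] > max_rows
        if over and armed[ev.principal]:
            alerts.append(Alert(ev.principal, ev.ts, len(q), rows_in_window[ev.principal]))
            armed[ev.principal] = False
        elif not over:
            armed[ev.principal] = True
    return alerts


def build_sample_log() -> List[str]:
    """Constructed sample, not real data: an hour of one single-row lookup per
    minute from the portal account, then 200 queries two seconds apart, each
    returning 5,000 rows, from the same account."""
    def stamp(t: datetime) -> str:
        return t.isoformat().replace("+00:00", "Z")
    start = datetime(2017, 5, 13, 2, 0, tzinfo=timezone.utc)
    lines = [f"{stamp(start + timedelta(minutes=i))} dispute_portal 1" for i in range(60)]
    burst = start + timedelta(hours=1)
    lines += [f"{stamp(burst + timedelta(seconds=2 * i))} dispute_portal 5000"
              for i in range(200)]
    return lines


def run_sample() -> List[Alert]:
    """Parse the constructed log and return the alerts the detector raises."""
    return detect_bulk_reads([parse_line(line) for line in build_sample_log()])


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.at.isoformat()} {a.principal}: {a.queries} queries, "
              f"{a.rows} rows in the last 10 minutes")
```

On the constructed log the detector fires once, on the fourth bulk query, when the row total inside the ten-minute window passes 20,000; the baseline hour of single-row lookups never trips it. The thresholds are placeholders and would be set from each account's own history; a portal account that normally answers one dispute at a time has no business returning thousands of rows per query, which is why row counts, not just query counts, are tracked. Transfers to an unfamiliar external host, like the Dutch server the paragraph mentions, are a complementary signal at the network edge.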
In a statement, Equifax was happy to see the onus shifted entirely onto the backs of the Chinese:
"Cybercrime is one of the greatest threats facing our nation today, and it is an ongoing battle that every company will continue to face as attackers grow more sophisticated. Combating this challenge from well-financed nation-state actors that operate outside the rule of law is increasingly difficult. Fighting this cyberwar will require the type of open cooperation and partnership between government, law enforcement and private business that we have experienced firsthand."
That rhetoric was mirrored in the DOJ's announcement and Bill Barr's speech, which repeatedly framed the entire Equifax saga as largely a victory for U.S. national security:
"The size and scope of this investigation — affecting nearly half of the U.S. population, demonstrates the importance of the FBI’s mission and our enduring partnerships with the Justice Department and the U.S. Attorney’s Office. This is not the end of our investigation; to all who seek to disrupt the safety, security and confidence of the global citizenry in this digitally connected world, this is a day of reckoning."
Except there are a few things both Equifax and Bill Barr forget to mention. One, the vulnerability that allowed the hackers to gain access to this data was known to Equifax months before the attack, and the company did nothing about it. Two, this data wouldn't have been available to steal if companies like Equifax hadn't made an industry out of collecting this sort of data -- without consumer consent and with no way for consumers to opt out -- in the process creating such a delicious target. A target they then failed to adequately secure and protect.
So yes, while it's certainly great we've identified the hackers (who'll never see the inside of a jail cell), this entire mess could have been avoided.
A few lawmakers, like Senator Mark Warner, were quick to applaud the investigation while highlighting how it shouldn't distract from Equifax's failures:
"The indictment does not detract from the myriad of vulnerabilities and process deficiencies that we saw in Equifax’s systems and response to the hack,” Senator Mark Warner said in a statement provided to Motherboard. “A company in the business of collecting and retaining massive amounts of Americans’ sensitive personal information must act with the utmost care – and face any consequences that arise from that failure."
Another thing neither Equifax nor Bill Barr likely wants to highlight is that the penalty for Equifax -- and the FTC settlement for consumers -- was little more than a cruel joke. While the $575 million FTC settlement was bandied about as a "record" deal, as with most hacks and breaches, the final penalty was a far cry from the money made from collecting and selling access to this data for decades. And the consumer "compensation" aspect of the deal involved both useless "free" credit reporting software and $125 cash payouts that mysteriously disappeared when victims went to collect them, adding insult to injury.
A lack of any meaningful US privacy law for the internet era means there's consistently no real punishment for companies that fail to secure the vast troves of data they're now collecting on your every waking moment. Nor is there any real compensation for consumers who may not have wanted this data collected, stored, and sold to every nitwit with a nickel. There are so many points of failure here -- from corporations that treat privacy and security as an afterthought to captured regulators too feckless to do anything about it -- that focusing too extensively on national security risks us learning absolutely nothing from the experience.
Filed Under: china, cybersecurity, data breach, doj, security, william barr
Companies: equifax
Reader Comments
As a creditor to the U.S., China just wanted to verify people were trying to pay their debts.
/s
Karl, copying is not theft!
"a victory for U.S. national security"
We have secured the doors on the barn that burned 24 months ago.
These doors are very secure to keep out the nationstate hackers, even if the access is still admin 12345.
This is BS.
This company screwed tons of people & got off with hardly a wrist slap, while the victims will end up spending untold thousands to try to undo the damage & then the added bonus of paying to get the records these assholes keep corrected to remove the errors they help open the door to.
Now that we know who they are, we could mail them a picture of the inside of a jail cell. If you want to be thorough, we could post the picture alongside every article listing their names, so that if they ever search the Internet for their own names, they'll be likely to find it and see it.
Of course, they'll probably never search for their own names. They're too busy searching to see which of the stolen identities will be most lucrative.
The ongoing, daily Equifax hack is not a mystery to people who understand the issue.
Not long ago..
It was supposed to be illegal to use the Social Security number for anything except certain uses.
And the credit corps ran over this with a fully laden dump truck.
Then there is a strange thought of 3 corps doing this for years, and only 1 gets hit?
575 million divided by 147 million...~ $4..WOW, what a return on a failure. No wonder international corps love the USA. How many other nations would be this nice?? In the past, China has Chopped Corporate heads off..REALLY.
Wasn't it about that same time that Sony had the servers in Brazil HIT HARD?? Terabytes of data?? And no one is saying anything about that.. And how it had to take days to download that amount of data, and no one caught it.
Automated system monitoring is FRICKING STUPID.. when it doesn't monitor that someone is online an extended time and downloading a HUGE amount of data. What are the odds that these corps' software worked to give a warning, but there was NO ONE THERE to see the warnings?? Let's cut corners.. we don't need enough people to do that job, it's boring. Let's cut it down 98%. We don't have to pay top dollar for this job; they can do it remote from home, in their spare time, at 1/4 the wage.
Anyone want this job? Sysop or admin and Corp policy kills the wages and work hours..??
What should happen is...
The employees at Equifax that were responsible for the lack of security should probably be included in the charges as accomplices.
They, as indicated above, are actually complicit. The "hack" could not have happened or been as successful, or gone undetected for so long, if they were not.
Re: Not long ago..
It's not just credit corporations. Try getting any kind of insurance without surrendering your SSN.
I'll wait for corroboration from a credible source...
Re: What should happen is...
Those employees might have told management and/or executives about the vulnerabilities but were ignored because fixing the problems would cost money. They could have tried going whistleblower, but given the slap on the wrist Equifax got that probably wouldn't have gone well for them.
Sure fire way to stop this
Start holding c-level execs criminally liable for inaction and watch how quickly these problems get cleaned up.
Re: Sure fire way to stop this
Look up LLC corps...
Limited liability.. They can't be held responsible, because SOMEONE let major corps have this.
Re: Not long ago..
Privacy is impossible to protect at scale.
Re: Re: What should happen is...
Sorry to have to be explicit here.
I’m referring to the ASS HATS that made the decisions to leave vulnerabilities in place not the grunts that carry out their bidding.
But thanks for pointing out my lackadaisical effort at concise communication in this instance.
Re: Re: Re: What should happen is...
Oops, sorry.
Re: Re: Re: Re: What should happen is...
It’s cool, plus I got to post about the Ass Hats at Equifax, again.
Re:
It's for comments like these we need a "sad but truer than we'd like" button...
Re:
"This company screwed tons of people & got off with hardly a wrist slap..."
The same way AIG and a number of banks made it a business to lend fifty times more money than they had assets to cover back in 2008, almost sinking the US economy completely as a result.
If the industry and business model is considered too big to fail, the wrist slap is all that's on the table. There's plenty of reasons why US politicians should be very very cautious about frightening too many cornerstones in the jenga tower of the fiscal system.
Re: Not long ago..
"Anyone want this job? Sysop or admin and Corp policy kills the wages and work hours..??"
Not unless we can include the Abigail Oath in the official job description and plan.
Re: What should happen is...
"The employees at Equifax that were responsible for the lack of security should probably be included in the charges as accomplices."
Those responsible for security probably told management, time and time again that the system wasn't secure and all the risks inherent.
And then they were ignored.
Or worse still, there were no such employees in the first place and Equifax relied exclusively on the default security of a pre-canned database setup bought from the lowest bidder, with outsourced "tech support" whose access to the system was restricted to resetting lost passwords.
On the other hand
Assuming China is really behind this, confirmation would be nice.
Which is worse, China getting this data or Organized Crime getting the data?
I condemn this like most of us. However, is China really interested in robbing our bank accounts, or ruining our lives if we don't pay up? Organized Crime is.
I agree that severe punishment for C-levels will help solve this, but I rest a little less uneasy hoping that ONLY China was behind this.
Payback is a batch job.
Remember this? "NSA hackz all the Huawei routerz with impunity."
As usual, guess who started this fight (the USA-ul suspects).
And really, I mean, you can't blame the PLA for the actions of a few "individuals" whose credit scores could impact China's national security, cuz, that's a conspiracy theory, sort of like the way the University of Minnesota framed Richard Liu as a rapist.
Even with proof of innocence, the fake rape conspiracy theorists are still dragging that story through the rumor mills.
http://www.startribune.com/chinese-billionaire-richard-liu-will-not-be-charged-with-rape-says-hennepin-county-attorney/503341712/
Re:
It's not so much that the PLA will steal identities; the bigger concern is the espionage and blackmail that can result.
Re: Re:
Cyber terrorism, including al Qaeda or similar attacks, is the problem.
Re: Re: Re: um, nope
The Threat Assessment Industry and mouthpieces for organized criminals who work in the security industry (like ATAP), and then Law Enforcement Intelligence Units and Infragard, augmented by community policing, are behind most/all of the so-called domestic terrorism, and that ISIS was a western intelligence agency creation is more fact than fiction.
Al Qaeda had almost no serious cyber threat capacity.
Re: Re: espionage and blackmail
Too late to worry about that, as so much of this went on already, between 2001 and today, as NSA/MI5-6/Etalphabet was doing the exact same thing, but primarily spying on US/FVEYs citizens.
You know, cuz, totalitarianism is somehow what the "other guys" do, right?
China, if anything, is aware that it is just keeping up with the Joneses in this regards, and being rather polite about it I think.
The real threat actors are the dual loyalty of US and Israeli private contractors, with a foot inside and outside of agencies, fed by the NSA-FVEY whole-capture pipeline, acting on one hand as advisors/tech providers to both US and Chinese military, and on the other with an uncertain endgame.
But without a doubt, blackmail and compromise operations are rampant no matter where you look.