
The Equifax hack exposed critical personally identifying information on more than 145 million American adults. That's not all adults by any means, but it's well over half the adults in the country. Now we know that social security numbers, credit cards (in some cases), full names, and home addresses aren't the only thing the hackers made off with. They got about 11 million driver's licenses, as well.

That's the latest from the Wall Street Journal, which reports that 15.2 million client records in the UK were also compromised. That may not sound like much compared with the US, but the UK's population is 65.64 million, which means a significant percentage of the UK was compromised. 700,000 British accounts leaked "sensitive" information as well, though we don't know exactly what that refers to.

Equifax has been absolutely hammered for its awful response to the hack, as well as the lapses in security that created the situation in the first place. Even after its security was penetrated in March, the company failed to apply mission critical patches, leading to the catastrophic breach. In the wake of the disaster, Equifax has offered free credit monitoring services and fired its CEO, CIO, and chief security officer.

"Once again, I would like to extend my most sincere apologies to anyone who has been concerned about or impacted by this criminal act," said Patricio Remon, Equifax's president for Europe. "Let me take this opportunity to emphasize that protecting the information of our consumers and clients is always our top priority."

The company's former CEO, Richard Smith, told a congressional committee that the breach was the result of "both human error and technology failures."

We disagree. While it's true vulnerabilities existed in Apache Struts that the hackers were able to take advantage of, it is practically impossible to perform a total security audit of every single piece of software before it ships. Even limited security audits that isolate specific code functions can be backbreaking affairs that drag on for months.

The above is not to dismiss the critical importance of testing software before release–only an acknowledgment of the fact that software bugs are going to exist and will need to be patched post-launch. That's why so many companies push out security updates on a regular schedule and sometimes respond immediately to critical, zero-day threats. Our existing security model is far from perfect, but it drastically reduces the risk of being attacked if companies stick to regular patch schedules for ordinary security updates and move quickly to apply critical updates when they are released.

If Equifax had been blind-sided by a previously unknown attack vector, we'd agree "technology fault" accounted for a meaningful percentage of the problem. But that's not the case here–a fix was available and appropriately labeled as mission-critical. Equifax simply didn't apply it.