The Equifax Hack and How to Protect Your Family — All Explained in 5 Minutes

In September 2017, Equifax announced it had experienced one of the worst data breaches in history. Cyber criminals stole highly sensitive personal information, including Social Security numbers, birth dates, addresses, and drivers license numbers, for a staggering 143 million Americans, 44 million British citizens, and an unknown number of Canadians. If you have a credit report, your data was likely compromised in this breach.

The scale of this breach was unprecedented. As one of the three major U.S. credit bureaus, Equifax maintains credit files on virtually every adult in the country. The stolen data provides more than enough information for criminals to open new lines of credit, file fraudulent tax returns, and even obtain official government-issued IDs under your identity.

Unfortunately, identity theft was already a widespread problem even before this breach. A study by Javelin Strategy & Research found that 16.7 million Americans experienced identity fraud in 2017, resulting in $16.8 billion in losses. The Equifax hack has opened the floodgates by putting the most sensitive data of half the U.S. population into the hands of criminals.

How the Breach Happened

From a technical standpoint, the Equifax breach was entirely preventable. The entry point for the hackers was a vulnerability in the Apache Struts web-application software, which is a framework used by many large enterprises, including Equifax, to build Java applications.

The vulnerability, identified as CVE-2017-5638, was disclosed and patched by Apache in March 2017. However, Equifax failed to apply this critical security update to its online dispute portal, which used the Apache Struts framework. This allowed hackers to remotely execute code on Equifax‘s servers and gain privileged access to backend databases containing millions of consumer records.

Equifax‘s use of out-of-date and insecure software was an inexcusable lapse in basic security hygiene for an organization entrusted with so much sensitive data. As a full-stack developer, it‘s drilled into you to always keep your software dependencies up-to-date and to apply security patches immediately. Equifax had no excuse for running an unpatched system months after a critical fix was available.

But the company‘s woes go much deeper than an unpatched server. Equifax has a long history of underinvesting in technology infrastructure and lobbying against stronger consumer privacy protections. According to the New York Times, Equifax‘s IT department had a mere $85 million budget to maintain a patchwork of over 1,000 databases used to manage so much highly sensitive consumer data.

Criticism of Equifax‘s Response

The credit bureau‘s response to the data breach has drawn widespread criticism. It took Equifax over a month to disclose the breach publicly. In the meantime, three senior executives, including the Chief Financial Officer, cashed out $2 million worth of stock in the company, raising suspicions of insider trading.

When the company finally did come clean, they botched the response in numerous ways, such as:

• Setting up an insecure site for consumers to check if they were affected that gave out seemingly random results and was vulnerable to hacking itself.
• Initially forcing consumers to agree to arbitration and waive their right to class-action lawsuits in order to get free credit monitoring, before backing down amid public outrage.
• Assigning PIN numbers to security freeze requests that were just timestamps of when the freezes were placed.

Perhaps most egregious was that Equifax tried to spin the data breach as a sales opportunity by initially offering consumers a paid credit monitoring service, before pivoting to a free one-year offer after backlash.

Regulatory Fallout and Policy Solutions

The Equifax hack has highlighted the need for much stronger consumer data protections and regulations governing credit bureaus. These companies are entrusted as the gatekeepers to our most sensitive financial data, yet are incentivized to collect and sell as much of it as possible to marketers and lenders.

As quasi-monopolies, they face minimal competition and oversight. In 2012, the Consumer Financial Protection Bureau gained authority to regulate credit bureaus after the Dodd-Frank Act, but the Trump Administration has worked to weaken the agency.

Key reforms that policymakers are now considering include:

• Establishing baseline federal data security standards and breach notification requirements for credit bureaus and data brokers.
• Restricting the use of credit reports and scores for non-credit decisions like employment.
• Making it easier for consumers to access their credit information and correct errors.
• Reforming the dispute process to shift the burden of proof onto credit bureaus for demonstrating the accuracy of information.
• Giving the CFPB supervisory authority to examine credit bureaus for compliance.

At a more fundamental level, the Equifax breach has called into question the entire premise of using inherently sensitive data like Social Security numbers and knowledge-based authentication for identity verification. A SSN is a skeleton key to your financial and online life, yet it‘s shockingly easy for criminals to steal with just a few other personal details.

Technological Solutions

As a full-stack developer, it‘s clear to me that we need to move to more secure methods of authentication and identity verification that don‘t rely on static personal data. Some promising technological solutions include:

• Multi-factor authentication that combines something you know (password), something you have (phone or hardware token), and something you are (biometrics).
• Zero-knowledge proofs that allow you to prove you know something without revealing the underlying information. This could be used to verify identity or creditworthiness without exposing sensitive data.
• Decentralized identifiers and verifiable credentials that give individuals control over their identity attributes and the ability to selectively disclose them. This is the vision behind efforts like self-sovereign identity.
• Secure multi-party computation that enables multiple entities to jointly compute a function over their inputs while keeping those inputs private. This could power privacy-preserving credit scoring.
• Homomorphic encryption that allows computations to be performed on encrypted data without decrypting it first. This could enable new forms of secure data aggregation and analysis.

These are just a few examples of the types of cutting-edge cryptographic techniques that could form the building blocks of a more secure and privacy-preserving identity layer for the Internet. But getting there will require a coordinated effort between technologists, policymakers, and industry to re-imagine our current broken system.

What You Can Do To Protect Yourself

As a consumer, there are several steps you can take right now to safeguard your identity in the wake of the Equifax breach:

1. Check your credit reports. You are entitled to a free credit report from each bureau once a year at AnnualCreditReport.com. Request and review your reports for any suspicious activity.

2. Freeze your credit. Contact each of the three major credit bureaus to put a security freeze on your credit file. This prevents new accounts from being opened in your name, even if a criminal has your personal information. You‘ll have to temporarily lift the freeze if you need to apply for credit yourself.

3. Sign up for a credit monitoring service. These services, many of which are now offered for free in the wake of the Equifax breach, will alert you to suspicious activity involving your credit file so you can act quickly to halt fraud.

4. File your taxes early. Tax-related identity theft is a common scam where criminals use your Social Security number to file a fraudulent tax return and claim your refund. Beat them to the punch by filing as soon as you have all the necessary documents.

5. Be vigilant about phishing attempts. With so much personal data exposed, you may see an uptick in emails and calls claiming to be from your bank or the IRS that reference your personal details. Don‘t fall for it. Legitimate organizations will never ask for sensitive data like account numbers over email or phone.

6. Use strong, unique passwords. The Equifax breach is a reminder of the importance of good password hygiene. Never reuse passwords across multiple accounts, and consider using a password manager to generate and store strong, unique passwords for each service you use.

Lessons for Developers

As developers entrusted with safeguarding user data, there are several best practices we should all be following to prevent breaches like Equifax from happening on our watch:

1. Keep software dependencies up-to-date. The Equifax breach resulted from a failure to patch a known vulnerability in a widely used open source library. Set up automated alerts for new security fixes in your dependencies and have a process to promptly test and deploy patches.

2. Secure your software supply chain. Use dependency management tools to ensure the integrity of third-party libraries, and consider maintainer reputation when choosing open source components. Vet your suppliers‘ security practices as well.

3. Follow the principle of least privilege. Ensure that application components and user accounts only have access to the specific resources and data they need to perform their intended functions. Segment your network to limit the blast radius of a breach.

4. Encrypt data at rest and in transit. Any sensitive user data should be encrypted when stored and while being transmitted over the network. Use industry-standard encryption algorithms and keep encryption keys secure.

5. Hash and salt passwords. Never store passwords in plaintext. Use a secure hashing algorithm like bcrypt, scrypt, or PBKDF2 to hash passwords with a per-user random salt before storing them. This makes it much harder for attackers to crack passwords if the database is breached.

6. Use prepared statements to prevent SQL injection. Sanitize and validate all user inputs to prevent common web application vulnerabilities like SQL injection and cross-site scripting (XSS). Parameterized queries or prepared statements make it harder to sneak malicious inputs into application logic.

7. Implement proper access controls. Use a well-vetted authentication and authorization framework to ensure only legitimate users can access sensitive resources and functionality. Regularly audit permissions to maintain the principle of least privilege.

8. Monitor for anomalous behavior. Invest in tools to detect and alert on suspicious activity like multiple failed login attempts, large data transfers, or unusual access patterns. Catching breaches early can limit the damage.

While we may never be able to completely prevent determined attackers, adhering to these security best practices can significantly reduce the risk and impact of data breaches. And by adopting cutting-edge cryptographic techniques, we can build a more resilient and decentralized identity infrastructure for the future.

But in the meantime, the onus is on each of us as developers to treat the security of the user data entrusted to us as sacrosanct. The Equifax breach is a stark reminder of what can happen when that responsibility is neglected at mass scale. Let‘s learn from their mistakes and commit to building a more secure digital world for everyone.