As far as data breaches go, this one was a beauty and happily I don’t need to tell you what happened or how it happened, others already did that for me.
I am not going to write about the inherent flaws with tying your entire financial identity to a social security number that we cannot protect, or even raise any eyebrows about the unprecedented size of the breach.
You are not here to read about how Equifax completely bungled their public response, despite having more than a month to properly prepare for it, nor did you come to read something that you have already read elsewhere.
You came to find out who poured oil onto the fire, you came to find out who is going to get burned and who will be sacrificed to the gods of #netsec.
I don't blame you, it's the only angle in this story that really interested me too, if only because we have all seen this movie so many times before.
What we have not seen before though is the series of unfortunate events that are beginning to act as a catalyst and make this story burn brighter.
Let's start with our first red flag.
Time To Notify
Let's ignore the fact that Equifax knew they had an obligation to notify their customers in a timely manner if their personal details were exposed.
Equifax first discovered the breach in late May or early July but waited more than two months to notify their customers. The site they are using to notify people about the breach (equifaxsecurity2017.com) was first registered in August, but the contents of the site were not uploaded until September.
They were not even ready to handle the volume of calls from their customers, shifting them off to a third-party call center that could not answer basic questions such as "has my social security number been stolen in the breach?"
It's also worth noting that if you sign up for their credit monitoring service, the one they are happily giving you for free for one year, you are basically signing away your right to sue them for the damage the breach causes.
Who was responsible for the time to notify and for the arbitration notice? Both were embarrassingly mishandled, whoever that person was.
Selling Off Equity Holdings
Three very senior executives at Equifax, CFO John Gamble, divisional President Rodolfo Ploder and Joseph Loughran, President of U.S. Information Solutions, sold up to $1.8 million worth of shares in sales that were not pre-planned with the SEC, just before the notification came.
Where before all three had LinkedIn profiles, now they no longer exist, and to make matters worse, all three are on record saying they had no idea about the breach before they sold their shares, despite being so high ranking.
I don't believe for a second that these guys didn't know about the breach; by the time they sold their shares, Equifax had known about the breach for quite some time, and there is every indication of insider trading here.
FireEye Registering Equihax.com Before The Notification
As if to rub salt into the wounds, Brandan Schondorfer, an employee of FireEye, publicly registered Equihax.com before the official notification.
Given that FireEye were the cybersecurity team who were supposed to be protecting Equifax, this domain registration is in very bad taste, and, surprise surprise, Brandan's LinkedIn profile is also no longer available.
This is either some very bad #OPSEC or they have been compromised.
Others, however, have suggested that this is connected to some effort by FireEye and Equifax to divert attention from the breach, but that seems like pure speculation to me, even though the data has already appeared for sale.
Equifax Data For Sale On The Darknet
Although we as yet have no real idea who the culprits behind this attack were, what is suspicious is that almost two months after the attack, and just days after the public notification, the data was up for sale on the darknet.
We have absolutely no idea who is behind this, but what is very curious is that the people behind the sale seem to want to hand the data back to Equifax in return for 600 bitcoins, roughly $2.6 million at today's rate.
They seem to be responding only to emails from Equifax employees, and their stated reason for doing so is the Equifax executives who sold $3 million worth of shares using inside information.
If they don't get their bitcoin, they say they are going to publish the whole database on that site by September 15th, so we have to wait and see.
This darknet site raises a whole lot of questions, though: why did they not sell the data sooner, and why have we not seen the data appear for sale on the darknet markets, or have we seen it and not yet realized it?
There is something very fishy about this whole thing. Why are the perpetrators only willing to provide samples of the data they hold to Equifax employees and nobody else? Why not just sell the data on the open market?
These are the immediate red flags that jump out right now; I will update this story with any new information as it arises.
What do you think? Let me know in the comments below!
What’s that? You like the cut of my jib? Follow me on Twitter then and give me a CLAP using the clap button, you can clap more than once :)
** Please note that this article is in the public domain, reproduce it.