Equifax and the f**k up of 2017 If you haven’t been playing close attention to the information security news recently, Equifax, the defacto credit-check company of the United States lost all their “customer” data to an attacker. I put customer in air quotes (you couldn’t see me make those, but I did), because most of those people didn’t realise Equifax was recording their data. They were provided to Equifax through a massive network of consumer-facing companies that want to verify that a purchaser can keep up with their credit payments. Credit cards are an obvious one, but store credit is a common purchasing method in the US, or even when you opt to pay for car insurance premiums monthly instead of annually you are actually taking a credit arrangement with the insurer. They do a credit check and some of the information they collect on you is shared with Equifax. Except that data was leaked. Ooops. Now the biggest surprise to me is that people that it was leaked. This happens every other month, some large company has millions of customer records snuck out the back door. still seem shocked The reasons are clear if you watch the first 20 minutes of the the Select Committee hearing with the Former-CEO. He doesn’t understand a thing about data security, , there would be a deeply technical discussion on the in’s and out’s of that fraudulent process and impact. Not even the committee really understand what a patch is, whether it was relevant and nobody pauses the hearing to ask why their was even exposed on the Internet? OR why the data wasn’t encrypted properly at rest. if this was a hearing on, say tax fraud internal system running Apache Struts In this world where most organisations are totally clueless to the operation, security and safety of the data they hold about their customers, its is of no surprise that it gets walked out of the door by any reasonably determined attacker. They offload the problem to an under-funded, under-resourced “security team” whose job it is to hopefully make sure this doesn’t happen to them and cause their share price to halve overnight. Well, this approach is clearly not working Equifax are being because they got caught in a position of negligence. pointed at as the class dunce only The global citizen database of the dark web Tracking some of the , the pattern is clear. They are getting larger, and exposing more and more private data. Yahoo’s breach, the LinkedIn . biggest data breaches of the 21st century 3 billion customer record 167 million record breach My email account has been hit in 6 seperate breaches, my [old]password included since none of these organisations seem to be able to properly encrypt private data. I don’t care about passwords so much, using a simple password manager you can avoid having the same password for every website. I do care about the other private data. I don’t change my address every 90 days.. or my mother’s maiden name. That hasn’t changed. But what about all the other questions I get asked in online systems or over the phone. I apply for a credit card, it asks about my employer, my salary, my bonus structure, how long I’ve been at the company. Another application for car insurance- how and where I use the vehicle. Waze tracks where I am, where I go. All that data is valuable to those organisations. More data was than the previous 5,000 years of humanity. In 2017, we will create even more data in one year alone. created in the last two years In the age where data is becoming most valuable resource why does nobody think twice about handing it over? Everything about you will eventually be breached. If your private data is freely being sold and shared within data-driven organisations, and a percentage (let’s say 10% of them) get breached, then with a broad enough network, all the information eventually becomes public. If all my data is public, what then? Taking all this ever-increasing breached data, a illicit data miner could start to build up a mirrored database of all leaked information across the world. Everything about you and anyone that every interacted with a digital record system. Taking LinkedIn, Yahoo, Equifax, or even AdultFriendFinder, I can find out who you are, where you work, how much you get paid, who you date (and who you’re married to), your sexual interests, your reliability, your location, patterns, your character. If all information eventually becomes public then there is no longer such a thing as data privacy.
