
Equifax hack leaves millions unsafe

Volume IX  Issue 2

Published November 2017

        A recent cyberattack on Equifax exposed the private information of half of America’s population and left a large portion of the population questioning the security of online data storage.


        The recent hack against the massive credit-information storing company was discovered on July 29. The consequences of the attack are still unfolding, but current estimates suggest that around 145 million people were affected by the security breach.


        In a public statement, Equifax said, “The information accessed primarily includes names, Social Security numbers, birth dates, addresses, and, in some instances, driver’s license numbers. In addition, credit card numbers […] and certain dispute documents with personal identifying information […] were accessed.”


        Using the compromised Social Security numbers, the hackers are able to impersonate affected individuals and amass debt under the stolen name. Because of the debt, the afflicted individual can appear fiscally irresponsible and develop a reputation of having unsettled debts — bad credit. With bad credit, loans on housing, vehicles, medical care, college tuition, and other major purchases will be given reluctantly and at higher interest rates.


        While freezing or locking an account prevents it from being accessed, with 145 million Social Security numbers stolen from Equifax, these services are overwhelmed by the surplus in requests to freeze and lock various accounts.


        Shortly after the company announced the attack on Sept. 7, Richard F. Smith, Equifax’s chief executive, retired. Despite his departure, Smith was the sole representative from Equifax to testify at the congressional hearings in early October, where he pointed to a single individual as the cause for Equifax’s vulnerability.


        According to the New York Times, Smith said, “An individual did not ensure communication got to the right person to manually patch the application.”


        Many blame technology for cybersecurity failures, but the key to most successful hacks is human error, usually the consequence of negligence or ignorance. The Equifax hack is no different; the technological failure, although enabling the attack, was not the reason for the hackers’ success.


        Apache Struts, the software toolkit used by Equifax to process consumer complaint messages, discovered a vulnerability in its structure that allowed for unwanted parameters to be passed into the server, parameters which include the malicious code — a virus — that gave hackers access to Equifax’s database. When the Apache Software Foundation found the bug in March, an update was released to patch the software.


        According to the documentation of the patch, the old parameter-checking method did not properly exclude all unwanted code-patterns. However, the March update added two interfaces — acting as a whitelist and a blacklist — to safeguard against the insertion of viral code. Unfortunately, an Equifax employee did not dutifully patch the code, enabling the hack to occur two months after the Apache Struts update was released.


        “It was a human error kind of thing,” said Luke Adams, a junior. “They found the bug in March and had two months to correct it — and there were probably guidelines to avoid this, but even then, the company became relaxed with security at the personal level. It wouldn’t have been hacked if everyone followed security guidelines.”


        If it weren’t for human error, major cyberattacks would be non-existent, but with the nature of human error being unpredictable, broad preventative measures are limited by individuals’ security efforts.


        Recently, another exploitable flaw in cybersecurity was found: the Key Reinstallation Attack (KRACK), which targets Wi-Fi communication processes.


        Mathy Vanhoef, a researcher in computer security at KU Leuven in Belgium who discovered the flaw, said, “The attack works against all modern protected Wi-Fi networks. The weaknesses are in the Wi-Fi standard itself. Therefore, any correct implementation of WPA2 is likely affected.”

        With every Wi-Fi network at risk, the WPA2 flaw threatens much more secured data than the Apache Struts bug.


        Sophomore Vernon Luk said, “The vulnerability is in the process of how Wi-Fi communication works; it’s not human error, it’s part of the technology in this case.”


        However, patches for the bug have already come out from Windows, Google, Intel, and other software companies. Unlike with Equifax, the WPA2 issue was addressed as soon as it was discovered, preventing any major cybersecurity breaches.


        “Patches are already out for many software systems, so people should download them. Once all the patches are out and people have downloaded them, it should be safe,” said Luk.


        Being up to date with security and wary of potential cybersecurity threats has become increasingly necessary as more and more personal information is being stored online.


        “Vulnerabilities are more common than you think,” said Luk. “All it takes for valuable information to be compromised is one weak link.”


        Even if the majority of people can’t directly address any technological flaws themselves, leaving important information open to hackers is still avoidable with basic precautions.


        “Over 95 percent of hacks are preventable. If you leave data vulnerable, there are a lot of hackers that would love to get their hands on that information, but this can be prevented by taking a few simple steps [to secure their information],” said Adams.


        Updating security patches, avoiding untrustworthy emails and websites, and ensuring that any information given out is going to the right place are all basic methods to avoid human error and defend against cybersecurity hacks.


        “The reason why hacking is an issue is that the vast majority of Americans using the internet aren’t taking any precautions; people are not taking cybersecurity threats as a serious issue,” said Adams.
