Equifax’s Breach Response Is Inadequate, Insecure, and Dangerous krebsonsecurity.com

Brian Krebs:

I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived as the one coming right now from big-three credit bureau Equifax, which rather clumsily announced Thursday that an intrusion jeopardized Social Security numbers and other information on 143 million Americans.

There isn’t a single aspect of Equifax’s response to their catastrophic breach that is not in some way deeply flawed, irresponsible, insecure, flippant, or dangerous. From the poorly-secured website they — or, more likely, Edelman PR — slapped together to the inconsistent and effectively useless safety checker,[1] it is, as Krebs put it, a dumpster fire.

Even the FAQs are inadequate. For instance:

Why am I learning about this incident through the media? Why didn’t Equifax notify me directly?

Equifax issued a national press release in order to notify U.S. consumers of this incident and has established a website, www.equifaxsecurity2017.com, where U.S. consumers can receive further information.

That isn’t a response, it’s a dodge. The reason Equifax didn’t notify customers directly is because then the news would have leaked before it was timed for the close of markets on Thursday. One may reasonably argue that this is fair from a PR perspective, but their delayed response clearly puts shareholders above consumer protection.

Krebs provides some useful advice, too:

First off, all consumers have the legal right to instant access to their credit report via the Web site, annualcreditreport.com. This site, mandated by Congress, gives consumers the right to one free credit report from each of the three major bureaus (Equifax, Trans Union and Experian) every year.

Second, all consumers have a right to request that the bureaus “freeze” their credit files, which bars potential creditors or anyone else from viewing your credit history or credit file unless you thaw the freeze (temporarily or permanently).

But — and you’re not going to believe this — even Equifax’s credit freezing is flawed.

Tony Webster:

OMG, Equifax security freeze PINs are worse than I thought. If you froze your credit today 2:15pm ET for example, you’d get PIN 0908171415.

… I got mine a decade ago and now that I see it, it followed the same format back in 2007

A series of digits that exactly correspond with the time the freeze was implemented is not a personal identification number. While the average person is notoriously poor at picking passwords, there should at least be something more unique and secure than the date and time the credit freeze was requested.
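To make the weakness concrete, here is an added example (not from the original post, Krebs, or Equifax): it reproduces the MMDDYYHHMM scheme implied by Webster’s example, provides an audit check that flags PINs which parse as a timestamp, and compares the effective search space with a random ten-digit PIN. The sample PIN batch is constructed.

```python
from datetime import datetime
import math

# Format implied by the example in the post: 0908171415 == 09/08/17 14:15 (MMDDYYHHMM).
PIN_FORMAT = "%m%d%y%H%M"


def timestamp_pin(year: int, month: int, day: int, hour: int, minute: int) -> str:
    """Reproduce the weak scheme: the 'PIN' is just the freeze timestamp."""
    return datetime(year, month, day, hour, minute).strftime(PIN_FORMAT)


def looks_timestamp_derived(pin: str) -> bool:
    """Audit check: does a 10-digit PIN parse as a valid MMDDYYHHMM timestamp?

    Field ranges (month 01-12, day 01-31, hour 00-23, minute 00-59) make most
    uniformly random 10-digit PINs fail to parse, so a high hit rate across a
    batch of issued PINs indicates timestamp-derived values."""
    if len(pin) != 10 or not pin.isdigit():
        return False
    try:
        datetime.strptime(pin, PIN_FORMAT)
    except ValueError:  # out-of-range field (e.g. Feb 31) or leftover digits
        return False
    return True


def audit(pins) -> float:
    """Fraction of a batch of issued PINs that look timestamp-derived."""
    hits = sum(1 for p in pins if looks_timestamp_derived(p))
    return hits / len(pins)


def random_pin_bits(digits: int = 10) -> float:
    """Entropy of a uniformly random PIN of the given length."""
    return math.log2(10 ** digits)


def timestamp_pin_bits(days: float) -> float:
    """Entropy of a minute-resolution timestamp PIN when the freeze is known
    to lie within a window of `days` days (one candidate per minute)."""
    return math.log2(days * 24 * 60)


# Constructed sample batch: three timestamp-style PINs, two random ones.
SAMPLE_PINS = ["0908171415", "0908171416", "0315071021", "4827193650", "7391026485"]

if __name__ == "__main__":
    print(timestamp_pin(2017, 9, 8, 14, 15))  # 0908171415
    print(f"timestamp-like PINs in batch: {audit(SAMPLE_PINS):.0%}")
    print(f"random 10-digit PIN: {random_pin_bits():.1f} bits")
    print(f"timestamp PIN, 10-year window: {timestamp_pin_bits(3652.5):.1f} bits")
    print(f"timestamp PIN, freeze date known: {timestamp_pin_bits(1):.1f} bits")
```

A random ten-digit PIN carries about 33 bits; a timestamp PIN over a ten-year window carries about 22, and only about 10.5 once the freeze date is known.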

[1] I have no idea what’s going on with that checker. The surname field doesn’t appear to be used — I tried with the last name “Butthead”, because I am an adult, and “123456” as the six SSN digits, and was notified that “my” information may have been compromised.