Lorenzo Franceschi-Bicchierai, Vice:
Late last year, a security researcher started looking into some of the servers and websites that Equifax had on the internet. In just a few hours, after scanning the company’s public-facing infrastructure, the researcher couldn’t believe what they had found. One particular website allowed them to access the personal data of every American, including social security numbers, full names, birthdates, and city and state of residence, the researcher told Motherboard.
The site looked like a portal made only for employees, but was completely exposed to anyone on the internet. It displayed several search fields, and anyone — with no authentication whatsoever — could force the site to display the personal data of Equifax’s customers, according to the researcher. Motherboard saw multiple sets of the data they were able to access.
I know I shouldn’t be surprised at Equifax’s carelessness. I know that after the exposure of the Social Security Numbers of practically every American with a credit card or a loan, after the company allowed three executives to sell shares in the days after the breach was discovered, after the company took six weeks to notify consumers, after failing to responsibly respond to their breach, after launching a botched self-check service, after promoting their insecure credit freezing service, after sending some people to the wrong website, and after the company allowed its CEO to retire with a full compensation package, that I should not be surprised when it comes to their unique ability to be completely hopeless with information security or corporate responsibility.
And yet, every week seems to bring a new chapter in this saga — a new example of how Equifax has managed to fuck this up at a truly catastrophic level. For at least six months, Equifax knew that they had a freely accessible search engine for the personal details of millions of Americans. And they did nothing.
Equifax’s stock price is up today, and is trading at about $17 per share — or about 18% — higher than the day the company announced that they had been breached.