Equifax hack

When your credit rating firm gets hacked

Equifax is a consumer credit reporting agency and last week it got hacked. Now the information of 143 milion US citizens, about 45% of the population, has been compromised by hackers. The hackers got access to names, birth dates, addresses but also social sercurity numbers and in some cases drivers license numbers.

This is a really big thing! It got me thinking and I just had to write about it. With this kind of information it is possible to impersonate people at banks, credit card companies, etc and even the government. For example apply for loan, credit card or even a mortgage in your name. And what about your privacy? The hackers even obtained your credit information.

How did this happen?

Well, Equifax was using Apache Struts which contained a vulnerability (CVE-2017-5638). This vulnerability was fixed on March 6. Equifax did not patch the vulnerability for more than two months!

Luckily for me I am not living in the US, but could this also happen to us in the Netherlands? Of course the average credit reporting agency will state that their security is the best of the best and up-to-date. But as the Equifax hack shows, missing out on one security update has some very serious consequences.

How to prevent this?

Companies handling personal information must be strictly regulated. Only information that is really necessary should be stored. Is it necessary to store the social security number? Companies often think it is to identify the person uniquely, but most likely storing a one-way hash of the social security number will be sufficient. This way the social security number can not be reconstructed, but the person can still be identified as a unique person. Another issue is, how long does specific information need to be stored? Information is valuable. Valuable as such that companies make profit selling or using information about you.

Unfortunately there is not a whole lot you can do about this. Information will be stored everywhere. People do not choose to get registered at a credit reporting agency but this are goverments regulations. Eventually it is the task of the government to protect us and our data. In Europe we have the 95/46/EC directive whichs forces EU countries to protect us by law, but the question remains: How safe is our sensitive personal data at all those organizations?

Posts you may also enjoy

Bloomberg release a very detailed report on how Amazon discovered a hardware backdoor the size of a single grain of rice in servers manufactured by Elemental Technologies.

The Netherlands was plagued by numerous DDOS attacks lately. The tax authorities, Bunq bank and many other banks and government agencies. The attacker was careless and left some traces and was even arrogant enough to seek contact with the sysadmin of Tweakers.net, one of the targeted sites.

Recently I was asked to give feedback on a new website. It uses Wordpress, but why? Why not? So I researched a bit and was able to give a well-founded answer. about the risk of having plug-ins installed.

Many years ago, I studied the art of picking locks. Not to do anything illegal, but just to learn about locks and how they work. Most importantly, open locks in a non-destructive way the manufacturer certainly did not intend to open. I bought a lock picking set and a practice lock. Over the years I collected some other locks, formerly used in real life. I finally got a chance to show off my skills.