September 08, 2017

Equifax's data breach just keeps getting worse!

As if it is not bad enough that Equifax exposed 143 million Americans to the hellacious ordeal of identity theft, now it's becoming crystal clear just how inept their response to the data breach was.

For instance, the website Ars Technica reported the following:

"What's more, the website, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation of WordPress, a content management system that doesn't provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn't perform proper revocation checks. Worse still, the domain name isn't registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people's details. It's no surprise that Cisco-owned OpenDNS was blocking access to the site and warning it was a suspected phishing threat.

Another indication of sloppiness: a username for administering the site has been left in a page that was hosted here. ... That by itself wouldn't allow for unauthorized access, but it's still something that should never have happened.

Meanwhile, in the hours immediately following the breach disclosure, the main Equifax website was displaying debug codes, which for security reasons, is something that should never happen on any production server, especially one that is a server or two away from so much sensitive data. A mistake this serious does little to instill confidence company engineers have hardened the site against future devastating attacks."

So Equifax's attempt to "fix" the damage done by its data breach doesn't just take away the rights of consumers to get justice for the damage caused by Equifax's negligence, it now opens those victims up to more potential privacy problems by using a website with obvious security holes to collect the names and Social Security numbers of the victims.  Sheeeeesh!

Equifax's unwillingness to investigate consumer disputes properly is starting to look like the lesser of their sins.
