Equifax waited 5 weeks to admit it had doxed 44% of America, did nothing to help us while its execs sold stock

From mid-May to July 2017, Equifax exposed the financial and personal identifying information of 143 million Americans — 44% of the country — to hackers, who made off with credit-card details, Social Security Numbers, sensitive credit history data, driver's license numbers, birth dates, addresses, and then, in the five weeks between discovering the breach and disclosing it, the company allowed its top execs to sell millions of dollars' worth of stock in the company, while preparing a visibly defective and ineffective website that provides no useful information to the people whom Equifax has put in grave financial and personal danger through their recklessness.


Equifax is in the business of helping employers and financial institutions punish people for making oversights in their business and financial affairs. Being late with a single payment or missing a single bill can constitute a black mark on your Equifax records that lasts for years or decades, affecting your ability to rent or buy a home or get a job.


By contrast, Equifax expects its stakeholders — whole nations' worth of people — to overlook its gross misconduct. The website the company has stood up (an unpatched stock WordPress installation with a defective TLS certificate) just tells you to come back in a week to get a coupon good for a year's worth of Equifax credit monitoring (without specifically disclosing whether your data was breached). Calling the company's phone hotline connects you to a third-party subcontractor who directs you to the website and provides no details about the breach.

Searching the site for information about your breach subjects you to a clickthrough agreement in which you waive your right to sue the company.

Chief Executive Richard Smith called the breach "disappointing."


Besides the severity and scope of the pilfered data, the Equifax breach also stands out for the way the company has handled the breach once it was discovered. For one thing, it took the Atlanta-based company more than five weeks to disclose the data loss. Even worse, according to Bloomberg News, three Equifax executives were permitted to sell more than $1.8 million worth of stock in the days following the July 29 discovery of the breach. While Equifax officials told the news service the employees hadn't been informed of the breach at the time of the sale, the transaction at a minimum gives the wrong appearance and suggests incident responders didn't move fast enough to contain damage in the days after a potentially catastrophic hack came into focus.

What's more, the website www.equifaxsecurity2017.com/, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation WordPress, a content management system that doesn't provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn't perform proper revocation checks. Worse still, the domain name isn't registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people's details. It's no surprise that Cisco-owned Open DNS was blocking access to the site and warning it was a suspected phishing threat.

Meanwhile, in the hours immediately following the breach disclosure, the main Equifax website was displaying debug codes, which for security reasons, is something that should never happen on any production server, especially one that is a server or two away from so much sensitive data. A mistake this serious does little to instill confidence company engineers have hardened the site against future devastating attacks.

Why the Equifax breach is very possibly the worst leak of personal info ever
[Dan Goodin/Ars Technica]