Trust me, I’m a Company
By Mumin Khan | March 12, 2019
With great economic prosperity come great consequences. Americans hold the tenets of capitalism and growth closely as a fundamental part of their identity. The rewards America reaps by obsessing about profits are undeniable; America is the single largest economy in the world by a number of metrics. Americans enjoy some of the best wages in the world, have access to the best postsecondary education, and enjoy a reasonably high quality of life. Simply earning over $32,400 per year puts you in the top 1% globally; the median income for US households in 2017 was $61,372. This same profit addiction that has taken Americans to such highs has also brought them new lows. The legislative climate in the United States has all but guaranteed that corporations can play fast and loose with the lives of consumers and face little to no consequences when things go south. The larger the corporation is, the more it can get away with.
On September 7th, 2017, Equifax, one of the largest American credit bureaus, which collects information on an estimated 820+ million people and 91+ million businesses, disclosed that it had been hacked several months before. Over 143 million people had sensitive information, including names, addresses, dates of birth, Social Security numbers, and driver’s license numbers, stolen from Equifax over a period of 76 days. Obtaining some or all of this information would allow a malicious actor to assume someone’s identity for financial gain and wreak havoc on their life.
Pictured above, Revenue of the largest credit bureaus in millions of dollars.
The method of intrusion was a known vulnerability in Apache Struts, a web technology that powered Equifax’s dispute portal. This same vulnerability, dubbed CVE-2017-9805, was found in Equifax’s system by the United States Computer Emergency Readiness Team in March 2017 and disclosed to them. Internally, Equifax circulated the information using an email list of system administrators. Unfortunately, the list was out of date and certain key SAs did not get the notice to update Struts. To make matters worse, an expired certificate allowed hackers to bypass automatic malicious activity detection software throughout the 76-day breach. Once inside, the hackers found that individual databases were not isolated from one another, which allowed them to access more personal information. During this process, the hackers gained access to a database of unencrypted credentials, which then allowed them to query against even more user information. More information can be found in the following GAO Report: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach.
Given the facts of the hack, it’s hard to view Equifax as a victim alongside the 143 million people that had their information stolen. Rather, its systematic failures to protect the private data of users, who often don’t have a say as to what Equifax collects on them, make it an accomplice to the hack. Yet nearly two years after the hack was initiated, no charges against a single Equifax employee were filed. No fines were levied on the corporation. No legislative action has been taken to audit and monitor Equifax in the future. In fact, the opposite happened: Congress passed Senate Bill 2155, which shielded Equifax from class action lawsuits.
Pictured above, Representative Mike Crapo, sponsor of S. 2155
Equifax abdicated its responsibility to guard the data that it collects on people. Why aren’t there regulatory requirements on private companies that collect extremely sensitive personal information on American citizens? Where are our institutions that hold these organizations accountable? Someone will always pay for data breaches like this one. As of now, only the American consumer has paid. Until we start guaranteeing each American’s right to the protection of their data, these types of incidents will continue to happen.