

But it was mostly theater – which is mostly what committee hearings are. Since then, any legislative initiatives have stalled and there have been no government sanctions on the company or its leaders.

And, as has been clear for decades, banks and other businesses tend to have much more sway with government than consumers. Indeed, Smith told committee members that Equifax considers its customers to be banks and other businesses – not the consumers who are required to hand over their PII (personally identifiable information) if they want to get a loan.

So, I wrote last fall, “Chances are that a year from now, the world of data security will perhaps have been tweaked, but not fundamentally changed. Congress will have moved on to some other outrage. And 145.5 million people will definitely not have each received a $2,000 check from Equifax.”

Can we all say “Cambridge Analytica” or (Supreme Court nominee) “Brett Kavanaugh”? No government sanctions on Equifax in general, or any of its executives? Check.

By February, there were multiple reports that an investigation of the company by the Consumer Financial Protection Bureau (CFPB) had stalled – it wasn’t doing any of the things that would be expected, such as issuing subpoenas to top management. The CFPB disputed that, saying the investigation was ongoing, but if it is, there doesn’t appear to be much urgency to it.

Same, apparently, for the Federal Trade Commission (FTC), which said a year ago that it had opened an investigation into the breach (it is highly unusual for the commission to acknowledge an investigation), but there haven’t been any announcements since then.

An FTC spokesperson, Juliana Gruenwald Henderson, said this week the agency had “no additional comment at this time.”

And, as the Atlanta Journal-Constitution (where Equifax is headquartered) noted, “The agency has since named as chief of its consumer protection division a lawyer who has represented Equifax.”

Yes, there have been lawsuits, charges of insider trading against two top executives, and some in top management besides Smith are no longer there. The new chief information security officer, Jamil Farshchi, told Wired magazine in July that the company has invested $200 million in data security infrastructure. Which is a lot of money at one level, but only 1.4% of the net worth of a $13.8 billion company.

Meanwhile, Smith “retired” with a $90 million payday. And there has been nothing punitive from allegedly outraged government officials. Even though this was a breach vastly more damaging than compromised credit cards, since those numbers can easily be changed. One sardonic tweet at the time declared that everybody should immediately change their name, date of birth, address, gender and Social Security number.

And, even though it should surprise nobody, the Identity Theft Resource Center is out with a report this week that says the main impact is on consumers – that besides feeling angry and violated, they feel “fear … worry, anxiety … annoyance, frustration, powerlessness and helplessness” about the risks of identity theft and their finances being looted.

Finally, what about the world of data security? There are always ongoing tweaks, but Equifax was not a game changer. Indeed, that breach happened because the company had failed to install a patch that had been available for two months, for a vulnerability in Apache Struts, a popular piece of open source web software.

“I’d love to say that Equifax was a turning point in application security,” said Tim Mackey, technical evangelist at Black Duck by Synopsys, “but the 2018 OSSRA (Open Source Security and Risk Analysis) report showed that of the analyzed code bases containing Apache Struts, a third of them still contained a version vulnerable to the same bug that impacted Equifax. A year later, numerous companies have failed to patch that same bug.”

“It’s fair to conclude that a lack of awareness of precisely what’s in a given software application and its ‘stack’ is part of the problem,” he added.

“Put another way – you can’t patch what you don’t know you’re running.”
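The closing point, that you can’t patch what you don’t know you’re running, is the premise behind keeping a component inventory and checking it against advisories. The Python below is an added illustration of that idea; it is not code from the article, from Equifax, or from Black Duck/Synopsys. The inventory, the application names and the advisory with its version bounds are all constructed placeholders (the real Struts advisory ranges are deliberately not used), and an inventory entry with no recorded version is reported as a finding in its own right, because nothing can be said about a component whose version nobody wrote down.

```python
"""Inventory-driven patch check: an added illustration, with constructed data.

The advisory bounds are placeholders, not the real Struts advisory, and the
applications and components listed in the inventory are invented."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    component: str        # artifact name as it appears in the inventory
    first_affected: str   # lowest affected version (inclusive)
    first_fixed: str      # first version carrying the fix (exclusive bound)
    advisory_id: str      # placeholder identifier, not a real CVE


def parse_version(text: str) -> tuple:
    """'2.5.10.1' -> (2, 5, 10, 1). Each dotted piece contributes its leading
    digits; parsing stops at the first piece without any ('2.x' -> (2,))."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def version_in_range(version: str, first_affected: str, first_fixed: str) -> bool:
    """True when first_affected <= version < first_fixed, compared numerically
    so that 2.0.10 sorts after 2.0.9 and 2.0 equals 2.0.0."""
    v, lo, hi = (parse_version(s) for s in (version, first_affected, first_fixed))
    width = max(len(v), len(lo), len(hi))

    def pad(t):
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) < pad(hi)


def assess(inventory: list, advisories: list):
    """Split an inventory into (vulnerable, unknown, clean).

    vulnerable: (app, component, version, [advisory ids]) inside an affected range
    unknown:    (app, component) with no recorded version; cannot be assessed,
                which is itself the finding
    clean:      (app, component, version) outside every affected range
    """
    vulnerable, unknown, clean = [], [], []
    for entry in inventory:
        app, name, version = entry["app"], entry["name"], entry.get("version")
        if not version:
            unknown.append((app, name))
            continue
        hits = [a.advisory_id for a in advisories
                if a.component == name
                and version_in_range(version, a.first_affected, a.first_fixed)]
        if hits:
            vulnerable.append((app, name, version, hits))
        else:
            clean.append((app, name, version))
    return vulnerable, unknown, clean


# Constructed advisory feed: the version bounds are placeholders.
ADVISORIES = [
    Advisory("struts2-core", "2.0.0", "2.0.10", "EXAMPLE-ADVISORY-1"),
]

# Constructed inventory across invented applications. The third entry models
# the gap the text describes: the component is deployed, but nobody recorded
# which version.
INVENTORY = [
    {"app": "loan-portal",    "name": "struts2-core", "version": "2.0.4"},
    {"app": "dispute-portal", "name": "struts2-core", "version": "2.0.12"},
    {"app": "legacy-upload",  "name": "struts2-core", "version": None},
    {"app": "loan-portal",    "name": "commons-io",   "version": "2.6"},
]


def report(inventory=INVENTORY, advisories=ADVISORIES) -> str:
    """Render the assessment as one line per inventory entry, worst first."""
    vulnerable, unknown, clean = assess(inventory, advisories)
    lines = [f"VULNERABLE {app}: {name} {ver} ({', '.join(ids)})"
             for app, name, ver, ids in vulnerable]
    lines += [f"UNKNOWN    {app}: {name} (no version recorded; cannot be assessed)"
              for app, name in unknown]
    lines += [f"clean      {app}: {name} {ver}" for app, name, ver in clean]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

In practice the inventory would come from an SBOM or the build manifests of each application and the advisory list from a vulnerability feed; the shape of the check stays the same, and the UNKNOWN bucket is the one that tells you where the inventory itself needs work before any patch decision can be made.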
