Another Engineer Blamed for Poor Process

Back in March, I wrote about the poor Amazon engineer who accidentally brought down a portion of the Internet by removing a larger-than-expected number of servers from operation in AWS S3. That made for a bad day.

Well, it seems that something else happened in March, around the same time. Another engineer at a different company failed to do something, which would cause him to have a bad month a few months later.

We’ve all heard that Equifax got hacked this summer, exposing the most detailed personal information of almost every American (140 million, which is almost every adult who interacts with the financial system in some way). I was personally furious when I heard about it, and some are calling it the most serious hacking incident ever.

It’s debatable, since Yahoo confirmed yesterday that hackers stole the emails and encrypted passwords of 3 billion accounts 4 years ago. But certainly, getting email addresses is less valuable than credit details and social security numbers.

The other thing about Equifax is that these are not user accounts, but people who have no direct relationship with Equifax. These 140 million people are the product, not the customers.

But we can all agree that Equifax was a huge hack.

Yesterday, the CEO submitted written testimony to Congress that says the following.

On March 9, Equifax disseminated the U.S. CERT notification internally by email requesting that applicable personnel responsible for an Apache Struts installation upgrade their software. Consistent with Equifax’s patching policy, the Equifax security department required that patching occur within a 48 hour time period. We now know that the vulnerable version of Apache Struts within Equifax was not identified or patched in response to the internal March 9 notification to information technology personnel.

Further detail was provided during his testimony.

The human error was that the individual who’s responsible for communicating in the organization to apply the patch, did not.

So to Equifax, the breach comes down to an individual whose job it was to patch systems when notified of security vulnerabilities, and who did not patch it.

To me, a company that has such precious data (such as a bank or credit reporting agency) should have more robust security processes to ensure a single missed patch doesn’t get overlooked.

And why was it so easy for the “online dispute website” to get access to the full database of consumers and credit info?