
The Equifax hack exposed critical personally identifying information on more than 145 million American adults. That's not all adults by any means, but it's well over half the adults in the country. Now we know that social security numbers, credit cards (in some cases), full names, and home addresses aren't the only things the hackers made off with. They got nearly 11 million driver's licenses, too.

That's the latest from the Wall Street Journal, which reports that 15.2 million customer records in the UK were also compromised. That may not sound like much compared with the United States, but the UK's population is 65.64 million, which means a significant percentage of the UK was compromised. 700,000 British accounts leaked "sensitive" information as well, though we don't know exactly what that refers to.

Equifax has been absolutely hammered for its atrocious response to the hack, as well as the lapses in security that created the situation in the first place. Even after its security was penetrated in March, the company failed to apply mission-critical patches, leading to the catastrophic breach. In the wake of the disaster, Equifax has offered free credit monitoring services and fired its CEO, CIO, and chief security officer.

"Again, I would like to extend my most sincere apologies to anyone who has been concerned about or impacted by this criminal act," said Patricio Remon, Equifax's president for Europe. "Let me take this opportunity to emphasize that protecting the data of our consumers and clients is always our top priority."

The company's former CEO, Richard Smith, told a congressional committee that the breach was the result of "both human error and technology failures."

We disagree. While it's true that vulnerabilities existed in Apache Struts that the hackers were able to take advantage of, it is practically impossible to perform a full security audit of every single piece of software before it ships. Even limited security audits that isolate specific code functions can be arduous affairs that drag on for months.

The above is not to dismiss the critical importance of testing software before release; it is only an acknowledgment of the fact that software bugs are going to exist and will need to be patched post-launch. That's why so many companies push out security updates on a regular schedule and sometimes respond immediately to critical, zero-day threats. Our existing security model is far from perfect, but it drastically reduces the risk of being attacked if companies stick to regular patch schedules for ordinary security updates and move quickly to apply critical updates when they are released.

If Equifax had been blind-sided by a previously unknown attack vector, we'd agree that "technology error" accounted for a meaningful percentage of the problem. But that's not the case here: a fix was available and appropriately labeled as mission-critical. Equifax simply didn't apply it.