Last week the credit reporting company Equifax was hacked in what is reportedly one of the largest leaks of personal information to date. More than 143 million accounts were compromised, which in some cases meant that users’ names, birth dates, social security numbers, addresses and drivers license numbers were obtained by the hackers.
The hack exploited a vulnerability on the Equifax website. The company found out about it in July and quickly worked to correct it, but not before the massive haul of user data had been extracted. The company is instructing users to visit a website that it created in order to see if their information was among the compromised accounts. But to run this check users are asked to check a box that surrenders their right to sue Equifax for negligence.
While this is often a standard procedure for companies that have been hacked, cybersecurity and technology policy expert Pablo Molina, DLS, Drexel’s chief information security officer, suggests that Equifax could be doing a better job to help its customers.
What is a website vulnerability and how might someone notice that a website they’re using could be vulnerable?
Behind the scenes, websites operate many software components, including custom programming. The more components, the more complex, and the larger a website is, the easier it is for hackers to find vulnerabilities.
The most obvious website vulnerability would be the lack of a website certificate, that is, proof that the website uses encryption to communicate with visitors. Most browsers alert users when a website does not have a certificate.
This, however, was not the problem with Equifax. In the case of Equifax, hackers used a much more sophisticated vulnerability, one that the company took months to identify, one that no website visitor could have detected.
Why is this haul of data particularly useful/valuable for hackers? What could happen with it now that it’s in the hands of hackers?
The information stolen from Equifax is some of the most valuable information for hackers: social security numbers, license driver numbers, full names, addresses, and related data. This trove of information allows criminals to impersonate the identity of others to request loans, open credit card accounts, hack into bank accounts, steal social security benefits and to commit other nefarious acts.
As the information makes its rounds through the hands of several criminals — sometimes bought and sold in the black market — expert fraudsters will categorize the data according to its value. For example, people with high credit ratings usually have wealth and do not check their credit scores frequently. These stolen pieces of information could be very lucrative for wrongdoers.
Now that Equifax is in “damage control” mode, they’re suggesting that users go to a site they created to see if they are among the users whose information has been compromised. Is this generally a good practice in these situations, considering they just had one website compromised?
Unless there is a third-party that we can trust more than Equifax — and there is none in this case — the Equifax remedial website is the only place where a person can find out whether or not their information was compromised. We must trust that Equifax has fixed its systems and that their remedial website is not compromised too.
What are some other options for people who want to know if their personal information has been obtained by hackers?
It is critical for all of us to periodically check our credit histories with the three credit bureaus, something that we are entitled to do for free once a year. It is also a good idea to sign up for identity theft protection but not necessarily through Equifax.
What is Equifax’s responsibility in a situation like this? Several stories have reported that users who go to the Equifax site to check on the status of their personal information have to click a box that cedes their right to sue the company. Is this ethical? Is it standard practice for companies in this situation?
The company should own up to its lack of diligence and protect consumers without any strings attached. This is not ethical but time will tell whether or not it is legal. If it is confirmed that users must give up some rights to sign up for identify protection with Equifax, they should certainly sign up with another provider to keep their options open.
Molina is the founder and executive director of the International Applied Ethics and Technology Association and serves on the board of the Electronic Privacy Information Center. He regularly comments on stories regarding privacy, ethics of tech companies and laws related to technology and information management.
For media inquiries contact Britt Faulstick, bef29@drexel.edu or 215.895.2617
