Early last month, credit reporting agency Equifax revealed that it had suffered one of the largest security breaches in history. More than 143 million American citizens have had their information compromised, with data ranging from banking information to social security numbers falling into the hands of the attackers. Currently, it’s unclear if the attack was state-sponsored – though given the specifics, that hardly matters.
See, the entire thing happened because of a security flaw in one of Equifax’s servers that it failed to patch. This isn’t the first time the firm has played fast and loose with financial information, either. A short time after the breach was unveiled, Brian Krebs of Krebs on Security discovered that one of Equifax’s web administrators had the password/username combo of admin/admin.
Anyone who opted to try that combination could then add or remove employee accounts from the system, in addition to viewing passwords, viewing the source code of the site, or accessing the personal data of anyone in the system. To call it an egregious flaw would be putting it lightly. It’s the sort of mistake you’d think would be in training manuals – the kind of thing no one should ever do.
The sad thing isn’t that Equifax practised such poor security. It’s the fact that they’re far from the only organization to do so.
Consider, for example, that 60% of the security flaws exploited by hackers are more than ten years old. That nine in ten organizations that had flaws exploited as part of a cyberattack had left them unpatched for three years or more. That the majority of cyberattacks aren’t the result of a sophisticated plan, but simply of an exploit against a known flaw that was never patched.
What makes the situation with Equifax so troubling is that it speaks to an unpleasant truth about the state of cybersecurity. Our data, no matter where it’s stored or with what company, is constantly at risk. We have no assurance that businesses are doing what’s necessary to keep our information safe and protect us from identity theft.
Equifax is far from the first major organization to fall under scrutiny for poor security practices, nor will it be the last. Until we have some means of more effectively taking organizations to task for failing to keep our information safe, breaches like this are still going to happen. In the meantime, the best that any of us can do is to keep track of our own data – and to ensure our own businesses are an exception to the sad state of the security space.