Five questions about the massive Equifax breach

The Equifax breach is potentially of a scale and scope the country has never seen, with a hacker pilfering up to 143 million people’s names, addresses, Social Security numbers and other personal information.

The situation is still fluid, however, and many important questions — even some that seem to be answered — are not entirely resolved.

Here are five outstanding questions about the Equifax breach. 

How many people were really affected? 

Many experts worry Equifax’s statement about the breach did not give the technical information needed for a full understanding of what happened. Nowhere is that more clear than the widely repeated statistic that the breach may have “potentially impact[ed] approximately 143 million U.S. consumers.” 

In a carefully worded statement, that could be taken to mean that the hacker had access to files containing information on 143 million people — something different than a hacker actually accessing those files.

“A lot of us are asking, ‘what is the explicit extent of the breach?’” said cybersecurity researcher Kenneth White. 

“Were there actually 143 million people in the files that were accessed? Was access to those files logged?” 

Without more data it is hard to say whether 143 million people had all of their personal stolen or if that is just an upper boundary of what could have been possible.

Equifax did not respond to a request for comment.

Why were the Equifax sites were designed so strangely?

Immediately after the breach was announced, security researchers began to notice unusual features of the Equifax and breach notification websites. 

The breach notification site, for example, was based on WordPress, the off-the-shelf web design program. WordPress is not insecure on its face, but it is also not the first choice program of most security minded designers with weeks of preparation time.

“This has a lot of the smell and feel of a hastily put together publicity site,” said White.

White noted that the breach notification site made the odd decision to be a standalone domain (equifaxsecurity2017.com) rather than be host the site on the Equifax domain.

By making that decision, the website was not immediately recognized by web browsers like Chrome and web infrastructure companies like Open DNS as a legit site. Instead, as people went to see if their data was accessed, they were greeted with warnings the site was a suspected phishing scheme.

“For years we’ve been educating people not to enter their personal information into sites they have never visited before to protect them from phishing,” said Shuman Ghosemajumder, chief technology officer of Shape Security. “And that’s exactly what the notification site asks people to do.”

The main Equifax site, too, raised a few eyebrows. White found the source code to certain pages contained references to Netscape Navigator, a web browser that has not been updated since 2008.

Researchers have also found that developers-eyes-only information, known as stack traces, for the Equifax site were visible to Google and indexed by the search giant. The stack traces would give valuable information about potentially out-of-date components in the site’s innards attackers could use to breach it.

“I’m surprised this wouldn’t be caught in a standard pen test,” said White. 

Will it cause people to rethink using Social Security numbers as a national ID? 

Social Security numbers have become a de facto identification code in the United States, used for everything from tax returns to medical records. But the codes are not a particularly secure form of universal ID. 

Like name, address and birthday, when Social Security numbers are stolen, they cannot be easily changed. One breach, and they are no longer secure. 

“I think we were getting to the point where we’d need to replace Social Security numbers as identification even before the breach, but this will be the end,” said Ghosemajumder.

But it is unclear what would replace the Social Security number as a standardized ID if it fell from public use. 

Will the forced arbitration clause controversy scare people away from credit monitoring?

Equifax is offering a free year of identity protection services to those protected by the breach through its TrustedID product. Depending on whom you ask, that service might come with a major catch.

TrustedID’s terms of service agreement says that enrollees must use arbitration rather than civil courts to settle any disputes, and cannot seek class action arbitration. Critics of arbitration say that the privatized system favors companies rather than consumers. 

Equifax claims that the arbitration clause only applies to the TrustedID service. But many consumers and even lawmakers worry that the clause will be used to squelch class action suits against Equifax over the original breach.

“It’s shameful that Equifax would take advantage of victims by forcing people to sign over their rights in order to get credit monitoring services they wouldn’t even need if Equifax hadn’t put them at risk in the first place,” said Sen. Sherrod Brown (D-Ohio). 

“If Equifax is genuine about wanting to protect customers, it must remove forced arbitration immediately from TrustedID and any other services offered to victims of the data breach.” 

After conversations w my office, @Equifax has clarified its policy re: arbitration. We are continuing to closely review. pic.twitter.com/WcPZ9OqMcL

— Eric Schneiderman (@AGSchneiderman) September 8, 2017

What should be done to prevent further breaches?

It is too early to say what mistakes, if any, led to the Equifax breach, or even if the breach was the result of a mistake by the company.

But the incidents raises questions about breach preparation and breach response that are difficult to answer.

Few if any of the 143 million people potentially impacted by Equifax are knowing customers of the service. Unlike a breach at a bank or department store, the people who were impacted by the breach cannot chose to use a different service in response. Market forces do not directly impact the company or its customers in the same way as other breaches.

“That detachment is something exemplified by the process of notification,” said Ghosemajumder.

“They don’t have a direct relationship with customers. So instead of sending out emails to tell everyone they had been breached, they are relying on 143 million people visiting their website and checking for themselves.”

The potential for harm in the breach of a data broker is extraordinary, in this case potentially leaving 143 million people vulnerable to identity theft, scams, stolen property and accounts and other problems.   

That, said Mark Testoni, president of SAP National Security Services, might mean it is time to treat data brokers differently than other businesses. 

“We need to start looking at these assets like critical infrastructure,” he said.

“We need to contemplate whether or not there was a policy change that could have made a difference.”