Thoughts on the Equifax Data Breach

Categories: Security

In 2017, a large amount of data was stolen from Equifax, a US-based company specializing in online creditworthiness checks. In September 2018, a report on the issue from the US Government Accountability Office (GAO) was finally released.

One good news article on the subject is from The Register. It is typical in that the emphasis is placed on two issues:

  • The failure of a system-monitoring tool to detect unusual behaviour within the company network, due to an expired SSL cert.
  • The failure of internal processes intended to detect software packages with known security holes (Struts in this case).

However in my opinion, there are more significant issues which I discuss in detail here.

UPDATE: A subcommittee of the US Senate have released a further paper on the topic; I have therefore updated the article referenced above.