By Jeff John Roberts
September 16, 2017

The Equifax debacle is looking like the data equivalent of the Deepwater Horizon oil disaster. Personal information is gushing all over the Internet, and the more we find out, the worse it looks.

It’s been nine days since the credit bureau revealed it lost control of sensitive data of over 143 million people, and here’s what we’ve learned so far: The hackers came in through a vulnerability in the website framework called Apache Struts; however, as Ars Technica’s reliable security journalist reports, a fix for this flaw has been available since March 6. In other words, Equifax had ample opportunity to patch its systems but apparently failed to do so. It also appears the website Equifax offered consumers to check whether they’ve been breached was itself vulnerable to hackers.

Meanwhile, hackers are already purporting to sell some of the data on the dark web (it’s unclear if it’s authentic), and security dangers are popping up on Equifax’s overseas sites—it turns out the company used “admin” for the login and password of its Argentine database. And for those of you who bought credit protection from Equifax, it looks like the hackers grabbed your credit card numbers.

As for who stole the data, “attribution is tricky” as the cyber experts say. Early guesses suggest a nation state might be responsible since Equifax has hired security company FireEye, which is known for its work tracking Chinese and North Korean hackers. But that’s just speculative. (Check out the always excellent @SwiftonSecurity Twitter account for more on who did or didn’t do it).

Finally, there’s the question of whether anyone is going to be held accountable for the worst data breach in history. Don’t get your hopes up that CEO Richard Smith, who has cashed in about $70 million worth of Equifax stock, is going to face any sort of justice. That’s because, unlike when it comes to food or the environment, there are no criminal consequences for executives who massively mishandle data.

It doesn’t have to be this way. As I argue in a legal analysis of the issue, the time is ripe to expand so-called “strict liability” and the “responsible corporate officer doctrine” to companies whose primary business is personal data. But until Congress passes new laws, Smith and others can rest easy about their data incompetence. In the meantime, the rest of you can rely on guides like this one to protect your credit.

Jeff John Roberts


Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my, PGP encrypted email (see public key on my, Wickr, Signal, or however you (securely) prefer. Feedback welcome.

