mobile-bannertablet-bannerdesktop-banner

Equifax: Whodunnit, How They Did It, and Why the CEO Won’t Go to Jail

Sep 16, 2017

The Equifax debacle is looking like the data equivalent of the Deepwater Horizon oil disaster. Personal information is gushing all over the Internet, and the more we find out, the worse it looks.

It's been nine days since the credit bureau revealed it lost control of sensitive data of over 143 million people, and here's what we've learned so far: The hackers came in through a vulnerability in the website frame work called Apache Struts; however, as Ars Technica's reliable security journalist reports, a fix for this flaw has been available since March 6. In other words, Equifax had ample opportunity to patch its systems but apparently failed to do so. It also appears the website Equifax offered consumers to see if they've been breached was also vulnerable to hackers.

Meanwhile, hackers are already purporting to sell some of the data on the dark web (it's unclear if it's authentic), and security dangers are popping up on Equifax's overseas sites—it turns out the company used "admin" for the login and password of its Argentine database. And for those of you who bought credit protection from Equifax, it looks like the hackers grabbed your credit card numbers.

As for who stole the data, "attribution is tricky" as the cyber experts say. Early guesses suggest a nation state might be responsible since Equifax has hired security company FireEye, which is known for its work tracking Chinese and North Korean hackers. But that's just speculative. (Check out the always excellent @SwiftonSecurity Twitter account for more on who did or didn't do it).

Finally, there's the question of whether anyone is going to be held accountable for the worst data breach in history. Don't get your hopes up that CEO Richard Smith, who has cashed in about $70 million worth of Equifax stock, is going to face any sort of justice. That's because, unlike when it comes to food or the environment, there are no criminal consequences for executives who massively mishandle data.

It doesn't have to be this way. As I argue in a legal analysis of the issue, the time is ripe to expand so-called "strict liability" and the "responsible corporate officer doctrine" to companies whose primary business is personal data. But until Congress passes new laws, Smith and others can rest easy about their data incompetence. In the meantime, the rest of you can rely on guides like this one to protect your credit.

Jeff John Roberts

@jeffjohnroberts

jeff.roberts@fortune.com

Welcome to the Cyber Saturday edition of Data Sheet, Fortune's daily tech newsletter. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.

THREATS

Facing down Face ID: Apple's new technology will open your iPhone X but also a Pandora's Box of privacy dangers. Think rogue cops, muggers, or jealous partners—all can unlock your phone just by pointing it at you. Robert and I got into it on this week's tech debate (he loves Face ID, I don't). Meanwhile, here's how Face ID works with sunglasses and your evil twin.

Oh, those Russians: Kremlin mischief-makers are better at news and social media than many American outlets. Case in point: Russia created the most popular Texas secession page on Facebook, and riled up some significant anti-immigration rallies on U.S. soil. This is not great news for Facebook, though, as Congress is asking what the heck is going on, and special prosector Robert Mueller came calling.

Bitcoin gone batty: It was another nutty week for our favorite crypto-currency. After getting dissed by Jamie Dimon and banned in China, bitcoin briefly fell below $3000. It's since recovered to around $3,600 but that's still off its historic high of $5,000—which was only two weeks ago! Most longtime crypto watchers feel bitcoin will be back (it always comes back!) but if you share Dimon's view that the whole thing is a fraud, we made this handy guide on how to short it.

Did you get the (secret) message? The quest to build secure communication tools—messaging apps, in particular—remain a big area of interest to the cyber crowd. We at Fortune like Signal best but if you want to get the bigger picture, the Baffler has a close look at Telegram (popular with journalists and ISIS) and the spooks who help fund these apps. Meanwhile, the app Confide, well-liked by White House and corporate types, introduced encrypted and screenshot-proof video messaging.

Share today's Data Sheet with a friend:

http://fortune.com/newsletter/datasheet/

Looking for previous Data Sheets? Click here.

ACCESS GRANTED

"The tech industry has also benefited for years from its enemies, who it cast — often accurately — as Luddites who genuinely didn’t understand the series of tubes they were ranting about, or protectionist industries that didn’t want the best for consumers. That, too, is over ... This has led to a kind of Murder on the Orient Express alliance against big tech: Everyone wants to kill them."

Ben Smith, editor of BuzzFeed, charts how political winds are shifting against Silicon Valley's behemoths—Google, Facebook, Amazon and Apple—and their public popularity will start to erode. If Smith is right, this will have implications for the firm's data, privacy, and security practices. 

ONE MORE THING

More dogs please. Too much of social media is a heaving mess of outrage and nastiness. Thank goodness, then, for the animals who intersperse themselves amidst all the political shouting. If you too need to cleanse your palette, meet Kohl, the Boise State pooch who retrieves tees after football kick-offs. Or watch one more time as "good boy" golden retriever Storm rescues this fawn from drowning.

All products and services featured are based solely on editorial selection. FORTUNE may receive compensation for some links to products and services on this website.

Quotes delayed at least 15 minutes. Market data provided by Interactive Data. ETF and Mutual Fund data provided by Morningstar, Inc. Dow Jones Terms & Conditions: http://www.djindexes.com/mdsidx/html/tandc/indexestandcs.html. S&P Index data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. Terms & Conditions. Powered and implemented by Interactive Data Managed Solutions