News - September 21, 2017 - by Ray Hagar
By Ray Hagar
The breach of personal information from credit monitor Equifax is much worse than the public probably realizes, a leading cyber security expert said on Nevada Newsmakers Thursday.
"Whatever you've heard about Equifax, it's much worse," said Ira Victor, digital forensic analyst for DiscoveryTechnician.com.
First, Equifax executives knew of the breach months before they first reported it early this month, he said.
Also, the special support web site Equifax set up so customers could see if their personal information (social security number, birth dates and even driver's licenses numbers) has also suffered breaches, Victor said.
The breach on Equifax's support web site has the potential to even be more sinister since it also also asked for the last six digits of your social security number to find out if you were compromised.
"Equifax has set up a site that politicians across the country and in Nevada have told citizens to visit to see if they have been breached and sign up for this Equifax service," Victor said. "That site has terrible data security and I saw it within five minutes after going to that site the day the breach was announced. It is so bad that even if you have slight computer skills, you can see the site has poor security."
Equifax knew of the breach months before it was announced, Victor said.
"They knew for weeks," he said. "It is not like they found out in the morning and threw this (support) web site together. They knew for weeks that they had been breached. And this is part of the worst news that has just come out within the last few days that Equifax, said 'Oops, we thought the intruders were in there in May, but they were there months before.' "
Earlier this week, the Minneapolis Star Tribune reported that Equifax learned about a major breach of its computer systems in March — almost five months before the date it has publicly disclosed.
The revelations of a March breach also will complicate the company’s efforts to explain a series of unusual stock sales by Equifax executives, the Star Tribune reported.
August regulatory filings show senior Equifax executives sold shares worth almost $1.8 million in the month before the breach was announced, making the executives vulnerable to charges of insider trading, according to the Star Tribune.
"We had senior (Equifax) executives that were dumping their shares and they said, 'No, there was no connection to the breach because that (stock sale) was planned before it was discovered," Victor said. "So now that calls into question, what did they know about this in March?"
The U.S. Justice Department has opened a criminal investigation into the stock sales, according the Star Tribune. Equifax has said the executives had no knowledge that a breach had occurred when the transactions were made.
The Equifax breach has impacted 143 million U.S. consumers, according to reports. But it is just one factor in a larger crisis, Victor said.
"What we are seeing with Equifax is the tip of the iceberg -- about how bad the data security system is in our country and around the world," Victor said.
Cyber crime is expected to cost global businesses $8 trillion over the next five years, according to Juniper Research, who clients include IBM, Intel, Verizon and T Mobile.
"This is just like a train wreck, but worse," Victor said.
"The main Equifax website, the one that was always running even before this breach happened, security researchers have looked at that site and found serious security problems," he added.
Victor said he is often asked why can't companies "figure out" cyber security.
"This is the reason why: All these big and small companies have an approach to data security that they have been using for 40 years," Victor said.
"They take a highly insecure system, a Windows computer, a Windows system and routers -- and all of these systems were engineered to be open and inter-operational," Victor said. "Then someone in IT (information technology) says we need to add security over this. So they place these gizmos on top of an insecure system. And when you take a fundamentally insecure system and add more gizmos on top of it, you add complexity. You make the system less secure.
"There was a large breach a few years ago in the state of South Carolina when their entire income tax data was breached," Victor added. "All that data for their state income tax system was made available for cyber criminals.The answer from the political officials was, 'We're buying more firewalls.' So they're buying more gizmos to add on to the insecure system.
"The definition of insanity is that you keep trying the same thing and expect a different result and that is what we are seeing," Victor said.
All data and credit reporting companies "are using the same security model," Victor said.
"They take an in secure system and add on complexity and somehow magically, it is going to be more secure -- but it is less so," he said.
Victor says there are ways for consumers to fight back:
Don't give out personal information so easily: "When a business asks you for your personal identifiable information, stop for a second and say, 'Wait a minute, can't you give me a unique number that is in your data base as my customer number? Why do you need my social security number for me to do business for you?' People need to start pushing back."
Freeze your credit accounts: "Unless you are going out and applying for loans month after month, it does not hurt to do a credit freeze," Victor said. "You can send a letter to Transunion or Equifax and say I want my credit frozen for the next 90 days and they have to do that for free. What people can do is print out a year's worth of those letters and then put them in an envelope and date them. Then you send them out four times a year. When the three months is up, send those letters out again and all it cost is three or four stamps and it is much less expensive than someone getting your information."
Don't be a fool: "You can make a difference, you can actually make it harder for the bad guys to get to you," Victor said. "And if the bad guys don't get to you, they will get to somebody else. And, I'm sorry to say, the person who says they don't care, let them be the one who is compromised."