The breach of personal information from credit monitor Equifax is much worse than the public probably realizes, a leading cybersecurity expert said on Nevada Newsmakers in a recent interview.
“Whatever you’ve heard about Equifax, it’s much worse,” said Ira Victor, a digital forensic analyst for DiscoveryTechnician.com.
First, Equifax executives knew of the breach months before they first reported it early this month, he said.
Also, the special support website Equifax set up so customers could see if their personal information (Social Security number, birth dates, and even driver’s license numbers) has also suffered breaches, Victor said.
The breach on Equifax’s support website has the potential to even be more sinister since it also asked for the last six digits of your Social Security number to find out if you were compromised.
“Equifax has set up a site that politicians across the country and in Nevada have told citizens to visit to see if they have been breached and sign up for this Equifax service,” Victor said. “That site has terrible data security and I saw it within five minutes after going to that site the day the breach was announced. It is so bad that even if you have slight computer skills, you can see the site has poor security.”
Equifax knew of the breach months before it was announced, Victor said.
“They knew for weeks,” he said. “It is not like they found out in the morning and threw this (support) website together. They knew for weeks that they had been breached. And this is part of the worst news that has just come out within the last few days that Equifax, said ‘Oops, we thought the intruders were in there in May, but they were there months before.’”
Recently, the Minneapolis Star Tribune reported that Equifax learned about a major breach of its computer systems in March — almost five months before the date it was publicly disclosed.
The revelations of a March breach also will complicate the company’s efforts to explain a series of unusual stock sales by Equifax executives, the Star Tribune reported.
August regulatory filings show senior Equifax executives sold shares worth almost $1.8 million in the month before the breach was announced, making the executives vulnerable to charges of insider trading, according to the Star Tribune.
“We had senior (Equifax) executives that were dumping their shares and they said, ‘No, there was no connection to the breach because that (stock sale) was planned before it was discovered,’” Victor said. “So now that calls into question, what did they know about this in March?”
The U.S. Justice Department has opened a criminal investigation into the stock sales, according to the Star Tribune. Equifax has said the executives had no knowledge that a breach had occurred when the transactions were made.
Behind the numbers
The Equifax breach has impacted 143 million U.S. consumers, according to reports. But it is just one factor in a larger crisis, Victor said.
“What we are seeing with Equifax is the tip of the iceberg — about how bad the data security system is in our country and around the world,” Victor said.
Cybercrime is expected to cost global businesses $8 trillion over the next five years, according to Juniper Research, whose clients include IBM, Intel, Verizon and T-Mobile.
“This is just like a train wreck, but worse,” Victor said.
“The main Equifax website, the one that was always running even before this breach happened, security researchers have looked at that site and found serious security problems,” he added.
Victor said he is often asked why can’t companies “figure out” cybersecurity.
“This is the reason why: All these big and small companies have an approach to data security that they have been using for 40 years,” Victor said.
“They take a highly insecure system, a Windows computer, a Windows system and routers — and all of these systems were engineered to be open and inter-operational,” Victor said. “Then someone in IT (information technology) says we need to add security over this. So they place these gizmos on top of an insecure system. And when you take a fundamentally insecure system and add more gizmos on top of it, you add complexity. You make the system less secure.
“There was a large breach a few years ago in the state of South Carolina when their entire income tax data was breached,” Victor added. “All that data for their state income tax system was made available for cybercriminals.The answer from the political officials was, ‘We’re buying more firewalls.’ So they’re buying more gizmos to add on to the insecure system.
“The definition of insanity is that you keep trying the same thing and expect a different result and that is what we are seeing,” Victor said.
All data and credit reporting companies “are using the same security model,” Victor said.
“They take an insecure system and add on complexity and somehow magically, it is going to be more secure — but it is less so,” he said.
Ray Hagar is a journalist for “Nevada Newsmakers.” More information on the public affairs broadcast program, podcast and website is available at nevadanewsmakers.com