Equifax has terrible information security practices, and that resulted in multiple breaches

Originally published at: https://boingboing.net/2017/09/14/thrice-is-enemy-action.html

  1. No oversight, because they’ve got key Congress-scum in their pockets
  2. No consequences because: see reason #1

Cynically, I predict a few mid-level IT staff will be canned, and the CEO will spend an uncomfortable few hours testifying before stern Congress-critters.

Other than that, it’ll be business as usual.

Except that some tens of millions of people will sign up for the “free” credit monitoring service, then forget to cancel it a year later, netting Equifux a sweet, delayed dividend for their depraved indifference.


What if I sent Equifax a cease and desist telling them to immediately purge all my data from their servers in light of their negligence?


They’ll tell you they did it.

Just like they tell their customers they follow security best practices.


Huge surprise: the vulnerability was in an app that lets Java and Apache talk to each other. Gee, you think they could have figured out a way to shoehorn Adobe Flash in there as well?


If you haven’t already done so, it is advisable to put a freeze on your Equifax file to prevent anyone from opening new accounts in your name. Normally it costs $5 or $10 but the fee has been waived in light of the latest security breach.
Here’s the number: (800) 349-9960 or you can do it online at the Equifax website.

Also, FYI: The website to check if you’re affected is bullshit. Here’s me putting in Smith and 123456 for name and last six of “my” SSN.


It’s unlikely, but not super unlikely that in a random sample of 143 million Americans you would find someone named Smith with that SSN.

Maybe try the same with last name Dystopia.

Apache Tomcat is the/a technology that lets Java and Apache HTTPD talk to each other. Apache Struts is an application framework, it can run on Java Application servers other than Apache Tomcat.

Since the issue was in Struts and not Tomcat, this vulnerability likely has nothing to do with the Apache web server itself.


Apache is an umbrella group for a large number of open source projects, many of which are not directly related to serving web applications/pages. It’s easy to see Apache and think web server; I still tend to do that myself, then I get confused, then I remember that like 90% of what Apache does now is unrelated to the Apache HTTPD project.

In my experience with dealing with large financial institutions, many don’t keep separate test/development and production systems and databases. Often they just flag accounts in their production systems as ‘test’ accounts. This probably means that the credit check site is full of semi-bogus name/SSN combinations that were used some time in the last 30 years to test some internal system. If you try Smith and 6 random digits you would probably not get a hit, but picking a pattern that is obviously fake makes it likely to hit test data. I’d bet there are also a lot of Smith 111111s and Smith 111112s in the data as well.


Watch the responses from the server in a browser’s debug window. There was nothing like a yes or no; all the responses from the server were either “Unknown - check back later” or “Undefined”. The browser-side JavaScript picked which message to show.


Holy cow.


Yikes. That’s pretty bad.

I also saw some people on Twitter saying that their real name and their real SSN resulted in different results at different times.
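The two observations above (the server never answering yes or no, and the same real name/SSN getting different answers at different times) are both things you can test for mechanically instead of by eyeballing the debug window. Below is an added example, not code from this thread or from Equifax’s site: a small differential probe that asks a lookup endpoint the same question a few times for a few inputs and classifies it as “no-signal” (answer never depends on input), “inconsistent” (same input, different answers), or “informative”. The `queryEndpoint` argument stands in for a real HTTP call; the three endpoints, the probe inputs and the impacted set are all constructed for the demo.

```javascript
// Added example: differential probe for a "were you affected?" lookup page.
// Two checks: (1) do answers change when the input changes, and
// (2) does one input get the same answer when asked repeatedly?
// `queryEndpoint(input) -> string` is caller-supplied (in practice a fetch()).

function probeEndpoint(queryEndpoint, inputs, repeats = 3) {
  const results = inputs.map((input) => ({
    input,
    answers: Array.from({ length: repeats }, () => queryEndpoint(input)),
  }));

  // (2) stability: every repeat of one input should yield a single answer
  const unstable = results
    .filter(({ answers }) => new Set(answers).size > 1)
    .map(({ input }) => input);

  // (1) input dependence: across different inputs, first answers should vary
  const firstAnswers = new Set(results.map(({ answers }) => answers[0]));
  const dependsOnInput = firstAnswers.size > 1;

  let verdict;
  if (unstable.length > 0) verdict = "inconsistent";
  else if (!dependsOnInput) verdict = "no-signal";
  else verdict = "informative";

  return {
    verdict,
    dependsOnInput,
    unstable,
    distinctAnswers: [...new Set(results.flatMap((r) => r.answers))],
  };
}

// Constructed probe inputs: one plausible record and two obviously fake ones.
const PROBE_INPUTS = [
  { lastName: "Smith", last6: "123456" },
  { lastName: "Dystopia", last6: "111111" },
  { lastName: "Garcia", last6: "987654" },
];

// Mock 1 (constructed): the answer never carries a yes/no at all.
function noSignalEndpoint(_input) {
  return "Unknown - check back later";
}

// Mock 2 (constructed): the answer depends on when you ask, not what you ask.
let flapCounter = 0;
function flappingEndpoint(_input) {
  return flapCounter++ % 2 === 0 ? "Unknown - check back later" : "Undefined";
}

// Mock 3 (constructed): a lookup that actually consults an impacted set.
const IMPACTED = new Set(["Garcia:987654"]);
function realLookupEndpoint({ lastName, last6 }) {
  return IMPACTED.has(`${lastName}:${last6}`) ? "impacted" : "not impacted";
}

// Runs the probe against all three mocks and returns their verdicts.
function runDemo() {
  return {
    noSignal: probeEndpoint(noSignalEndpoint, PROBE_INPUTS).verdict,
    flapping: probeEndpoint(flappingEndpoint, PROBE_INPUTS).verdict,
    real: probeEndpoint(realLookupEndpoint, PROBE_INPUTS).verdict,
  };
}

console.log(runDemo());
```

Against a live site you would swap the mocks for a function that submits the form and returns the raw response body (not the message the page’s JavaScript chooses to display), since the whole point is to test what the server actually says.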

I strongly suspect you don’t achieve peace of mind by working in IT for a bank that holds your money, or in the kitchen for a restaurant you frequent.


Whenever someone complains about the Apache web server’s configuration format, I say “clearly you haven’t had to support Tomcat yet”. :wink:


This topic was automatically closed after 5 days. New replies are no longer allowed.