PCLinuxOS Magazine

Security Breach At Equifax & Lessons To Learn From It


by phorneker

I first heard about the network breach at Equifax from watching the September 8 episode of CBC's The National on YouTube. My first thought was "this could not be happening", especially in an era of news where distinguishing truth from fiction is difficult. Then yesterday, I got an e-mail from my bank regarding the breach, so I decided to investigate this for myself.



The rumors were confirmed true with a visit to Equifax's website. (Source: http://www.equifaxsecurity2017.com)

Before Equifax transitioned its credit reporting services to an online only operation (starting in 1998), one could go to a local credit bureau and get a credit report. Back then, you could pay $8.00 for a copy of your Equifax report, and if you had been denied credit in the past sixty days, that report was free.

From 1993 to 1998, I worked in one of those local credit bureaus, first as a data entry clerk in charge of public records, and also as the Information Technology person for the local bureau.

Among the things I accomplished there was the development and maintenance of credit reporting software (both as a stand-alone application and as software to report data from customer databases).

When I first came to the local bureau, our setup was a network of 3270-compatible terminals manufactured by Harris Technologies (the 9100 series) connected to a hub, where the configuration of the 3270-compatible terminals and the hub was stored on a single 5.25 inch floppy disk. The hub communicated with the Equifax network through a dedicated phone line and a 56k modem. There was also a line printer connected to the hub, which was about the size of a vanity fixture for a small bathroom (cabinet included). The paper (11 x 17 inches) was fanfold and was fed from underneath the printer.

In 1996, that setup was replaced with a 75 MHz Pentium machine for the hub, running OS/2 2.1, and 50 MHz 486 systems for the workstations, all IBM-branded equipment, with the workstations running PC-DOS 6.3 and custom 3270-emulation software. The machines had Windows 3.11 installed, but Windows was never used. The printer was replaced with a standard IBM-branded printer that had a wide carriage. That printer was connected to a workstation where consumers came in to get their credit reports.

At that time, my home machine was a Compaq Presario 425 running OS/2 Warp 3.0, and this was two years before I started using Linux (with Red Hat 5.2).

The bureau where I worked was also a collection agency, and the computer setup there was a Digital (now HP) PDP-11 running Digital UNIX for the operating system and FACS for the collection software. Users interacted with it through Televideo terminals (VT-100 compatible). In addition, there were two internal networks running Netware 3.x. One of those was for general business use, with various 486 machines running Netware 3.x on Windows 3.11 and a single HP Deskjet 870cse for shared printing. The other was a single server, an AcerFrame 500 running Netware 3.x, with three workstations connected to it for processing mortgage applications. The workstations were 386 machines that I rebuilt with the operating system and networking software on a single floppy. (This was an early version of the thin client concept for networking computers.)

When the office closed down, I got the AcerFrame 500 and the DeskJet 870cse as part of my severance package. It was this machine that I rebuilt from a mortgage processing server into a Red Hat 5.2 workstation. (I had to install a CD-ROM drive in order to install Linux.)

...and that was my working relationship with Equifax.

Today, I checked out the job offerings in their IT department and learned that Equifax has de-emphasized the IBM mainframe and focused more on Web technologies, using a combination of Oracle products (Java and Oracle Database) and Microsoft products (specifically the .NET framework).

In my opinion, the Equifax system was far more secure back in the 1990s when credit files were stored on IBM mainframes and accessed through custom software, than the solutions implemented by Equifax today. Knowing the reputation of C# and the .NET framework, using C# was quite a risk itself in terms of security, let alone stability.

We have Java in the PCLinuxOS repository, and it is quite secure and stable, so we can rule out Java itself as a factor in what happened with the security breach.

Then comes the question of how often Equifax's IT infrastructure is kept up to date. In the past few issues of this magazine, we have emphasized the importance of keeping our systems up to date and secure (including the advice discouraging third-party software installation).

The mainstream media emphasizes purchasing Windows and keeping it up to date (as well as making sure the copy of Windows is registered with Microsoft). The fact that we are using PCLinuxOS is proof enough of how ignorant the mainstream media is when it comes to keeping our information technology infrastructure working properly.

A more famous example of what I am talking about is what happened with a UK health care facility when their entire network of machines became infected with the WannaCry malware. This was a result of indifferent management and indifferent policy when it comes to IT maintenance.

Credit files (as well as medical records) contain personally identifiable information that should always be kept confidential and revealed only to those with a legitimate need for that information. One would think that security would be the main priority when it comes to the IT infrastructure. Knowing that the Windows philosophy was always built on convenience rather than security, it is up to the people in charge of IT to do what they can to make the infrastructure as secure as possible, even if it means additional costs for added security.

The articles about security in the past few months of this magazine are examples of what we can do as users of PCLinuxOS to make our systems as secure as possible, and they do not cost a thing to implement.

I cannot say what Equifax does, or more specifically what their IT department does, to keep their infrastructure up to date and secure, but I do know that the closure of local bureaus has saved Equifax millions of dollars in expenses over the past twenty or so years.

But at what cost?

Implementing an online only solution to credit reporting was a good idea at the time, but with it came some inherent risks and costs.

First, placing any data as sensitive as credit information on the Internet comes with the inherent risk of data breaches, as the technology used to access data is constantly evolving, and no security mechanism is perfect, no matter how old that security mechanism is.

Second, there is a cost in consumer trust and confidence in credit bureaus. When Equifax maintained local bureaus (the same applies to TransUnion and Experian), people had face-to-face contact with the credit bureau, as there were staff in the office ready to help the consumer right there and then. Dispute cases were opened on site and processed on site. One could put trust in the credit bureau to help solve credit problems, because people were there to solve those problems.

Now, with the online presence, relations with the consumer could not be more distant or faceless. What a price to pay to save a few dollars.

When we think about it, the same could be said for social media in general. A CNN report not too long ago was about a generation of people who are so addicted to social media and the smartphones used to access it that they may be standing next to one another and yet be as isolated as if they were thousands of miles apart.

While we have the PCLinuxOS Forum to interact with one another, it is more important that we take a break often and actually live in the real world. PCLinuxOS will still be there and (if funded properly) will be there for the next generation of Linux users.

Editor's Note: If you are worried that your data may have been exposed in the Equifax data breach, you can securely check whether your data was involved here, at Equifax's TrustedID site. Just enter the requested data, and you will immediately receive an answer.
