It doesn’t matter if China hacked Equifax

On Monday the FBI and AG Barr announced “an indictment last week charging four members of the Chinese People’s Liberation Army (PLA) with hacking into the computer systems of the credit reporting agency Equifax and stealing Americans’ personal data and Equifax’s valuable trade secrets.” China’s military refutes the charges.

It was a message of PR reprieve for the skinsuits at Equifax, who spend their life cycles profiting from tracking and trading our personal and financial information (and we’re powerless to stop them). Especially now as we’re seeing reports about how four Chinese hackers “took down Equifax.”

That sure sounds a lot better (for them) than the fact that Equifax’s security failures were so bad for so long that a breach was inevitable. One month after Equifax admitted the breach, press and pundits remarked on the multitude of issues saying it was probable “that more than one group of hackers broke into the company.”

Yeah, something makes me think China’s hackers are more of the “hoarders” variety, not the ‘sing Kumbaya’ sharing kind — and our stolen Equifax data was definitely shared. “Katie Van Fleet of Seattle she’s spent months trying to regain her stolen identity, and says it has been stolen more than a dozen times,” reported NBC. “I didn’t sign up to use Equifax, so I feel all of that stuff has been taken, and now I am left here trying to sweep up the pieces and just trying to protect myself and protect my credit,” Van Fleet said.

And that’s the thing: None of us signed up for Equifax. Yet here we are.

Stop me if you’ve heard this one

Google wifi and iCloud illustration

In late 2017, the plucky little credit bureau that built its business nonconsensually getting dirt on Americans in order to deny them insurance claims (Equifax) suffered a wholly predictable calamity, endemic to powerful corporations whose engines are fueled by arrogance, hubris, and greed.

In early September 2017, Equifax was forced to reveal a breach it had known about for months. It impacted approximately 143 million U.S. consumers, as well as information on some Canadians and up to 44 million British residents, putting the total just shy of 200 million.

The stolen files were described as “records.” But by early 2018 Equifax was forced to admit “records” meant our names, home addresses, dates of birth, Social Security numbers, credit records, drivers licenses, passports, and really, just everything.

By March 2018, the company revealed it found a few more breach victims in its couch cushions. “In September last year Equifax said it had discovered that 145 million US customers may have had their information stolen,” BBC cavalierly reported. “Its investigation into the breach has revealed that the details of a further 2.4 million Americans went astray.”

The company had been warned by a security researcher to fix its vulnerabilities months before the first attack was alleged to have happened. That researcher shared their findings with press, showing that a public web portal allowed anyone “with no authentication whatsoever … to access the personal data of every American, including social security numbers, full names, birthdates, and city and state of residence.” What’s more:

While probing Equifax servers and sites, the researcher said that they were also able to take control—or get shell access as hackers refer to it—on several Equifax servers, and found several others vulnerable to simple bugs such as SQL injection, a common, basic way of attacking sites. Many servers were running outdated software … Equifax had thousands of servers exposed on the internet…

The researcher reported all of this to the company. “If it took me three hours to find that website, I definitely think I’m not the only one who found it,” they told Motherboard. “It wasn’t just one breach. It was maybe dozens.”

Six months after that first researcher notified the company about the vulnerability, Equifax patched it — but only after the massive breach had already taken place, according to Equifax’s own timeline.

When called in on the carpet for a congressional hearing about the privacy and consumer identity apocalypse Equifax ushered into our cursed timeline, WSJ reported that Equifax’s temporary chief executive told Congress he wasn’t sure whether the company was encrypting consumer data. Equifax was indeed storing unencrypted user data on a public-facing server, and “didn’t encrypt its mobile applications either. — and when it did encrypt data, it left the encryption keys on the same public facing servers.”

Eventually, one big class-action lawsuit revealed that wasn’t all: we found out Equifax used ‘admin’ as a username and password internally.

But okay. They want us to blame China.

Chinese Hackers Equifax

The breach earned Equifax a lot of public humiliation — besides all the bad press, at least 240 lawsuits were filed. Still, it seemed like the company liked that sort of thing. Security company FireEye quietly removed its boasting about protecting Equifax from its website, but was still hired to handle Equifax’s incident response.

Equifax’s response to everything was a masterclass in how to do everything wrong.

Right after the breach, it came out that Equifax had been rated an “F” in app security; the company responded by silently disappearing its apps from the Apple App Store and Google Play (Android).

Equifax tried to blame the breach on a single vulnerability in Apache Struts; Apache wasted no time releasing a statement showing Equifax was to blame for not patching it. The company had been notified about it six months before the alleged incident occurred.

Within an hour of the breach’s public admission, information emerged that three Equifax executives sold stock just before the breach and after the company had internal knowledge of the incident (a month prior to the public acknowledgement).

Speaking of profiting off our pain… One of the engineers who worked on coding Equifax’s “” website was found to have abused people’s information for insider trading Equifax stock. This was the WordPress site Equifax sent consumers to, to find out whether they were impacted by the breach. It was totally broken: Visitors got different answers with every query. It also told visitors that Equifax’s credit monitoring service was not available, and to check back later in the month; many noticed you could enter any gibberish to get the same answers.

It also seemed for a while that those who signed up for credit monitoring waived some legal rights.

Then, the $700 million data breach settlement. This turned into $125 per person. Except Equifax only planned to pay 248,000 of the actual victims — and over four and a half million applied, bringing the payout down to $6.80 per victim.

Stock in golden parachutes is way up


From any angle, we consumers — none of whom consented to being in Equifax’s databases — got the worst of it. Equifax was pwned in a completely stupid and avoidable way and are now the biggest plop in the swirling toilet bowl of our modern privacy apocalypse.

Even though officials were mad at Equifax for a minute and consumers want to burn them to the ground and salt the earth, they’re doing just fine. NY Post reported that the company’s big corporate clients are giving the despicable data dealers a pass. “The embattled credit bureau said Friday it hasn’t lost any significant business.”

The outlet reminded us, “Equifax largely does business with banks and other financial institutions — not with the people they collect information on.” According to GovTech, “A year after the worst data breach in U.S. history to date, Atlanta-based Equifax has been chastened, but its business model is unchanged and the company churns on, virtually undamaged by legislative, regulatory or prosecutorial penalties.”

Equifax got a “get out of jail free” card: The Consumer Financial Protection Bureau decided not to do a damn thing about it. Former Director of the CFPB Richard Cordray had authorized an investigation, Reuters wrote, “But Cordray resigned in November and was replaced by [Mick] Mulvaney, President Donald Trump’s budget chief.”

Mulvaney, head of the CFPB, pulled the agency back from doing a full-scale probe and indefinitely suspended plans for on-the-ground tests on how Equifax protects its data. “The CFPB also recently rebuffed regulators at the Federal Reserve, Federal Deposit Insurance Corp and Office of the Comptroller of the Currency when they offered to help with on-site exams of credit bureaus,” reported Reuters.

So, I’m sorry Scooby gang. It doesn’t matter who hacked the “credit risk assessment” company no one can opt out of. Old Man Equifax is going to get away with it.

Imagine a company with the dated incompetence of Yahoo security circa 2013-14. The arrogance and greed, growth-at-all-costs-to-society hubris of Uber circa 2009-2017. The “hot or not” contempt for human beings and rapey privacy machinations as Facebook circa 2004-present.

Equifax, for being the world’s oldest, old-timey, redlining-era, data-plantation owner (circa 1899) that couldn’t even set up a WordPress site in 2017 sure knows how to keep up with the techbro Jonses. Loads of money and zero consequences has a way of keeping you nimble like that.

It’s quite insane, really.

Images: Jaap Arriens/NurPhoto via Getty Images (Equifax / Matrix); AP Photo/Jacquelyn Martin (AG Barr); cthoman via Getty Images (Golden )

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.