Saturday, October 21, 2017

Equiflop 101

You guessed it, someone is dropping the ball again.

Canadian "customers" of Equifax are receiving a letter today informing them that without any doubt, their sensitive data has been exposed.



What remains stunning is the lack of comments from our privacy commissioner and each and every bank that is sending our sensitive data to inadequately vetted third parties, who appear to be sending our personal data into another country.

Regardless of the claims that, if perhaps the moon is lined up, only people with US banking would have had their data exposed, why would these people's PASSWORDS and SECRET QUESTIONS be stored on a US system???

This indicates a seriously flawed architecture that not only violates common sense but also violates data residency laws.

Equifax continues to offer a complimentary 12 month subscription to their identity theft solution, which in my view is a criminal act, since they should either be closed down or be giving it away for free to everyone until we are all dead, because the information exposed CANNOT BE UNEXPOSED.  My social insurance number, birthdate and mother's maiden name will never be changed.

The fact that the passwords have been exposed, including the responses to secret questions, which are even more sensitive than the passwords themselves, also shows a serious lack of security in the overall design of their infrastructure.

SO TWO THINGS:

1) Once again, we are not their customers; the banks are their customers, as they send all our sensitive data to Equifax.  We haven't heard a single word from the banks as to how they are going to ensure they no longer send our sensitive data to unqualified ass clowns who run a business using our data.  It is clear that the business model is not to offer a secure service; it is obviously a primary goal to offer a service and make money.  Our regulatory layer is sleeping through this, and each and every Canadian bank is to blame, since they haven't come forward to tell you and me how they are taking concrete actions to safeguard our well-being.

2) Equifax is sending off these nice letters telling us that WE are their priority.  This is complete nonsense.  We are way past having sunshine blown up our asses.  WE ALL KNOW that their priority is saving their asses and their investors' asses.  Stop with the bullshit already.  That letter is a disgrace, offering 12 months of free service for something that will have lifelong effects on people.  The reason we are seeing these types of responses is 100% because we are NOT their priority.  Their lawyers are reviewing these letters 20 times to minimise their exposure to lawsuits.

Here is how that letter should have read to score any positive points:

Dear Canadian Citizen, we, the board of directors of Equifax, have taken charge following the significant security issues that have surfaced in the last months.  We have locked down the enterprise, fired all executives and are in the process of restarting the enterprise following concrete steps to ensure that the information entrusted to us by our partners is handled appropriately.

We have hired 5 security experts from 5 different enterprises who are overseeing our entire business process including our technological architecture for everything we do.

Every system accessible from the Internet has been shut down.  Only business-2-business communications remain along with our email and phone system.   All our offices no longer have access to the Internet.

Everything is being reviewed, and during this transition period, a toll free 1-800 number has been put in place to replace Internet type services with an actual highly trained customer service representative.

We have previously communicated that we would give out 12 months of free identity theft protection services and this was a mistake.  This service will be provided free of charge forever, for any citizen exposed during this breach.  Our core business is servicing the banks and it would be unethical to charge the citizens for a service that they now require because of our shortcomings.

......

I think you get the idea........

Equifax is so far from this that reading their letter is just plain upsetting.

Why haven't the banks and our privacy commissioner taken obvious and concrete steps to protect us?

Why is our sensitive data still being sent to Equifax and their competitors without a REAL vetting process?

By real I mean NOT simply asking them if someone has audited them and if they have some certification.  The real security experts know that this is close to meaningless in publicly traded companies, since management is always in "protect their ass" mode, which results in people exaggerating (read here: lying) about how well they do things.

Equifax had several industry certifications (ISO, SOC 2 TYPE II, PCI, etc.), yet they are a disaster at all levels.


I'm talking about each bank sending their security experts over for an onsite audit and review of the entire Equifax architecture (and once again their competitors).

So why haven't they done it......  Simple.....  They too do not want the answer.  They rely on the data they get from Equifax to run their business and generate their revenue.  So once again, we seem to think that we are the banks' "customers".... we are their product.

Our government needs to step up, stop protecting the big players, start making laws with some bite and start handing out fines and jail time to the senior executives who oversee these enterprises.  Letting incompetence rule is leading us down the wrong path.

Take the HIPAA law/regulation that helps protect healthcare data in the US.  This regulation was written by people who actually wanted things to change and had clearly been lied to in the past.

Three clear levels of penalties are presented.  

Level 1:  You couldn't have known about an issue, yet had a breach: pay a fine.
Level 2:  You should have known if you had an acceptable level of competence: pay a bigger fine.
Level 3:  It's clear you knew, you lying sack of shit, and didn't take charge: pay an even larger fine, and heck, go to jail too.



CALL TO ARMS

So what should we do, since our elected officials and our banking providers are not doing what they should?

Perhaps we all need to write a letter to Equifax and TransUnion and request that all our data be deleted from their systems.

I wonder how well that would go.

But let's use one of our existing laws instead.  In Quebec, our privacy law does have some strict components, just no penalties.

Any enterprise that holds our data must be able to tell us EXACTLY who has had access to our data (who has consulted it, in any form) and who has modified it.

I wonder if Equifax and TransUnion can actually tell me EVERYONE who has had access to my data.  This goes beyond the application layer.  Who has accessed the operating system, who has accessed the database backend, etc.

Should we all send off a letter to Equifax and TransUnion asking a long series of very well-thought-out questions and see what comes of it.....

Maybe the answer is yes.....

And should we also send off a letter to our elected officials asking them to take action...

I think the answer is yes in both cases.

Should I write the first draft?

Turns out I'm not the only one who seems to think that one gigawatt of electricity should flow through Equifax:


Equifax Deserves the Corporate Death Penalty

Something has to change, since big business has very little motivation to protect the citizens FIRST.

_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

www.eva-technologies.com
