An anonymous security researcher has shown Motherboard evidence that they warned Equifax in December 2016, six months before its catastrophic breach, disclosing numerous elementary deficiencies in Equifax security that left all of its data vulnerable to being stolen.
The researcher was able to download Equifax's files on "hundreds of thousands" of Americans and showed them to Equifax. The researcher was able to gain access to a public-facing employee portal by exploiting an easy-to-discover bug that was the result of an oversight on Equifax's part. It wasn't the only showstopper bug in Equifax's defenses: the researcher also warned Equifax about five servers on which they were able to seize shell access. Other servers were vulnerable to common tactics like SQL code-injection attacks, and across the board, servers were indifferently and unevenly patched.
Equifax never acted on these warnings.
Motherboard's Lorenzo Franceschi-Bicchierai spoke to several Equifax sources who described a culture of IT negligence and neglect, in which security audits and warnings were routinely disregarded, and where IT staff were unable to believe that their employers were so cavalier with the sensitive data the company had amassed.
On Monday night, the Republican-controlled Senate voted to rescind a consumer protection rule that guaranteed Americans the right to sue negligent and fraudulent financial institutions. As a result, it will likely be impossible to initiate a class action suit against Equifax.
"It's a strange company. Given the amount of data they have access to and the sensitivity of it, security isn't at the forefront of everybody's mind, not how it should be," another former Equifax cybersecurity employee told me. "It was always a bit of a struggle there to get anything done."
The anonymous researcher who could've downloaded all Americans' data knows this very well.
"I couldn't believe it, it was shocking," they told me. "It was just disgusting to see them take this long to do anything about it."
Equifax Was Warned