According to several international media sources, Equifax has leaked sensitive data on roughly 40% of the US population. The leak reportedly covers names, Social Security numbers, birth dates, physical addresses and, for some, driver's license numbers for about 143 million US consumers, plus more than 200,000 credit card numbers and plenty of other highly sensitive data points.
If this is accurate, it is the largest leak of sensitive and personal information in human history, and the aftermath would be the equivalent of an earthquake beyond 10.0 on the Richter scale! Potentially 143 million people in the US need new driver's licenses and new Social Security numbers, and 200,000 bank accounts need to be closed and new credit cards issued. On a "Richter scale of security breaches", this is the equivalent of a meteor ripping the Earth in two and destroying all life on it.
There has been speculation that the leak occurred through SQL injection and/or cross-site scripting, implying it was done deliberately by an adversary consciously going after this information. If that is true, I must congratulate Equifax on having built possibly the most ridiculous and least secure IT system on the planet. It would be the equivalent of throwing all the gold bullion from Fort Knox out of an airplane above New York City and hoping nobody would steal any of it …
The reason I am writing about this is that, if the analysis of how the attack was performed is accurate, I would like to encourage anyone wanting to perform a similar type of attack on Phosphorus Five to go for it. Simply put, both Sephia Five and Sulphur Five guard against these types of attacks out of the box, by default, in addition to literally a million other types of attacks, of course.
Now of course, there are no guarantees in security, but I am willing to bet a kidney that neither Sephia Five nor Sulphur Five allows either SQL injection or cross-site scripting!
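For readers who have not seen the two attack classes named above in action, here is an added example (written for this page in Python with SQLite; it is not code from Phosphorus Five, Sephia Five or Sulphur Five, and the `SAMPLE_USERS` table and the two payload strings are constructed for illustration). It shows a lookup built by string concatenation, which lets a crafted username return every row or enumerate the schema, next to the parameterized query a framework must use by default; and a page fragment that reflects input raw, next to the contextually encoded version that stops the script from executing.

```python
"""Added example: SQL injection and cross-site scripting, vulnerable vs. safe.

Not code from Phosphorus Five / Sephia Five / Sulphur Five. All data below is
constructed for illustration and stored in an in-memory SQLite database.
"""
import html
import sqlite3

# Constructed sample records; none of these are real people.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "123-45-6789"),
    ("bob", "bob@example.com", "987-65-4321"),
]

# Constructed attacker inputs.
SQLI_ALL_ROWS = "' OR '1'='1"                                  # tautology: matches every row
SQLI_SCHEMA = "' UNION SELECT name, sql, '' FROM sqlite_master --"  # enumerates the schema
XSS_PAYLOAD = "<script>alert(1)</script>"


def make_db():
    """Create the in-memory table the lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """SQL built by concatenation: the attacker's input becomes part of the query."""
    query = ("SELECT username, email, ssn FROM users WHERE username = '"
             + username + "'")
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the value is bound separately and is never parsed as SQL."""
    return conn.execute(
        "SELECT username, email, ssn FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_vulnerable(name):
    """Reflects user input into HTML unescaped, so markup in the input is live."""
    return "<p>Hello, " + name + "</p>"


def render_safe(name):
    """Escapes the five HTML metacharacters, so the input renders as text only."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo():
    """Run both attack payloads against both variants and return the outcomes."""
    conn = make_db()
    return {
        # Tautology payload: the concatenated query returns every user.
        "vulnerable_rows": len(lookup_vulnerable(conn, SQLI_ALL_ROWS)),
        # UNION payload: the concatenated query leaks the CREATE TABLE statement.
        "schema_leak": lookup_vulnerable(conn, SQLI_SCHEMA),
        # The same payload against the parameterized lookup finds no such user.
        "safe_rows": len(lookup_safe(conn, SQLI_ALL_ROWS)),
        # A legitimate lookup still works through the safe path.
        "safe_alice": lookup_safe(conn, "alice"),
        "vulnerable_html": render_vulnerable(XSS_PAYLOAD),
        "safe_html": render_safe(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two lessons are the defaults themselves: a data layer whose only query API binds parameters cannot be talked into the concatenated form, and a view layer that encodes on output by default needs no per-field discipline from the application developer. Whether a given framework actually ships those defaults is something to verify against its source, not its marketing.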
However, there is an even more important point here, which is that I bet Equifax were using proprietary, closed-source systems to manage this data. If they had instead chosen a good Open Source alternative, they would probably still be in business a week from now. As of now, I guess we all know where they're heading. Hint: I think it's time to fire-sale your Equifax shares … 😉