There are lots of juicy details about the Equifax hack in a story published today by Bloomberg. It makes the strongest case yet that the massive heist of American SSNs was probably pulled off by a nation-state. That’s likely true about the huge theft of federal employee data back in 2015, also, so it’s not a surprise.
One thing has been gnawing at me from the beginning about Equifax, however, and it should be gnawing at you, too: Why would anyone, anywhere, have access to 143 million Social Security numbers?
What business use would there ever be at a place like Equifax to access a database like that, or to access various data files and put them together?
The answer is: There isn’t one.
Equifax was never going to put money into each of our Social Security “accounts.” It should never have even contemplated something like a mass mailing to every American that required our SSNs. CEO Richard Smith was never going home at night and reading a “book” of American personal identification just to understand his business from a holistic point of view.
Nope. I can’t think of a reason. Well, except laziness and arrogance.
Bloomberg’s story provides food for thought on this count. It cites a LinkedIn post by Steve VanWieren, an executive who left Equifax in January 2012.
“It bothered me how much access just about any employee had to the personally identifiable attributes. I would see printed credit files sitting near shredders, and I would hear people speaking about specific cases, speaking aloud consumers’ personally identifiable information,” the post reads. VanWieren was describing incidents at least five years old, as he left the firm in 2012. Still, they clearly paint the same picture I am painting.
Too many privileges!
One basic premise of modern security is limiting employees to only those resources they need to do their jobs. And when those jobs are over, the access must be cut off. For example, desktop support doesn’t need access to human resource files, unless there’s a specific problem — and when there is, access to salary data, etc., should be as limited and temporary as possible. Access permitted on a need-to-know basis, and no more.
Managing privileges is annoying, but it works. Morey Haber, vice president of technology at security firm BeyondTrust, recently told me that fully 94 percent of vulnerabilities require administrative rights on targeted machines. So, no admin rights, no problem.
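To make the need-to-know, time-limited principle concrete, here is a small access broker written as an added example for this post (it is not code from Equifax, BeyondTrust, or the author). Every grant is scoped to named columns, expires on its own, and carries a hard per-query row cap, so no single account can pull an entire table; SSNs are masked unless the grant explicitly exposes them, and every decision is logged. The principal names, the sample credit-file rows, and the row caps are constructed for the demo.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample rows (not real people, not real SSNs) to run the broker against.
CREDIT_FILES = [
    {"id": 1, "ssn": "123-45-6789", "name": "A. Example", "score": 710},
    {"id": 2, "ssn": "987-65-4321", "name": "B. Example", "score": 650},
    {"id": 3, "ssn": "555-12-3456", "name": "C. Example", "score": 800},
]


def mask_ssn(ssn: str) -> str:
    """Obfuscate an SSN, keeping only the last four digits."""
    return "***-**-" + ssn[-4:]


@dataclass
class Grant:
    principal: str
    resource: str
    columns: frozenset   # columns this grant exposes in the clear
    expires: datetime    # every grant is time-boxed; nothing is permanent
    max_rows: int        # hard cap per query: no bulk pulls of the table


@dataclass
class AccessBroker:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # (time, principal, resource, outcome)

    def grant(self, principal, resource, columns, ttl, max_rows, now):
        """Issue a need-to-know grant that lapses after `ttl` (hypothetical API)."""
        self.grants.append(Grant(principal, resource, frozenset(columns),
                                 now + ttl, max_rows))

    def revoke_all(self, principal):
        """Offboarding: cut every grant the principal holds, immediately."""
        self.grants = [g for g in self.grants if g.principal != principal]

    def _active_grant(self, principal, resource, now):
        for g in self.grants:
            if g.principal == principal and g.resource == resource and now < g.expires:
                return g
        return None

    def query(self, principal, resource, rows, requested_cols, limit, now):
        """Return (status, rows). Denied requests yield no data and are logged."""
        g = self._active_grant(principal, resource, now)
        if g is None:
            self.audit.append((now, principal, resource, "denied: no active grant"))
            return "denied", []
        if limit > g.max_rows:
            self.audit.append((now, principal, resource,
                               f"denied: {limit} rows exceeds cap {g.max_rows}"))
            return "denied", []
        out = []
        for row in rows[:limit]:
            projected = {}
            for col in requested_cols:
                if col == "ssn" and "ssn" not in g.columns:
                    projected[col] = mask_ssn(row[col])   # obfuscated by default
                elif col in g.columns:
                    projected[col] = row[col]
                # columns outside the grant are silently dropped
            out.append(projected)
        self.audit.append((now, principal, resource, f"allowed: {len(out)} rows"))
        return "allowed", out


def demo():
    """Walk through the cases the post describes and return the outcomes."""
    now = datetime(2017, 9, 7, tzinfo=timezone.utc)
    broker = AccessBroker()
    # A case analyst needs name and score for a handful of files for four hours.
    broker.grant("analyst", "credit_file", {"name", "score"}, timedelta(hours=4), 50, now)
    status, rows = broker.query("analyst", "credit_file", CREDIT_FILES,
                                ["ssn", "score"], 2, now)
    # The same account trying to export 143 million SSNs is refused outright.
    bulk, _ = broker.query("analyst", "credit_file", CREDIT_FILES,
                           ["ssn"], 143_000_000, now)
    # The grant lapses on its own once the window closes.
    late, _ = broker.query("analyst", "credit_file", CREDIT_FILES,
                           ["score"], 1, now + timedelta(hours=5))
    # An employee who leaves loses access the moment they are offboarded.
    broker.grant("leaver", "credit_file", {"score"}, timedelta(days=365), 10, now)
    broker.revoke_all("leaver")
    gone, _ = broker.query("leaver", "credit_file", CREDIT_FILES, ["score"], 1, now)
    return {"analyst_status": status, "analyst_rows": rows, "bulk_status": bulk,
            "late_status": late, "leaver_status": gone, "audit_entries": len(broker.audit)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The row cap is the part most shops forget: column scoping and expiry stop the wrong people seeing data, but only a per-query ceiling (plus the audit trail behind it) stops the right people from quietly walking off with the whole table.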
Back to Equifax. Who ever created an architecture that would allow anyone to peek at, let alone remove, 143 million SSNs? What account had the rights to do that? Why?
BeyondTrust recently tied up a bunch of security principles in a tidy narrative it called “Five Deadly Sins that Increase the Risks of a Data Breach.” It includes Envy, Pride, Ignorance, and Apathy. But I suspect the real blame for the Equifax hack is the first sin:
Greedy people, in the security sense, need access to as much data and resources as they can get. And when they get it, they don’t want to give it up. In the tech world, privileges are like the old workplace concept of “turf.” Heaven help someone trying to get a worker to give up tech turf.
I asked Haber about the role of greed in the Equifax case. He speculated that one could imagine a marketing use for pulling together that massive Equifax database, but even then, that data should be obfuscated immediately.
“Obviously, (someone) had to have full access to all that data,” he said. “There was no reason to.”
And now, a hacker — perhaps even a nation-state — has access to all that data. Forever.
VanWieren’s comments pretty much make the case here. Clearly, a wide selection of employees had access to far more than “need-to-know” data. It was standard operating procedure.
Your workplace is probably like this, too. Greed is common, but despite what you may have heard in the movies, it’s not good. Why is that? In part, Haber said, it’s because employees react very emotionally to having their network privileges restricted, and even worse to having them revoked.
“(It can be) like taking away someone’s guns,” he said. Tech workers are used to having admin rights and “Doing what I want to do.”
The time for accommodating such greed is over, he warned.
“We live in a different set of times now,” he said. “We have to rethink how to be safe.”