In this Real News Network interview, white collar criminologist Bill Black discusses the state of play with respect to legal investigations, both federal and state, into the Equifax data-breach fiasco.
SHARMINI PERIES: It’s the Real News Network. I’m Sharmini Peries coming to you from Baltimore. The Equifax data breach that we reported on two weeks ago with Bill Black, where the company revealed that hackers might have stolen financial records of 143 million US citizens. This is just the US. It gets far worse if you look at it worldwide. In July, things got, of course, much worse and we didn’t really know very much about what was going on and what Equifax knew and now, meanwhile, several government agencies such as the Consumer Financial Protection Agency, the Federal Trade Commission and at least 34 state attorney generals offices have all opened investigations into the Equifax data breach.
The first state to launch a lawsuit against Equifax is Massachusetts and on Tuesday, the Massachusetts attorney general charged Equifax with not having upgraded the security for its website, though it knew about its vulnerability as early as March. Now joining us to discuss all of this is Bill Black. We have him back. Bill is a white collar criminologist, associate professor of economics and law at the University of Missouri,Kansas City, and the author of the book, The Best Way to Rob a Bank is to Own One”. So good to have you back here, Bill.
BILL BLACK: Thank you.
SHARMINI PERIES: So Bill, give us a rundown of what has happened when and how did all of this lead to the charges that’s been laid against Equifax from Massachusetts.
BILL BLACK: Well there have been a large number of developments. We may not be able to cover them all, but the big ones are revealed perhaps best in the Massachusetts attorney general complaint that was just filed yesterday, at least as we’re talking, that explains the nature of how the breach occurred, and so it turns out that the vulnerability was in an open source software used by Equifax, and this vulnerability was discovered in March of this year. When it was discovered, and it was discovered and reported to the volunteers that run this particular open source software called Apache Struts, they found both that it was very serious, that a significant number of breaches were occurring and they immediately notified the community of the vulnerability, and very quickly developed a patch for this.
So this is all by early to mid-March of this year. The warning went out. Equifax has admitted that it got the warning, knew about it, and did not apply the patch. Because they did not apply the patch and did not increase security in a way that would find people accessing through this known vulnerability, they still say that the hack began in May and persisted through basically the last days in July, and then they’re still saying that they then, they Equifax, then awaited another basically six weeks to warn us that this had occurred and this wasn’t for any tactical reason to protect us because they were doing something secret that was going to help us. No, it was so that they could in fact get their PR campaign and try to convert it into a profit center that we talked about in the last interview on this subject. The myriad ways in which they tried to make money off the victims.
SHARMINI PERIES: Right, and Bill, back then you called this scandal a 10 out of a 10 scandal. Now what do you call it?
BILL BLACK: Well that’s what I … I was actually quoting experts in the field and indeed there’s something called the common vulnerability scoring system that rates vulnerabilities and contemporaneously this was given the rating of 10.0. I’m reading from the Massachusetts complaint against Equifax: “The highest possible severity score on either scale.” The notice stated the attack based on the vulnerability, “allows unauthorized disclosure of information, would be low in complexity to accomplish,” in other words, almost anybody could use this to breach it, “and would not require the attacker to provide authentication, for example, a username and password to exploit the vulnerability,” and the notice documented over 20 other website resources so that you could fix the problem. Now another thing that has happened since last we talked-
SHARMINI PERIES: What is the reason? Why would Equifax not want to apply a patch and why would they not do it, because you would think they want to protect their data and their company?
BILL BLACK: Yeah. No, there’s no good business reason at all. Period, end of story, full stop. Since we last talked, two senior executives have had to walk the plank. One was the chief security officer and the other was the chief information officer, and these are the two obvious folks that, as we said, Equifax has admitted that it knew of the vulnerability. If you’re the chief information officer of Equifax or the security officer, you are online every day, multiple times a day, looking for these kinds of breaches, and if you see them, you instantly go to higher order defenses and you look desperately …
You’ve got, in this case, Apache Struts on the line saying, “Are you working on a patch? When will it be available? Do we have to do anything to be able to implement it immediately once it comes out?” Etc, etc, etc, that’s what you would do. Now it turns out the chief security officer, her degree is in music. These folks … I can’t even think of some incredibly nefarious reason executives would do this deliberately. This one does appear to be incompetence, but you would have to go on a scale not of one to ten but one to several billion and these folks would top out that scale, just the utter indifference to us.
One of the things the Massachusetts complaint stresses, which we talked about briefly last time, is there was nothing we could do to protect ourselves from what Equifax was doing. We’re not customers. We didn’t authorize them to have this confidential information about us. This is an outrageous system in which other people can take our private information that is vital to keeping all kinds of things secure, and we’re just talking about money here. There are other scams that actually physically harm people when they get this kind of information and Equifax thinks that we don’t really need to change the system at all. It loves the system.
Now Massachusetts could do this, but it is only Congress that can fundamentally change this insane system and where even today … So you look at the Massachusetts attorney general site, and it says, “What should you do now that you’ve been a victim?” It says, “Well, you could put a freeze,” but then it explains if you do this you also can’t get new loans and such in a number of instances, so that’s a terrible remedy, just an absolutely terribly remedy. They say that you should, they again being the Massachusetts attorney general, and I’m not making fun of them. Their advice is actually good, but it shows how insane the system is. They say, “You should rush to file your taxes before the frauds do, because if the frauds do, they may get your refund before you can,” and such. What kind of world is it where that has to be our remedy that we have to get in a race with the frauds on filing our tax returns?
SHARMINI PERIES: Right. Bill, there are some very basic questions coming through. Obviously people are so upset about what’s going on out there and some of this seems so abstract to people. So, let’s get to some basics here. How does Equifax gather the information they have on us?
BILL BLACK: In a bunch of different ways. Equifax is not a single business, so the thing that we know it best for, of course, is the credit scores, and of course, we are not the customers. The credit scores, the customers of Equifax and its two sister organizations are lenders in those circumstances and it’s not used just in lending, it’s also used by insurance companies wherever state statutes don’t prohibit it. So, that’s the big line of work, and that’s the one where they get the most information, they get the information from the entities loaning money to us, not from us. They get it from merchants and they get it from banks and such.
As I said, this is much scarier in broad things. We’re going to see scandal after scandal because they have information, for example, and they will sell this information to any bank in the world at a pretty low price as to whether at 2 am you’re buying porn, and you can see what fun politicians will have leaking that information against their opponents and such. You may get charged, by the way, a higher interest rate if you read porn and such and you buy it with a credit card information, so that’s another world they’re in.
They’re in a world of verification as well. When, for example, you forget your password and such. So many people, many businesses hire Equifax to provide that kind of service, and when they do that, they get another whole source of information. There sometimes we might actually be a customer, but usually we’re not. Then they have all kinds of other enterprises where they do basically data mining. This is the stuff that’s really valuable to them is they try to figure out what makes you tick as a consumer, and that information. By the way, that is one of the things that made Walmart very rich. They were among the very first large enterprise to exploit the data mining capacity because they were simply so big and their, the scanning system, they figured out, could be turned and made into a massive data mining system.
SHARMINI PERIES: Bill, does Equifax have a relationship with collection agencies?
BILL BLACK: Well, certainly they get information from the collection agencies. They’ll have information on people’s residences and such, and if the collection agencies have difficulty finding you they can also get information on, of course, where basically you’re operating from because they see your credit card trail.
SHARMINI PERIES: All right, and one question from Adam Mustafa from Facebook. “How do you check if you are affected?”
BILL BLACK: That is one of the additional scandals in all of this. Again, what kind of crazy system where they are completely, they, Equifax, are completely at fault. You are not at fault in any possible way, and then the onus is put entirely on you to find out that you’re a victim. They won’t even tell you that they’ve screwed you up. That’s nuts. That should be an absolute statutory requirement and the requirement that they should notify you should be very quick, not six weeks after they discover a breach. So Equifax has supposedly established this system that you can email into them, but what you get back is “Maybe.” It’s outrageous. It’s outrageous on dimension after dimension after dimension. It’s the gift that keeps on giving. Equifax finds constant new ways to make people outraged because they act outrageously.
SHARMINI PERIES: All right, and we have a question here from Beverly Dycor from Facebook asks, “How do we protect our social security numbers?”
BILL BLACK: You can’t. That’s the point.
SHARMINI PERIES: All right, and another one from Tim Powers from Facebook. He asks, “Who did the hack?”
BILL BLACK: We don’t know.
SHARMINI PERIES: All right. Chris Anderson from Facebook also, “Was this breach by a nation, state, actor or a criminal syndicate?” I guess the answer to that is also we don’t know?
BILL BLACK: We don’t know, but let me say something more general: These are the good old days because what the thieves that break in haven’t yet created the networks to do is a way that they can instantly auction this information for large amounts of money because they are in parallel. The people that buy the information are prepared to make hundreds of thousands of purchases using our information, and that’s technically doable now. Once they complete that nexus, then the amount of money they get for committing these breaches will go from the tens of thousands of dollars to the hundreds of millions of dollars and many of these huge breaches are not in fact followed by identity theft of really large numbers of people but that’s, again, they will fix that. They will develop the technology, well, again, apply the technology, technology already exists, so that they can do this and when the financial incentive, when you can get tens to hundreds of millions of dollars by committing these breaches, of course it’s going to become, it will draw thousands of very skilled people into trying to do exactly that.
SHARMINI PERIES: Right, and Bill, give us a sense of how we could possibly detect on our credit card bills or our bank accounts or whatever if there is suspicious activity. So are we to now check these documents to make sure that there isn’t a suspicious activities?
BILL BLACK: Yeah, now that’s the one where I would differ from the Massachusetts attorney general recommendation list. It isn’t that the things on it are wrong, it’s that they don’t put both of the things you’ve said, which are actually the single most important things you should do and you should do anyway, and you should have done it long before these breaches anyway. How do you figure out? Well, most people can remember in the last 30 days did they in fact buy $2,000 worth of photographic equipment and such. So it’s usually not hard if you do have the discipline. Just look through each of the entries on your credit cards and then look at your bank statements for withdrawals in particular of course that don’t make sense or checks where, “Wait a minute? I wasn’t dealing with that person.” Those are good protections that you should do anyway.
SHARMINI PERIES: Bill, last question from Evanne Katrina, who asks, “If people are trying to confirm whether their data is vulnerable and if they’re checking, are they unknowingly consenting to not pursue a civil action against the company?”
BILL BLACK: Not now, but originally Equifax set up its system in a way that might have led, well, was designed, you could say it more strongly, was designed to lead to wide scale unintended renouncement of your constitutional rights to sue them. And again, that was of course utterly outrageous that, and just again, they’re completely in the wrong. We are completely not in the wrong, and the idea that they would then seek to exploit us rather than help us for something where they did everything wrong is a true demonstration that we’re missing it. I have not seen a single news report about the chief security officer and the chief information officer resigning that says, “Wait a minute. Why isn’t the CEO resigning? Who picked the chief security officer? Who picked the chief information officer? Who developed this outrageous strategy? Who created a culture where they wouldn’t fix known vulnerabilities with patches that essentially cost them essentially nothing to do?”
Somebody created this organization, and it’s the CEO and it’s the board. And there should be, the CEO should have been gone months ago, as soon as this was known. He created one of the worst corporate cultures in the history and the board needs to be cleaned up as well because they’re obviously not functioning at all. So again, this is the cynical stuff of the CEO, I mean the sacrificial victims, clearly they’ve screwed up. I’m not saying that they shouldn’t go, but it’s an attempt to distract attention from the deficiencies of the CEO.
SHARMINI PERIES: All right, Bill. There are so many more questions than we can’t answer today, and I’m wondering if you would come back and we would do this again, which is people can get their questions lined up, have them ready to send in and we would have another Q&A session with you?
BILL BLACK: Yeah. We can even tell them in advance.
SHARMINI PERIES: This time we could do that.
BILL BLACK: A particular date and such, and they could be prepared for all that. That’d be great.
SHARMINI PERIES: All right. Let’s do that. I thank you so much for joining us today, Bill.
BILL BLACK: Thank you.
SHARMINI PERIES: And thank you for joining us here on The Real News Network.