June 20, 2025 • 35 mins
Although not in the top ten data breaches by people affected, the 2017 Equifax Data Breach showed us just how bad data leaking online can be when it comes because a huge corporation pays absolutely zero attention to cybersecurity. Join us this week as we discuss just how royally Equifax messed up, and also a little about the history of credit reporting in general.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:02):
Wall Street veteran Bernard Madoff has been arrested and
charged with running a $50 billion Ponzi scheme.
Congress wants to know what caused the Enron meltdown, and
while the collective rage currently is focused on low
comp, Tyco CEO Dennis Koslowski was convicted of looting
hundreds of millions of dollars.This is one of the biggest fraud
cases ever. Their president's a crook.
(00:25):
Well, I'm not a crook. Find out more on this week's
episode of White Collars, Red Hands.
When we talked about Facebook and Cambridge Analytica, we
mentioned that your data is one of the most expensive things
that you own, and it is the coalthat drives the fires of free to
use online sites. It's so valuable that people are
(00:48):
willing to steal it if they can.Of course, where the data is
stolen from makes a lot of difference.
If you hacked into, I don't know, Instagram and stole my,
like history, sure, I'd be embarrassed, but you'd be hard
pressed to ruin my life with it.If you hacked instead into a
(01:09):
company that held, I don't know,personal identifying
information, or PII for short, including my Social Security and
credit card numbers, then I'd bein for a larger world of pain.
It would be even worse if I personally did not do business
with the company that held all of this information and the
breach was caused directly by their incredible ineptitude.
(01:31):
So today we have an example of just that.
As we discussed the Equifax databreach scandal of 2017.
We'll find out what was stolen, how Equifax really dropped the
ball since they knew about the issue for years beforehand and
never fixed it, and find out thetrail of digital bread crumbs
from the crime and how it led toan enemy of the state on this
(01:53):
week's episode of White Collar'sRed Hands.
I remember when this happened. Well, it was only 8 years ago
Nina, so. Yeah, but I remember I was, I
was living in Japan and I had tofreeze my Equifax.
Which you can now do for free because of this scandal today.
So while not the biggest scandalthat's ever happened, not even
(02:15):
in the top 10 actually, it is definitely or at least the top
10 for data breaches by volume of people who were affected by
the data breach. This one is special because of
the information that was that was included, but it is also
special because it was really, they were so stupid about it.
(02:36):
So I, I think it, it highlights that they weren't just hacked,
they were hacked, but it's because they were, they were
dumb. But welcome back to another
episode of White College, Red Hands, everyone.
I'm Kashawn. And I'm Naina and today.
Like I said, we're talking aboutthe Equifax data breach scandal
of 2017. As many of you know, Equifax is
one of the big three credit reporting agencies or Cras here
(02:59):
in America along with Experian and Trained Union.
I'm an Equifax sun, an Experian rising, and a TransUnion moon.
And they all just mean you're aninsufferable asshole, which is
crazy. It's so spot on.
Oh my God, how did you know? Collectively, these three
companies hold credit reports onalmost every American citizen,
(03:20):
and that controls whether we canget extended lines of credit to
buy things that are becoming increasingly overpriced, like
houses, cars, or a dozen large size eggs.
Everything's too expensive. For those of you who don't know
the history of Cras or credit unions, it turns out that these
credit unions got their start bybeing little gossips back in the
(03:41):
1700s, when the first known organization for sharing credit
information was founded in London and dubbed the Society of
Guardians for the Protection of Trade Against Swindlers and
Sharpers. Of course it was that long.
People in London, man. And this is like wig high hats,
you know, this is, this is a bunch of merchant men in tights
and tricorn hats who would get together and just like talk shit
(04:04):
about who hadn't repaid loans that they took out, you know,
but also other stuff like whose wife was cheating on him, you
know, who, who is maybe a a bit of a, a bit of a fancy, you
know. So yes, they they would kind of
spread rumors about people for sure.
For a long while, these groups of merchants would pop up
(04:26):
everywhere and keep tabs on who was good for paying back loans
locally and just keep information on people who were
interested in taking lines of credit.
And but they didn't share information amongst each other.
They were local. They talked about who was there
and they didn't talk between towns.
There really wasn't a need to. People didn't move around.
Right. And also people really probably,
I'm assuming, weren't going to another town to get a loan.
(04:49):
Not usually, no. In 1899, two brothers from
Maryland had the dream of changing this.
Thanks guys. So Guy and Katter Wolford
started the Retail Credit Company in Atlanta, GA.
There they went door to door to the creditors in the area and
gathered information on people to publish a book titled The
(05:10):
Merchant's Guide that they wouldsell to companies so they could
flip through and they would knowIt was information on on
companies mostly about if they were good on paying back their
loans. They also started offering
individual credit reports for people for the first time to
companies that asked for it. So that was kind of
revolutionary. And this business model,
obviously they're around, it's abig Business Today.
(05:31):
It took off and by the 20s they had offices throughout America
and Canada. They also have held files on
millions of people at that time already and had even started
offering various forms of insurance and most of the
companies they reported their credit reports to were actually
to other insurance providers. They were providing reports on
people to insurance companies totell them if they should cover
(05:54):
them with their insurance. They eventually took the company
public in 1965, but at this point they were already coming
under fire for what was contained in those credit
reports. They would literally like when
they were generating these reports on people, they would
comb through newspapers and if there were clippings of you like
(06:15):
getting arrested for drunk driving or fighting with your
spouse or something evil like clapping when the plane landed,
the. Worst of all?
You know they would include those clippings like they cut it
out and put it in your file. This is when files were paper.
Yeah, yeah, yeah, yeah, yeah. It's the 20s.
They would even go around to your neighbors and collect
(06:38):
personal statements on the quality of your character.
In the credit report. Yeah, because it was mostly for
insurance. So they were like, like they it
was like a, it was a professional keep tabs on people
industry. This is crazy.
They were trying to generate as much information about everyone
as possible. They would disguise themselves
as like, I guess if the welcome wagon was like an actual thing
(07:01):
that just like a saying of thesepeople that would go around to
new people in town and like talkto them, welcome to the
neighborhood. They would pose as them or fund
them and infiltrate them and then learn about new people that
moved to the area to include them in the local credit
reports. So that's obviously, you know,
(07:25):
if you're, if you're getting allthis information about people.
Sometimes those files contained actual facts based in numbers,
but they also were known to contain multiple inaccuracies.
Yeah. I would assume.
And just rumors about people's, you know, sex life, marital
life, sexuality, race and political activities, all things
(07:49):
that would allow companies to unfairly discriminate against
you based on things you can't control, not just your payment
history, which led to unfair treatment of queer people and
people of color. You know, you could put a name
on an application, but now they would ask for a file and be
like, this person is, is gay and, or black or whatever.
And then insurance companies could then be like.
(08:11):
Be like, well, no, I'm not goingto cover.
Yeah, don't cover them. This was exposed publicly in the
1970s after the digitization of the RC CS records made it easier
to access credit reports and prompted the government to step
in. After Congress questioned credit
reporting agencies focusing heavily on RCC, they finally
(08:31):
passed the the Fair Credit Reporting Act in 1971.
That made it so the following things Consumers must be
notified if negative action is taken against them because of
the information in their credit files.
Consumers must be able to find out what is in their credit
files. They weren't able to know.
No, Oh my God, no. You didn't even have.
(08:52):
You weren't so like now. Now you have just Credit Karma
on your phone. Yeah, now, you know, they like
they need to provide you with like a weekly free access to
your credit report. So no, before they couldn't do
that before the Fair Credit Reporting Act in 1970.
One that's insane. Consumers must be able to
(09:12):
dispute inaccurate information and have it corrected or
deleted, something they couldn'tdo beforehand.
Outdated information, which is generally more than 7 to 10
years old for negative information, cannot be reported.
It's got to be taken out of the report.
Consumers must provide consent for employers to check their
credit reports. Consumers must have the option
to request to be excluded from lists for unsolicited credit and
(09:36):
insurance offers and insurance offers.
Consumers who appear on a list of prospects requested by a
lender must be extended a firm offer of credit.
And this was amongst a few otherthings, but those were some of
the highlights. This obviously though, came with
a lot of bad publicity for the RCC.
(09:57):
They they were so bad that they decided to change their name.
And in 1975, they became Equifaxas we know them today.
So either people actually didn'tcare that much about the
congressional hearings or the rebrand worked because Equifax
just kept getting bigger, as we know, expanding further to the
UK and acquiring new departmentsfor identity verification,
(10:19):
employment records, market research, just kind of
continually growing until 2017. Now they had the records of over
800 million people, including that personal identifying
information such as Social Security numbers, addresses,
credit card numbers, employment status and much more, a good
chunk of which was now going to be at risk.
(10:42):
So although the data breach occurred in 2017, the real story
begins two years before that. Equifax would perform internal
audits of systems to make sure that everything was a OK.
In 2015, they ran an internal audit of their cybersecurity
system, likely in response to the largest data breach of all
time. Remember I said this wasn't even
(11:02):
the top ten? Well, the largest data breach of
all time happened in 2013 when 3billion people had their emails
and passwords leaked when Yahoo was packed was.
Hacked. Oh my God.
That's the largest of all time. That's bad.
And by the way, Yahoo was also hacked one year later in 2014,
and another 500 million people had their data access.
(11:26):
Oh. My God, how many accounts did
they have total? I don't know.
Well, I think at this time in 2013.
Well, they were like the leader at that point.
They were the industry leader, so.
Oh, that's why they fell, right?Probably.
I I I'm assuming it's at least part of it.
Probably, but I don't remember I.
Mean I don't remember that, but that I was AI wouldn't.
(11:47):
I still have a Yahoo mail account and they suck.
It's where I send all the, it's my like, black hole that I send
everything to go to, to die. Yeah.
It's the, it's the shadow realm,you know?
So it's where I send you yeast. Grandpa.
There is a government agency, USCERT or US CERTS is what I'm
going to call it, that is responsible for gathering
information about potential cyberattack weaknesses and
(12:11):
letting people know about them. They disseminate the information
they use another very acronym heavy way of scoring these
vulnerabilities based on how badthey are called the common
vulnerability scoring system or CVSS, which assigns a number one
to 10, one being baby's first backdoor code vulnerability and
(12:31):
10 being a backdoor vulnerability the size of Sasha
Grey's. Equifax used these ratings to
place needed software patches into categories of critical,
high, medium and low priority. You could have just used the
number system. Don't know if you know that
Equifax totally fine, whatever. During that 2015 internal audit,
they found that Equifax had over1000 critical high and medium
(12:53):
level vulnerabilities that had not been patched and that
greater than 65% of those were more than 90 days.
Old. At the time that they did the
internal audit, which that's pretty bad because the current
policy for Equifax was that critical vulnerabilities should
be patched within 48 hours, highvulnerabilities should be
patched within 30 days, and medium vulnerabilities should be
(13:15):
patched within 90. They have 1000 of all of those
that are past 90. On top of that, patches were not
done automatically. They asked their IT teams to be
signed up for like push notifications from software
companies so that they would be notified about vulnerabilities
(13:35):
and software that they used. They were like, hey, make sure
if you're using a software to sign up for push notifications
for it, like, OK. The security team would also,
they would run scans on their system and then notify personnel
if vulnerabilities were found. But they would only patch the
systems if the scans showed the vulnerabilities, and they didn't
(13:55):
really have anything to verify that their scans were correct or
doing a good job at all. And this model of trusting the
scans and not proactively implementing patches was known
as the Honor system at Equifax. It is good to point out that
this is not recommended. Most places.
When they learn of a vulnerability, they just make
(14:16):
sure that every instance of thatsoftware that they have that has
the vulnerability is up to date.That makes sense.
They don't scan and be like wellI didn't find anything.
Oh well. You know, they, they proactively
go out and look, of course that leads to the next issue that
Equifax did not keep a detail ITasset inventory of either
hardware or software that they had.
(14:37):
So they were kind of like blind as to what software was running
on the machines on their network.
They didn't know what was downloaded and where and they
didn't even have a good idea of like where their actual physical
assets like the servers and and computers that they had out
necessarily were, which is crazyto think of that such a large
company is so bad at doing this stuff.
(14:58):
So if there was a vulnerability like I don't know, let's say a
Candy Crush, they couldn't accurately tell which of their
company issued phones had Candy Crush downloaded on it to go
implement the patch. So that's why they had to run
the scans because they didn't even know what was on their
stuff. And then on top of that they
couldn't verify that the scans were working properly and
reaching every device because they didn't know all the devices
(15:20):
they were trying to look for. Also because of this, when they
were patching vulnerabilities they didn't have a good idea
about which devices were affected were more critical.
So they might spend time prioritizing fixing the
vulnerability on some like random ass person's laptop when
it was actually present on a server that held a bunch of
people's. Information so they could have
(15:41):
just fixed it on the server instead of the laptop, but they
should have. Done it there first, yeah.
OK, but because it was just on the because if here's my
question, if they had fixed it on the server, would that cover
the issue on the laptop or wouldthey still have to fix the
laptop? No, if if there's any instance
of the software downloaded anywhere that has the bug in the
code, you have to. Explain wherever that software
(16:03):
is downloaded. Yeah, it's just that external
people are more likely to get into the server because the
server connects to the network then like someone's random
laptop, because then they would have to be looking for it on
someone's. Laptop.
Laptop. Yeah.
OK. That makes sense.
But because they didn't know where things were downloaded,
they might start fixing it on the laptop first.
Makes sense? All of this was discovered in
(16:24):
the 2015 audit. And you know, the leadership
they got together, they said, hey, let's fix all of this so
that we don't become the next Yahoo.
We'll implement automated systems to detect
vulnerabilities. We'll preemptively patch on top
of that, we'll put together an asset list.
We'll get it all settled out, guys.
And then they dragged their feethardcore and performed no follow
(16:47):
up audits, clapping themselves on the back and saying what a
good job they did, identifying the issues but then actually
solving none of them. Oh my.
God. So they put together this whole
plan and then, yeah, just no one.
Just didn't do anything. Yeah, just no one did anything
actually, which if you've ever worked in a corporate
environment. You wouldn't know that's how it
works. Yeah, you get that?
You're like, didn't we know all of these problems?
(17:08):
Didn't we have a plan to addressall of them?
They're like, kind of. They're like, yeah, but.
We just didn't we. Just didn't do it.
Didn't feel like it. Yeah, I dropped the ball on that
one. I don't know what to say.
One vulnerability that made its way through the cracks was for
an open source Java web application software.
Don't worry about the specifics.It helped make websites, that's
(17:29):
all you need to know, and it wascalled Apache Struts.
Apache had been aware of this vulnerability and the US cert
had labeled it a 10, which is the highest remember on their
scale, largely because there wascode floating around online with
detailed instructions of how to exploit the vulnerability.
(17:50):
So you didn't even need to be anexpert hacker, just like mildly
technologically literate and on a specific like 4 Chan page to
be able to use it for nefarious purposes.
Apache had developed and released a security patch for
the vulnerability so you could fix it as of March 7th, 2017.
The next day, the Equifax cybersecurity team received the
(18:11):
notice from US Cert and distributed it to 400 employees,
urging them to patch any instances of the affected Apache
Struts within 48 hours. They also discussed this
specific vulnerability in cybersecurity monthly meetings
in March and April of that year.Although later it was found out
that upper management did not regularly attend these meetings.
(18:32):
So later they were like, we didn't even know what was going
on. We didn't go to those meetings.
You're like, awesome. So they were aware, or at least
someone was, and supposedly fixing the issue.
But because they didn't have an exhaustive list of who actually
had the application, they failedto put everyone on that
distribution list. So it should have went to more
(18:53):
than 400 people. And the alert was actually not
sent out to at least one software developer who used the
application to build their online dispute portal.
So he never patched the issue. Additionally, there is some
evidence based on the FTC final report of the incident that
seems to simulate that seems to insinuate that no employee ever
(19:13):
started to patch the Struts vulnerability at any point until
after it was already exploited. Equifax ran scans but never
caught unpatched versions of thesoftware.
On top of that, they had less something called an SSL
certificate lapse on their online dispute portal server.
So the same server that was had the Apache Struts.
(19:33):
I don't fully understand what that is, and you don't really
need to, but the gist is that anSSL certificate enables
encryption between the server and someone using the website,
so it lets you know that your communication with the website
is protected. If you go to a website that has
this, you'll see a little lock in your in your URL bar so you
(19:54):
know that all of the informationyou're sharing with the server
is encrypted on the company side.
It lets them examine the encrypted traffic because they
can decrypt it then and examine the traffic that's going both
from their site to the user and from their user to the site.
(20:15):
Without it, Equifax would not beable to tell what encrypted
commands were being sent to their servers.
And this certificate was down for eight months.
They let it lapse for eight months.
Wow. So Oh no, I sure hope there were
no malicious encrypted commands being sent to their server
through their unpatched Struts back door that.
(20:36):
Would never happen. Of course not.
On July 29th, 2017, the Equifax team finally got around to
updating that SSL certificate insurprise.
Once they did, it actually started doing its job that.
Makes sense. That makes sense.
When they booted that thing up, it told them that they had some
(20:57):
traffic coming from their onlinedispute portal from an IP
address in China, a country where Equifax does not operate.
No, So they immediately blocked the IP address.
The next day, however, they found more suspicious traffic,
also from China, and they decided to take down the whole
(21:18):
server. Good idea.
After looking over the logs, Equifax discovered that IP
addresses first started accessing their server through
the vulnerability in the Apache Struts program on May 13th,
2017. That's two months after a patch
for the vulnerability had been announced and distributed.
(21:39):
This means that they had 78 daysof unfettered access to the
Equifax servers before they evercaught them.
Oh my God, that's so long. Yeah, whoa.
Oh my God, so many people are about to get fired.
Like. Or they should anyway.
They think it's long if you're like have access to servers for
like hours, so 70. 8 days is like they could run, they could
(22:03):
grab everything. 78 days is, is,is crazy.
It's very wild. After after the hackers
originally broke into the server, they immediately did not
have access to all of the personal identifying information
of Equifax customers. Those were locked behind, you
know, passwords and things. Equifax, however, kept
unencrypted usernames and passwords for its workers in a
(22:25):
data repository that they could access, and this allowed them to
log in using actual credential, actual credentials.
Also, due to the lack of two factor authentication, they
didn't have two factor authentication set up.
You know what's crazy? Equifax didn't have two factor
authentic 2 factor authentication set up, but the
(22:48):
protein powder I ordered does. Well, now everything does.
For the protein powder is crazy.Everything does.
So this helped them stay unnoticed, and they could access
information that contained all of that information that I
previously mentioned, Social Security numbers, credit card
numbers, addresses. The hackers would copy this
(23:09):
information in chunks to a smaller, separate archive.
And then from that archive, theycould download it to their
personal devices again in attempts to avoid detection.
If you're just like offloading abunch of data from these servers
that people shouldn't be accessing that much, it's going
to get noticed. And after 78 days, they've been
able to remove information of 143,000,000 Americans in
(23:31):
addition to 14,000,000 British and 8000 Canadian residents.
Wow. And this included the unredacted
credit card numbers of 209,000 Americans.
Oh my. God, I knew it was bad.
I didn't know it was this bad. Like, most of the of that one of
that, this number also got bumped up by like a few more
million, like 100 and 4700 and 48 million by the end of it.
(23:55):
Most of that was still bad stuff.
It was their name, Social Security numbers, addresses.
But yeah, 209,000 unredacted credit card numbers is crazy.
Yeah, it's bad. Two days after the attack, the
company's CEO, Richard Smith, Super original name, by the way,
man. Richard Smith.
I know you didn't choose it, butcome on man.
His mom and dad you were talkingto?
He was told about the breach, but Equifax did not immediately
(24:18):
notify the public or those affected by the leak until they
had supposedly identified every person impacted, which took six
weeks from when they originally discovered it.
Oh my God. And that was four months after
the information was originally accessed.
Oh my God, so much shit could have happened with their
(24:40):
information. Yeah, exactly.
They publicly announced the attacks on September 7th of that
year 2017 and immediately saw their stock drop by 13%.
Good reason this is because, andthe reason that they could do
this, so they could wait so long, is because there is no
national law stating when or even if companies have to tell
(25:03):
people that their data has been accessed on servers or that a
data breach has occurred. Instead, it is governed by a
state to state legislature. I'm pretty sure that all 50
states do have some law, but they're all different.
So there's this patchwork of regulations that hold more or
(25:23):
less stringent rules. Sometimes you have to do within
60 days, sometimes within 90 days.
I think California's just says without unreasonable delay, like
it just says that it doesn't actually provide a number.
That is kind of like up to. Yeah.
So it so it can make it a littlebit hard to follow.
And depending on where the company is located now, they
(25:43):
have to abide by different rules.
Of course, though, all of this could have been avoided if
Equifax had just properly controlled their cybersecurity
or even made changes when they identified the issues in 2015.
These were all exploits that were a direct result of problems
that they knew were already inherent in their cybersecurity
system, and they just decided not to do anything, which is
(26:05):
crazy. If you're wondering about what
happened to the other two of thebig three credit unions because
of the Apache Struts vulnerability, because they also
used Apache Struts, the answer would be a big fat nothing.
Of course, they had been doing kind of everything correctly and
had patched the software within days of the notice on all their
devices. Oh.
So they did the right thing. Yeah.
Well, and these hackers, like people were going online and
(26:27):
just like scanning for companiesthat were using this vulnerable
version of the software. So it's probably why it took two
months for them to finally find that Equifax was doing it, just
so it happened that they also had let that license lapse,
which means that they could access it for even longer and
not get caught. Just kind of a comedy of errors
on Equifax's part, honestly. Later that month, on September
(26:50):
26th, good old Richard Smith announced his retirement at the
ripe age of 57, getting out of there before he could face the
multiple lawsuits that were headed their way.
You know what? I don't blame them.
Hundreds of people affected by the breach individually sued
Equifax, winning personal awards.
But a large amount of money was given back to the victims when
Equifax settled with the FTC in July of 2019, agreeing to pay
(27:13):
$300 million into a fund to compensate them, in addition to
$275,000,000 in fines partially to the regions where they were
operating and just fines to the FTC and the government in
general. Additionally, in the UK, they
also paid a fine of £11 million for the affected British
residents in February of 2020. So three years later, 4 Chinese
(27:39):
citizens were indicted by the Department of Justice for
committing the attack on Equifax, and they were charged
with conspiracy to commit computer fraud, economic
espionage, and wire fraud, amongst others.
The American government claimed that these four were acting on
behalf of the Chinese government, gaining Intel on
American citizens. Of course, this claim has been
(27:59):
refuted by the Chinese government.
It is likely, though, that thesefour will ever face.
Trial unlikely. What did I say?
Likely. OK, but it is unlikely that
these four will ever face trial as their whereabouts are unknown
even to this day and they would likely need to be extradited to
the US from wherever they are. And China would have to.
(28:23):
Approve if they're If they're still in China, China would have
to. Approve.
And they're not going to. Especially now they're not going
to. No.
In addition to the mishandling of the situation in the
aftermath, 2 executives, former Chief Intelligence Officer Jung
Ying and manager Duhakar Reddy Bantu, were found guilty of
(28:44):
insider trading and sentenced tofour months in jail and eight
months home confinement, respectively.
For them, in the six weeks between when they learned about
the breach and announcing it publicly, it turns out these two
had been selling shares in the company because they anticipated
the drop. Oh good.
Nice. Nice.
Nice, so it's. There were some convictions
here. They went to they went to prison
(29:04):
for insider trading. Since the breach, the only
direct legislation created to address information protection
and credit unions has once againbeen the one that I mentioned
that allows customers to freeze your credit for free.
Now that was only possible as of2018 and in direct response to
this, but the American legislature is still not passed
(29:28):
any sweeping. Laws against it.
Legislation on yet regulations or practices related to data
breaches or data privacy. Even so, in the end, Equifax may
not have been the one committinga crime directly.
They were in part victims of badactors potentially working for
(29:49):
an enemy of the state. However, they were so negligent
in the basics of cybersecurity that I think we can victim blame
them here at least a little bit.On top of that, the information
stored about consumers and credit unions is usually done so
without direct interaction with the consumer.
Remember before you couldn't even see what they had on you.
(30:09):
But it isn't like you can opt out of your information being
there because as they'll tell you, the only thing worse than
bad credit is no credit. You will be gate kept out of
things that might be necessary for your survival, like a car if
you live somewhere where you need one, or things that are
directly necessary for survival like housing.
(30:32):
You know when I moved to the city I didn't I didn't even have
a good cosigner. My friend's parents had to
cosign on our. Your apartment.
On our apartment until I had twoyears of good paying history
'cause. I didn't even have a credit
'cause you moved here right after college.
Yeah, and I didn't have a creditcard, so I had no credit
basically. So it was bad.
(30:55):
So the fact that a company wouldbe so royally stupid with this
sensitive information is just infuriating.
So the only call to action I canmake is that the federal
government finally implements sweeping rules that require
immediate public notice of any data breach that could affect
consumers, and that they strengthen the penalties for
companies that are not doing their due diligence in regards
(31:17):
to keeping personal identifying information safe.
And honestly, we just need sweeping reform of online
privacy. This is not new technology.
We need to govern it like many other countries have.
Get on it, American lawmakers. And yeah, with that, that is the
story of Equifax. And not one of the largest data
(31:39):
breaches of all time, but definitely one of the most
infuriating to learn about. Yeah, no, it's super frustrating
because they knew what they were.
They knew they needed to fix stuff and then they just didn't
do it and they didn't care. By the way, Equifax is doing
fine. Yeah, they're fine.
Just. In case you were worried.
About Oh no, that like it's likethey've never been affected.
They're fine. They're making money hand over
(32:00):
fist. There's only three credit
reporting agencies that really matter in America, and they're.
Still, unfortunately one of them.
They make a lot of money, so they're not going anywhere.
If you'd like us to make a lot of if you'd like us to make a
lot of money and to not go anywhere.
I would like us to make a lot ofmoney.
We can segue into our, our, our,our beg for for you guys to do
(32:24):
stuff section. I'm sure it's your favorite.
And today we're begging for you to please leave a review.
If you want to support the show,you can write a review on Apple
Podcasts. Most of you are listening their
statistics show or you can just leave a star review either on
there or on Spotify. If you're on Spotify, you can
also see our faces. Hello everyone on Spotify and
also on YouTube at youtube.com/white collars, Red
(32:45):
Hands, you can watch our videos.We do that.
So hopefully you are watching them.
But if you can't support us by writing a review, leaving a
review, you can also like subscribe, share, whatever you
can do on whatever pod catch or mode you're listening on.
That'd be awesome. If you want an unfree way to
support us, you can also go ahead and check out our merch.
(33:06):
If you go to our website, whitecollartradehands.com, and
click on the button that says check out our merch, you can go
to our Dasher Restore and you'llbe able to buy all sorts of
accoutrement there with our one of two of our logos on it.
There's even variety. We did that for you.
You can also support us by connecting with us on social
(33:28):
media. You can also DM us on
there@facebook.com/white Collars, Red Hands X at White
Collars pod, Instagram at White Collars, under score, Red Hands,
and TikTok. We'd release teasers every week
for our episodes on TikTok at White Collars Red Hands.
You can also drop us a line through our e-mail,
whitecollarsredhands@gmail.com or once again, go to that
(33:51):
website and there's a contact usoption.
Either way, utilize that to suggest an episode for us.
We do a fancy minute episode every single season.
I think we did multiple this season.
We did, and yours. Could be next.
So please drop it there. Because it's actually not that
long until we start making our 20th season.
It is not so please get it in and who knows I might be moving.
(34:14):
I forgot to mention sorry we cancelled last week.
I had a big life update that happened.
Yeah. So I had to cancel last minute.
So thank you guys for still coming back.
Sorry for the week off. You know what I think that one
unplanned skip? Yeah, in five years, I think
(34:38):
it's. OK, we're very good about the
timeline, but yeah, so sorry we weren't here last week.
If that ruined your week, terribly sorry, but we're back
now, so everything's all right. And Speaking of, if you want to
support us, please support us bytelling a friend word of mouth.
You know, you had a whole week to think about how much you
loved us. How much you missed me?
(34:58):
You know, so just you, yeah. Fucked up, man.
I'm the one with. Boobs fucked up.
But yeah, please, please tell someone, shout it out loud,
write it in your will and bury it in a time capsule so they can
refind our show in 100 years when all of us are dead.
That's what I hope for. That's what I want.
(35:20):
And I think that's going to be it for today.
So thank you guys so much for listening.
We'll see you next week on another episode of White Collars
Red. Hands.
Wall Street veteran Bernard Madoff has been arrested and
charged with running a $50 billion Ponzi scheme.
Congress wants to know what caused the Enron meltdown, and
while the collective rage currently is focused on low
comp, Tyco CEO Dennis Koslowski was convicted of looting
hundreds of millions of dollars.This is one of the biggest fraud
cases ever. Their president's a crook.
(00:25):
Well, I'm not a crook. Find out more on this week's
episode of White Collars, Red Hands.
When we talked about Facebook and Cambridge Analytica, we
mentioned that your data is one of the most expensive things
that you own, and it is the coalthat drives the fires of free to
use online sites. It's so valuable that people are
(00:48):
willing to steal it if they can.Of course, where the data is
stolen from makes a lot of difference.
If you hacked into, I don't know, Instagram and stole my,
like history, sure, I'd be embarrassed, but you'd be hard
pressed to ruin my life with it.If you hacked instead into a
(01:09):
company that held, I don't know,personal identifying
information, or PII for short, including my Social Security and
credit card numbers, then I'd bein for a larger world of pain.
It would be even worse if I personally did not do business
with the company that held all of this information and the
breach was caused directly by their incredible ineptitude.
(01:31):
So today we have an example of just that.
As we discussed the Equifax databreach scandal of 2017.
We'll find out what was stolen, how Equifax really dropped the
ball since they knew about the issue for years beforehand and
never fixed it, and find out thetrail of digital bread crumbs
from the crime and how it led toan enemy of the state on this
(01:53):
week's episode of White Collar'sRed Hands.
I remember when this happened. Well, it was only 8 years ago
Nina, so. Yeah, but I remember I was, I
was living in Japan and I had tofreeze my Equifax.
Which you can now do for free because of this scandal today.
So while not the biggest scandalthat's ever happened, not even
(02:15):
in the top 10 actually, it is definitely or at least the top
10 for data breaches by volume of people who were affected by
the data breach. This one is special because of
the information that was that was included, but it is also
special because it was really, they were so stupid about it.
(02:36):
So I, I think it, it highlights that they weren't just hacked,
they were hacked, but it's because they were, they were
dumb. But welcome back to another
episode of White College, Red Hands, everyone.
I'm Kashawn. And I'm Naina and today.
Like I said, we're talking aboutthe Equifax data breach scandal
of 2017. As many of you know, Equifax is
one of the big three credit reporting agencies or Cras here
(02:59):
in America along with Experian and Trained Union.
I'm an Equifax sun, an Experian rising, and a TransUnion moon.
And they all just mean you're aninsufferable asshole, which is
crazy. It's so spot on.
Oh my God, how did you know? Collectively, these three
companies hold credit reports onalmost every American citizen,
(03:20):
and that controls whether we canget extended lines of credit to
buy things that are becoming increasingly overpriced, like
houses, cars, or a dozen large size eggs.
Everything's too expensive. For those of you who don't know
the history of Cras or credit unions, it turns out that these
credit unions got their start bybeing little gossips back in the
(03:41):
1700s, when the first known organization for sharing credit
information was founded in London and dubbed the Society of
Guardians for the Protection of Trade Against Swindlers and
Sharpers. Of course it was that long.
People in London, man. And this is like wig high hats,
you know, this is, this is a bunch of merchant men in tights
and tricorn hats who would get together and just like talk shit
(04:04):
about who hadn't repaid loans that they took out, you know,
but also other stuff like whose wife was cheating on him, you
know, who, who is maybe a a bit of a, a bit of a fancy, you
know. So yes, they they would kind of
spread rumors about people for sure.
For a long while, these groups of merchants would pop up
(04:26):
everywhere and keep tabs on who was good for paying back loans
locally and just keep information on people who were
interested in taking lines of credit.
And but they didn't share information amongst each other.
They were local. They talked about who was there
and they didn't talk between towns.
There really wasn't a need to. People didn't move around.
Right. And also people really probably,
I'm assuming, weren't going to another town to get a loan.
(04:49):
Not usually, no. In 1899, two brothers from
Maryland had the dream of changing this.
Thanks guys. So Guy and Katter Wolford
started the Retail Credit Company in Atlanta, GA.
There they went door to door to the creditors in the area and
gathered information on people to publish a book titled The
(05:10):
Merchant's Guide that they wouldsell to companies so they could
flip through and they would knowIt was information on on
companies mostly about if they were good on paying back their
loans. They also started offering
individual credit reports for people for the first time to
companies that asked for it. So that was kind of
revolutionary. And this business model,
obviously they're around, it's abig Business Today.
(05:31):
It took off and by the 20s they had offices throughout America
and Canada. They also have held files on
millions of people at that time already and had even started
offering various forms of insurance and most of the
companies they reported their credit reports to were actually
to other insurance providers. They were providing reports on
people to insurance companies totell them if they should cover
(05:54):
them with their insurance. They eventually took the company
public in 1965, but at this point they were already coming
under fire for what was contained in those credit
reports. They would literally like when
they were generating these reports on people, they would
comb through newspapers and if there were clippings of you like
(06:15):
getting arrested for drunk driving or fighting with your
spouse or something evil like clapping when the plane landed,
the. Worst of all?
You know they would include those clippings like they cut it
out and put it in your file. This is when files were paper.
Yeah, yeah, yeah, yeah, yeah. It's the 20s.
They would even go around to your neighbors and collect
(06:38):
personal statements on the quality of your character.
In the credit report. Yeah, because it was mostly for
insurance. So they were like, like they it
was like a, it was a professional keep tabs on people
industry. This is crazy.
They were trying to generate as much information about everyone
as possible. They would disguise themselves
as like, I guess if the welcome wagon was like an actual thing
(07:01):
that just like a saying of thesepeople that would go around to
new people in town and like talkto them, welcome to the
neighborhood. They would pose as them or fund
them and infiltrate them and then learn about new people that
moved to the area to include them in the local credit
reports. So that's obviously, you know,
(07:25):
if you're, if you're getting allthis information about people.
Sometimes those files contained actual facts based in numbers,
but they also were known to contain multiple inaccuracies.
Yeah. I would assume.
And just rumors about people's, you know, sex life, marital
life, sexuality, race and political activities, all things
(07:49):
that would allow companies to unfairly discriminate against
you based on things you can't control, not just your payment
history, which led to unfair treatment of queer people and
people of color. You know, you could put a name
on an application, but now they would ask for a file and be
like, this person is, is gay and, or black or whatever.
And then insurance companies could then be like.
(08:11):
Be like, well, no, I'm not goingto cover.
Yeah, don't cover them. This was exposed publicly in the
1970s after the digitization of the RC CS records made it easier
to access credit reports and prompted the government to step
in. After Congress questioned credit
reporting agencies focusing heavily on RCC, they finally
(08:31):
passed the the Fair Credit Reporting Act in 1971.
That made it so the following things Consumers must be
notified if negative action is taken against them because of
the information in their credit files.
Consumers must be able to find out what is in their credit
files. They weren't able to know.
No, Oh my God, no. You didn't even have.
(08:52):
You weren't so like now. Now you have just Credit Karma
on your phone. Yeah, now, you know, they like
they need to provide you with like a weekly free access to
your credit report. So no, before they couldn't do
that before the Fair Credit Reporting Act in 1970.
One that's insane. Consumers must be able to
(09:12):
dispute inaccurate information and have it corrected or
deleted, something they couldn'tdo beforehand.
Outdated information, which is generally more than 7 to 10
years old for negative information, cannot be reported.
It's got to be taken out of the report.
Consumers must provide consent for employers to check their
credit reports. Consumers must have the option
to request to be excluded from lists for unsolicited credit and
(09:36):
insurance offers and insurance offers.
Consumers who appear on a list of prospects requested by a
lender must be extended a firm offer of credit.
And this was amongst a few otherthings, but those were some of
the highlights. This obviously though, came with
a lot of bad publicity for the RCC.
(09:57):
They they were so bad that they decided to change their name.
And in 1975, they became Equifaxas we know them today.
So either people actually didn'tcare that much about the
congressional hearings or the rebrand worked because Equifax
just kept getting bigger, as we know, expanding further to the
UK and acquiring new departmentsfor identity verification,
(10:19):
employment records, market research, just kind of
continually growing until 2017. Now they had the records of over
800 million people, including that personal identifying
information such as Social Security numbers, addresses,
credit card numbers, employment status and much more, a good
chunk of which was now going to be at risk.
(10:42):
So although the data breach occurred in 2017, the real story
begins two years before that. Equifax would perform internal
audits of systems to make sure that everything was a OK.
In 2015, they ran an internal audit of their cybersecurity
system, likely in response to the largest data breach of all
time. Remember I said this wasn't even
(11:02):
the top ten? Well, the largest data breach of
all time happened in 2013 when 3billion people had their emails
and passwords leaked when Yahoo was packed was.
Hacked. Oh my God.
That's the largest of all time. That's bad.
And by the way, Yahoo was also hacked one year later in 2014,
and another 500 million people had their data access.
(11:26):
Oh. My God, how many accounts did
they have total? I don't know.
Well, I think at this time in 2013.
Well, they were like the leader at that point.
They were the industry leader, so.
Oh, that's why they fell, right?Probably.
I I I'm assuming it's at least part of it.
Probably, but I don't remember I.
Mean I don't remember that, but that I was AI wouldn't.
(11:47):
I still have a Yahoo mail account and they suck.
It's where I send all the, it's my like, black hole that I send
everything to go to, to die. Yeah.
It's the, it's the shadow realm,you know?
So it's where I send you yeast. Grandpa.
There is a government agency, USCERT or US CERTS is what I'm
going to call it, that is responsible for gathering
information about potential cyberattack weaknesses and
(12:11):
letting people know about them. They disseminate the information
they use another very acronym heavy way of scoring these
vulnerabilities based on how badthey are called the common
vulnerability scoring system or CVSS, which assigns a number one
to 10, one being baby's first backdoor code vulnerability and
(12:31):
10 being a backdoor vulnerability the size of Sasha
Grey's. Equifax used these ratings to
place needed software patches into categories of critical,
high, medium and low priority. You could have just used the
number system. Don't know if you know that
Equifax totally fine, whatever. During that 2015 internal audit,
they found that Equifax had over1000 critical high and medium
(12:53):
level vulnerabilities that had not been patched and that
greater than 65% of those were more than 90 days.
Old. At the time that they did the
internal audit, which that's pretty bad because the current
policy for Equifax was that critical vulnerabilities should
be patched within 48 hours, highvulnerabilities should be
patched within 30 days, and medium vulnerabilities should be
(13:15):
patched within 90. They have 1000 of all of those
that are past 90. On top of that, patches were not
done automatically. They asked their IT teams to be
signed up for like push notifications from software
companies so that they would be notified about vulnerabilities
(13:35):
and software that they used. They were like, hey, make sure
if you're using a software to sign up for push notifications
for it, like, OK. The security team would also,
they would run scans on their system and then notify personnel
if vulnerabilities were found. But they would only patch the
systems if the scans showed the vulnerabilities, and they didn't
(13:55):
really have anything to verify that their scans were correct or
doing a good job at all. And this model of trusting the
scans and not proactively implementing patches was known
as the Honor system at Equifax. It is good to point out that
this is not recommended. Most places.
When they learn of a vulnerability, they just make
(14:16):
sure that every instance of thatsoftware that they have that has
the vulnerability is up to date.That makes sense.
They don't scan and be like wellI didn't find anything.
Oh well. You know, they, they proactively
go out and look, of course that leads to the next issue that
Equifax did not keep a detail ITasset inventory of either
hardware or software that they had.
(14:37):
So they were kind of like blind as to what software was running
on the machines on their network.
They didn't know what was downloaded and where and they
didn't even have a good idea of like where their actual physical
assets like the servers and and computers that they had out
necessarily were, which is crazyto think of that such a large
company is so bad at doing this stuff.
(14:58):
So if there was a vulnerability like I don't know, let's say a
Candy Crush, they couldn't accurately tell which of their
company issued phones had Candy Crush downloaded on it to go
implement the patch. So that's why they had to run
the scans because they didn't even know what was on their
stuff. And then on top of that they
couldn't verify that the scans were working properly and
reaching every device because they didn't know all the devices
(15:20):
they were trying to look for. Also because of this, when they
were patching vulnerabilities they didn't have a good idea
about which devices were affected were more critical.
So they might spend time prioritizing fixing the
vulnerability on some like random ass person's laptop when
it was actually present on a server that held a bunch of
people's. Information so they could have
(15:41):
just fixed it on the server instead of the laptop, but they
should have. Done it there first, yeah.
OK, but because it was just on the because if here's my
question, if they had fixed it on the server, would that cover
the issue on the laptop or wouldthey still have to fix the
laptop? No, if if there's any instance
of the software downloaded anywhere that has the bug in the
code, you have to. Explain wherever that software
(16:03):
is downloaded. Yeah, it's just that external
people are more likely to get into the server because the
server connects to the network then like someone's random
laptop, because then they would have to be looking for it on
someone's. Laptop.
Laptop. Yeah.
OK. That makes sense.
But because they didn't know where things were downloaded,
they might start fixing it on the laptop first.
Makes sense? All of this was discovered in
(16:24):
the 2015 audit. And you know, the leadership
they got together, they said, hey, let's fix all of this so
that we don't become the next Yahoo.
We'll implement automated systems to detect
vulnerabilities. We'll preemptively patch on top
of that, we'll put together an asset list.
We'll get it all settled out, guys.
And then they dragged their feethardcore and performed no follow
(16:47):
up audits, clapping themselves on the back and saying what a
good job they did, identifying the issues but then actually
solving none of them. Oh my.
God. So they put together this whole
plan and then, yeah, just no one.
Just didn't do anything. Yeah, just no one did anything
actually, which if you've ever worked in a corporate
environment. You wouldn't know that's how it
works. Yeah, you get that?
You're like, didn't we know all of these problems?
(17:08):
Didn't we have a plan to addressall of them?
They're like, kind of. They're like, yeah, but.
We just didn't we. Just didn't do it.
Didn't feel like it. Yeah, I dropped the ball on that
one. I don't know what to say.
One vulnerability that made its way through the cracks was for
an open source Java web application software.
Don't worry about the specifics.It helped make websites, that's
(17:29):
all you need to know, and it wascalled Apache Struts.
Apache had been aware of this vulnerability and the US cert
had labeled it a 10, which is the highest remember on their
scale, largely because there wascode floating around online with
detailed instructions of how to exploit the vulnerability.
(17:50):
So you didn't even need to be anexpert hacker, just like mildly
technologically literate and on a specific like 4 Chan page to
be able to use it for nefarious purposes.
Apache had developed and released a security patch for
the vulnerability so you could fix it as of March 7th, 2017.
The next day, the Equifax cybersecurity team received the
(18:11):
notice from US Cert and distributed it to 400 employees,
urging them to patch any instances of the affected Apache
Struts within 48 hours. They also discussed this
specific vulnerability in cybersecurity monthly meetings
in March and April of that year.Although later it was found out
that upper management did not regularly attend these meetings.
(18:32):
So later they were like, we didn't even know what was going
on. We didn't go to those meetings.
You're like, awesome. So they were aware, or at least
someone was, and supposedly fixing the issue.
But because they didn't have an exhaustive list of who actually
had the application, they failedto put everyone on that
distribution list. So it should have went to more
(18:53):
than 400 people. And the alert was actually not
sent out to at least one software developer who used the
application to build their online dispute portal.
So he never patched the issue. Additionally, there is some
evidence based on the FTC final report of the incident that
seems to simulate that seems to insinuate that no employee ever
(19:13):
started to patch the Struts vulnerability at any point until
after it was already exploited. Equifax ran scans but never
caught unpatched versions of thesoftware.
On top of that, they had less something called an SSL
certificate lapse on their online dispute portal server.
So the same server that was had the Apache Struts.
(19:33):
I don't fully understand what that is, and you don't really
need to, but the gist is that anSSL certificate enables
encryption between the server and someone using the website,
so it lets you know that your communication with the website
is protected. If you go to a website that has
this, you'll see a little lock in your in your URL bar so you
(19:54):
know that all of the informationyou're sharing with the server
is encrypted on the company side.
It lets them examine the encrypted traffic because they
can decrypt it then and examine the traffic that's going both
from their site to the user and from their user to the site.
(20:15):
Without it, Equifax would not beable to tell what encrypted
commands were being sent to their servers.
And this certificate was down for eight months.
They let it lapse for eight months.
Wow. So Oh no, I sure hope there were
no malicious encrypted commands being sent to their server
through their unpatched Struts back door that.
(20:36):
Would never happen. Of course not.
On July 29th, 2017, the Equifax team finally got around to
updating that SSL certificate insurprise.
Once they did, it actually started doing its job that.
Makes sense. That makes sense.
When they booted that thing up, it told them that they had some
(20:57):
traffic coming from their onlinedispute portal from an IP
address in China, a country where Equifax does not operate.
No, So they immediately blocked the IP address.
The next day, however, they found more suspicious traffic,
also from China, and they decided to take down the whole
(21:18):
server. Good idea.
After looking over the logs, Equifax discovered that IP
addresses first started accessing their server through
the vulnerability in the Apache Struts program on May 13th,
2017. That's two months after a patch
for the vulnerability had been announced and distributed.
(21:39):
This means that they had 78 daysof unfettered access to the
Equifax servers before they evercaught them.
Oh my God, that's so long. Yeah, whoa.
Oh my God, so many people are about to get fired.
Like. Or they should anyway.
They think it's long if you're like have access to servers for
like hours, so 70. 8 days is like they could run, they could
(22:03):
grab everything. 78 days is, is,is crazy.
It's very wild. After after the hackers
originally broke into the server, they immediately did not
have access to all of the personal identifying information
of Equifax customers. Those were locked behind, you
know, passwords and things. Equifax, however, kept
unencrypted usernames and passwords for its workers in a
(22:25):
data repository that they could access, and this allowed them to
log in using actual credential, actual credentials.
Also, due to the lack of two factor authentication, they
didn't have two factor authentication set up.
You know what's crazy? Equifax didn't have two factor
authentic 2 factor authentication set up, but the
(22:48):
protein powder I ordered does. Well, now everything does.
For the protein powder is crazy.Everything does.
So this helped them stay unnoticed, and they could access
information that contained all of that information that I
previously mentioned, Social Security numbers, credit card
numbers, addresses. The hackers would copy this
(23:09):
information in chunks to a smaller, separate archive.
And then from that archive, theycould download it to their
personal devices again in attempts to avoid detection.
If you're just like offloading abunch of data from these servers
that people shouldn't be accessing that much, it's going
to get noticed. And after 78 days, they've been
able to remove information of 143,000,000 Americans in
(23:31):
addition to 14,000,000 British and 8000 Canadian residents.
Wow. And this included the unredacted
credit card numbers of 209,000 Americans.
Oh my. God, I knew it was bad.
I didn't know it was this bad. Like, most of the of that one of
that, this number also got bumped up by like a few more
million, like 100 and 4700 and 48 million by the end of it.
(23:55):
Most of that was still bad stuff.
It was their name, Social Security numbers, addresses.
But yeah, 209,000 unredacted credit card numbers is crazy.
Yeah, it's bad. Two days after the attack, the
company's CEO, Richard Smith, Super original name, by the way,
man. Richard Smith.
I know you didn't choose it, butcome on man.
His mom and dad you were talkingto?
He was told about the breach, but Equifax did not immediately
(24:18):
notify the public or those affected by the leak until they
had supposedly identified every person impacted, which took six
weeks from when they originally discovered it.
Oh my God. And that was four months after
the information was originally accessed.
Oh my God, so much shit could have happened with their
(24:40):
information. Yeah, exactly.
They publicly announced the attacks on September 7th of that
year 2017 and immediately saw their stock drop by 13%.
Good reason this is because, andthe reason that they could do
this, so they could wait so long, is because there is no
national law stating when or even if companies have to tell
(25:03):
people that their data has been accessed on servers or that a
data breach has occurred. Instead, it is governed by a
state to state legislature. I'm pretty sure that all 50
states do have some law, but they're all different.
So there's this patchwork of regulations that hold more or
(25:23):
less stringent rules. Sometimes you have to do within
60 days, sometimes within 90 days.
I think California's just says without unreasonable delay, like
it just says that it doesn't actually provide a number.
That is kind of like up to. Yeah.
So it so it can make it a littlebit hard to follow.
And depending on where the company is located now, they
(25:43):
have to abide by different rules.
Of course, though, all of this could have been avoided if
Equifax had just properly controlled their cybersecurity
or even made changes when they identified the issues in 2015.
These were all exploits that were a direct result of problems
that they knew were already inherent in their cybersecurity
system, and they just decided not to do anything, which is
(26:05):
crazy. If you're wondering about what
happened to the other two of thebig three credit unions because
of the Apache Struts vulnerability, because they also
used Apache Struts, the answer would be a big fat nothing.
Of course, they had been doing kind of everything correctly and
had patched the software within days of the notice on all their
devices. Oh.
So they did the right thing. Yeah.
Well, and these hackers, like people were going online and
(26:27):
just like scanning for companiesthat were using this vulnerable
version of the software. So it's probably why it took two
months for them to finally find that Equifax was doing it, just
so it happened that they also had let that license lapse,
which means that they could access it for even longer and
not get caught. Just kind of a comedy of errors
on Equifax's part, honestly. Later that month, on September
(26:50):
26th, good old Richard Smith announced his retirement at the
ripe age of 57, getting out of there before he could face the
multiple lawsuits that were headed their way.
You know what? I don't blame them.
Hundreds of people affected by the breach individually sued
Equifax, winning personal awards.
But a large amount of money was given back to the victims when
Equifax settled with the FTC in July of 2019, agreeing to pay
(27:13):
$300 million into a fund to compensate them, in addition to
$275,000,000 in fines partially to the regions where they were
operating and just fines to the FTC and the government in
general. Additionally, in the UK, they
also paid a fine of £11 million for the affected British
residents in February of 2020. So three years later, 4 Chinese
(27:39):
citizens were indicted by the Department of Justice for
committing the attack on Equifax, and they were charged
with conspiracy to commit computer fraud, economic
espionage, and wire fraud, amongst others.
The American government claimed that these four were acting on
behalf of the Chinese government, gaining Intel on
American citizens. Of course, this claim has been
(27:59):
refuted by the Chinese government.
It is likely, though, that thesefour will ever face.
Trial unlikely. What did I say?
Likely. OK, but it is unlikely that
these four will ever face trial as their whereabouts are unknown
even to this day and they would likely need to be extradited to
the US from wherever they are. And China would have to.
(28:23):
Approve if they're If they're still in China, China would have
to. Approve.
And they're not going to. Especially now they're not going
to. No.
In addition to the mishandling of the situation in the
aftermath, 2 executives, former Chief Intelligence Officer Jung
Ying and manager Duhakar Reddy Bantu, were found guilty of
(28:44):
insider trading and sentenced tofour months in jail and eight
months home confinement, respectively.
For them, in the six weeks between when they learned about
the breach and announcing it publicly, it turns out these two
had been selling shares in the company because they anticipated
the drop. Oh good.
Nice. Nice.
Nice, so it's. There were some convictions
here. They went to they went to prison
(29:04):
for insider trading. Since the breach, the only
direct legislation created to address information protection
and credit unions has once againbeen the one that I mentioned
that allows customers to freeze your credit for free.
Now that was only possible as of2018 and in direct response to
this, but the American legislature is still not passed
(29:28):
any sweeping. Laws against it.
Legislation on yet regulations or practices related to data
breaches or data privacy. Even so, in the end, Equifax may
not have been the one committinga crime directly.
They were in part victims of badactors potentially working for
(29:49):
an enemy of the state. However, they were so negligent
in the basics of cybersecurity that I think we can victim blame
them here at least a little bit.On top of that, the information
stored about consumers and credit unions is usually done so
without direct interaction with the consumer.
Remember before you couldn't even see what they had on you.
(30:09):
But it isn't like you can opt out of your information being
there because as they'll tell you, the only thing worse than
bad credit is no credit. You will be gate kept out of
things that might be necessary for your survival, like a car if
you live somewhere where you need one, or things that are
directly necessary for survival like housing.
(30:32):
You know when I moved to the city I didn't I didn't even have
a good cosigner. My friend's parents had to
cosign on our. Your apartment.
On our apartment until I had twoyears of good paying history
'cause. I didn't even have a credit
'cause you moved here right after college.
Yeah, and I didn't have a creditcard, so I had no credit
basically. So it was bad.
(30:55):
So the fact that a company wouldbe so royally stupid with this
sensitive information is just infuriating.
So the only call to action I canmake is that the federal
government finally implements sweeping rules that require
immediate public notice of any data breach that could affect
consumers, and that they strengthen the penalties for
companies that are not doing their due diligence in regards
(31:17):
to keeping personal identifying information safe.
And honestly, we just need sweeping reform of online
privacy. This is not new technology.
We need to govern it like many other countries have.
Get on it, American lawmakers. And yeah, with that, that is the
story of Equifax. And not one of the largest data
(31:39):
breaches of all time, but definitely one of the most
infuriating to learn about. Yeah, no, it's super frustrating
because they knew what they were.
They knew they needed to fix stuff and then they just didn't
do it and they didn't care. By the way, Equifax is doing
fine. Yeah, they're fine.
Just. In case you were worried.
About Oh no, that like it's likethey've never been affected.
They're fine. They're making money hand over
(32:00):
fist. There's only three credit
reporting agencies that really matter in America, and they're.
Still, unfortunately one of them.
They make a lot of money, so they're not going anywhere.
If you'd like us to make a lot of if you'd like us to make a
lot of money and to not go anywhere.
I would like us to make a lot ofmoney.
We can segue into our, our, our,our beg for for you guys to do
(32:24):
stuff section. I'm sure it's your favorite.
And today we're begging for you to please leave a review.
If you want to support the show,you can write a review on Apple
Podcasts. Most of you are listening their
statistics show or you can just leave a star review either on
there or on Spotify. If you're on Spotify, you can
also see our faces. Hello everyone on Spotify and
also on YouTube at youtube.com/white collars, Red
(32:45):
Hands, you can watch our videos.We do that.
So hopefully you are watching them.
But if you can't support us by writing a review, leaving a
review, you can also like subscribe, share, whatever you
can do on whatever pod catch or mode you're listening on.
That'd be awesome. If you want an unfree way to
support us, you can also go ahead and check out our merch.
(33:06):
If you go to our website, whitecollartradehands.com, and
click on the button that says check out our merch, you can go
to our Dasher Restore and you'llbe able to buy all sorts of
accoutrement there with our one of two of our logos on it.
There's even variety. We did that for you.
You can also support us by connecting with us on social
(33:28):
media. You can also DM us on
there@facebook.com/white Collars, Red Hands X at White
Collars pod, Instagram at White Collars, under score, Red Hands,
and TikTok. We'd release teasers every week
for our episodes on TikTok at White Collars Red Hands.
You can also drop us a line through our e-mail,
whitecollarsredhands@gmail.com or once again, go to that
(33:51):
website and there's a contact usoption.
Either way, utilize that to suggest an episode for us.
We do a fancy minute episode every single season.
I think we did multiple this season.
We did, and yours. Could be next.
So please drop it there. Because it's actually not that
long until we start making our 20th season.
It is not so please get it in and who knows I might be moving.
(34:14):
I forgot to mention sorry we cancelled last week.
I had a big life update that happened.
Yeah. So I had to cancel last minute.
So thank you guys for still coming back.
Sorry for the week off. You know what I think that one
unplanned skip? Yeah, in five years, I think
(34:38):
it's. OK, we're very good about the
timeline, but yeah, so sorry we weren't here last week.
If that ruined your week, terribly sorry, but we're back
now, so everything's all right. And Speaking of, if you want to
support us, please support us bytelling a friend word of mouth.
You know, you had a whole week to think about how much you
loved us. How much you missed me?
(34:58):
You know, so just you, yeah. Fucked up, man.
I'm the one with. Boobs fucked up.
But yeah, please, please tell someone, shout it out loud,
write it in your will and bury it in a time capsule so they can
refind our show in 100 years when all of us are dead.
That's what I hope for. That's what I want.
(35:20):
And I think that's going to be it for today.
So thank you guys so much for listening.
We'll see you next week on another episode of White Collars
Red. Hands.
Popular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Special Summer Offer: Exclusively on Apple Podcasts, try our Dateline Premium subscription completely free for one month! With Dateline Premium, you get every episode ad-free plus exclusive bonus content.
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!