If you have a credit card or an internet connection, you are probably well aware of the Equifax security breach that exposed personal information belonging to 143 million customers in the U.S., Canada, and the U.K. Shares fell 18 percent on Friday, the most in almost two decades.
Consumers were instructed to check whether they had been breached by entering the last digits of their social security numbers. But as many on Twitter pointed out, the system was flawed, either instructing users to come back at a later date, or throwing back a generic error when customers put in false information.
As with most massive data breaches, consumers have already considered legal action, filing a class-action lawsuit that alleges Equifax was lax with information security. But Equifax has figured out a loophole: if you check your information on its website, you waive your rights to arbitration.
The number of victims makes the Equifax breach one of the largest in history.
The company does not have the best track record when it comes to security. Interestingly, Equifax has publicly talked about the money it has spent on preventing zero-day attacks, but it fell to an unpatched web application.
Other lax security practices at the company include storing information in plaintext.
The vulnerability was almost a decade old, according to researchers. Quartz reports that the exploited vulnerability "was in a popular open-source software package called Apache Struts, which is a programming framework for building web applications in Java."
A journalist from The Daily Beast pointed to several security mishaps in Equifax's history, including unpatched website vulnerabilities.
Security pundits argue that Equifax is one of "many organizations [that] are just not incentivized enough to make changes because there has been little fear of financial liability."
Perhaps more troubling to consumers than its lax security practices is Equifax's apparent disdain for its customers.
"Most organizations affected by hacks and leaks have treated the matter with great seriousness and care, understanding that their reputations were on the line. But whether intentionally or not, Equifax appears to have leaned into the new malaise, treating this massive breach with the bureaucratic apathy one might expect from a big, faceless credit-reporting agency—a company everyone must use, but no one chooses to."