Monday, September 18, 2017

Equifax

The Equifax data breach was made possible because no one at Equifax patched a weakness in a software module for more than two months after a patch became available. Was it laziness? Was it incompetence? Was it both?

Meanwhile, Equifax Argentina just discovered another security vulnerability unrelated to the recent major breach. They discovered it was possible to log into a restricted section of their website using “admin” for the login. A child would know better than to use “admin” for any login exposed to the internet. Again, laziness and/or incompetence?

IT professionals who have the responsibility to guard our personal data often seem to ignore basic rules of data security. How do I know? Go to this page and look at the list of data breaches. And remember, these are the major breaches. Then come back and tell me we don’t have a serious problem.

It’s possible for a hacker to break security using a weakness that only the hacker knows about. The IT staff can be forgiven for not preventing that happening. After all, it’s not their job to find security flaws in a vendor’s product. But to allow a hacker to break security by using a known security flaw for which a patch is available is inexcusable. IT professionals who don’t do their job to protect millions of us should lose the right to work in that profession. It’s the only way we, the public, can protect ourselves from “professionals” who refuse to, or don’t know how to, do their job properly.
