US credit agency Equifax is under the spotlight after exposing the personal data of nearly half the US population.

What Happened

Equifax is one of the three largest American credit agencies.  It gathers information about you, without you even knowing, from credit card companies, banks, and other lenders.  Equifax uses this information to score people for credit applications.

Equifax revealed that a data breach had exposed the personal details of about 143 million US consumers and around 400,000 British and Canadian residents.  The personal information included names, social security numbers, birth dates, addresses and driver's license numbers.  About 209,000 consumers' credit card numbers were stolen as well.

The firm took six weeks to make the discovery public after first learning of a problem.  In that interval three company executives sold nearly $2m (£1.5m) worth of shares in the company, making this both a technical and a PR failure.

How did such a large, heavily regulated company get hit?

It is another example of falling behind on server patch management.

According to a statement published by Equifax on Sep. 13, the vulnerability was in a popular open-source software package called Apache Struts (a programming framework for building web applications in Java).  A patch for the vulnerability was released in March, but it was not applied, and attackers exploited the bug to break into the company's servers about two months later.
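The operational failure here is not knowing, or not acting on, which Struts version is deployed. The script below is an added example (not Equifax's code and not part of Apache Struts) of the kind of inventory check that would have flagged the gap: it walks a deployment tree for `struts2-core-<version>.jar` files and classifies each one against the versions that carried the March 2017 fix (2.3.32 and 2.5.10.1, per the Struts S2-045 advisory for CVE-2017-5638, which listed 2.3.5 to 2.3.31 and 2.5 to 2.5.10 as affected). The directory layout and jar names in `DEMO_JARS` are constructed for illustration.

```python
"""Inventory check: find deployed struts2-core jars and compare them with the S2-045 fix.

Added example, not Equifax's or Apache's code.  Fixed/affected versions are from the
S2-045 advisory (CVE-2017-5638); the demo tree below is constructed.
"""
import re
import tempfile
from pathlib import Path

FIRST_AFFECTED_2_3 = (2, 3, 5)    # S2-045: 2.3.5 - 2.3.31 affected
FIXED_2_3 = (2, 3, 32)            # first 2.3.x release with the fix
FIXED_2_5 = (2, 5, 10, 1)         # first 2.5.x release with the fix (2.5 - 2.5.10 affected)

JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")

# Constructed deployment layout: paths are hypothetical, files are created empty.
DEMO_JARS = [
    "tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.3.31.jar",   # one release short of the fix
    "tomcat/webapps/api/WEB-INF/lib/struts2-core-2.5.10.1.jar",    # patched
    "tomcat/webapps/reports/WEB-INF/lib/struts2-core-2.5.10.jar",  # looks close, still affected
    "legacy/ROOT/WEB-INF/lib/struts2-core-2.3.4.jar",              # predates S2-045, long unsupported
]


def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def classify(version):
    """Return 'patched', 'vulnerable' (S2-045 range) or 'unsupported' for a struts2-core version."""
    v = parse_version(version) if isinstance(version, str) else version
    if v[:2] == (2, 3):
        if v >= FIXED_2_3:
            return "patched"
        return "vulnerable" if v >= FIRST_AFFECTED_2_3 else "unsupported"
    if v[:2] == (2, 5):
        return "patched" if v >= FIXED_2_5 else "vulnerable"
    # Releases after 2.5.10.1 carry the fix; anything older than 2.3 is out of support.
    return "patched" if v > FIXED_2_5 else "unsupported"


def scan(root):
    """Walk a deployment directory; return (path, version, verdict) for every struts2-core jar."""
    findings = []
    for path in Path(root).rglob("struts2-core-*.jar"):
        match = JAR_RE.match(path.name)
        if match:
            version = match.group(1)
            findings.append((str(path), version, classify(version)))
    return findings


def demo():
    """Build the constructed tree in a temp dir, scan it, and return {version: verdict}."""
    with tempfile.TemporaryDirectory() as base:
        for rel in DEMO_JARS:
            jar = Path(base, rel)
            jar.parent.mkdir(parents=True, exist_ok=True)
            jar.touch()
        return {version: verdict for _, version, verdict in scan(base)}


if __name__ == "__main__":
    for version, verdict in sorted(demo().items()):
        print(f"struts2-core-{version}.jar: {verdict}")
```

The point of the `unsupported` verdict is that a version older than the affected range is not "safe"; it simply predates this advisory and needs upgrading on its own account. In practice the same check should run against every host in the fleet, not just the ones the application team remembers.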

In a separate incident, Equifax may have been breached in Argentina, where an online employee tool used in the country could be accessed by typing "admin" as both the username and the password.  This gave access to records that included thousands of customers' national identity numbers.

Lessons they have now learned:

  1. apply security patches regularly
  2. alert authorities in good time; the longer you leave it, the worse it looks
  3. don't use easy or default passwords
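Lesson 3 and the Argentina portal above are the same failure: an account that shipped with, or was set to, a credential anyone would guess first. The code below is an added example (not Equifax's code) of two controls that catch it. `credential_problems` rejects a username/password pair at creation time, and `accounts_with_default_passwords` is a startup-time guard that tries a list of known default pairs against the stored password hashes so an application refuses to go live while "admin/admin" still works. The default-pair list, the common-password list and the sample accounts are constructed for illustration; a real deployment would load a much larger corpus.

```python
"""Reject default or trivially guessable credentials, at creation time and at startup.

Added example, not Equifax's code.  DEFAULT_PAIRS, COMMON_PASSWORDS and the accounts
in demo() are constructed; PBKDF2-HMAC-SHA256 from the standard library is used for
the stored hashes.
"""
import hashlib
import hmac
import os

# Constructed list of vendor/default pairs seen on exposed admin portals; extend in practice.
DEFAULT_PAIRS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "admin123"),
    ("root", "root"), ("test", "test"), ("guest", "guest"),
}
# Constructed short common-password list; a real check uses a breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein", "welcome", "admin"}
MIN_LENGTH = 12
PBKDF2_ROUNDS = 100_000


def credential_problems(username, password):
    """Return the policy violations for a username/password pair; an empty list means OK."""
    problems = []
    u, p = username.lower(), password.lower()
    if (u, p) in DEFAULT_PAIRS:
        problems.append("matches a known default credential pair")
    if p == u or (len(u) >= 3 and u in p):      # 'admin' / 'admin2017'
        problems.append("password contains the username")
    if p in COMMON_PASSWORDS:
        problems.append("password is on the common-password list")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


def hash_password(password, salt=None):
    """Return (salt, digest) for storage; a fresh random salt is used when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored (salt, digest)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def accounts_with_default_passwords(accounts):
    """Startup guard: return the usernames whose stored hash still verifies a known default."""
    hits = []
    for username, (salt, digest) in accounts.items():
        for default_user, default_pass in DEFAULT_PAIRS:
            if default_user == username.lower() and verify_password(default_pass, salt, digest):
                hits.append(username)
                break
    return sorted(hits)


def demo():
    """Constructed accounts: one still on admin/admin, one with a real passphrase."""
    accounts = {
        "admin": hash_password("admin"),
        "jdoe": hash_password("correct horse battery staple"),
    }
    return {
        "weak_admin": credential_problems("admin", "admin"),
        "ok": credential_problems("jdoe", "correct horse battery staple"),
        "still_default": accounts_with_default_passwords(accounts),
    }


if __name__ == "__main__":
    result = demo()
    print("admin/admin rejected because:", "; ".join(result["weak_admin"]))
    print("accounts still on a default password:", result["still_default"])
    if result["still_default"]:
        raise SystemExit("refusing to start: default credentials still active")
```

The startup guard only needs the stored hashes, so it can run in the deployment pipeline without ever holding plaintext passwords; if it fires, the fix is to rotate the account, not to ship anyway.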