As details of Equifax's massive spill of sensitive personal information on 143 million people, mostly in the United States, emerge, it's hard to come to any conclusion other than that the company lacked the technical competence to hold the data it did.

First, the hackers didn't have to work very hard to siphon off the credit reporting company's databases. They used an easily exploitable vulnerability in Apache Struts, a framework for building Java web applications. The bug, CVE-2017-5638, sat in the framework's multipart file-upload handling: text an attacker placed in an HTTP request header was evaluated by the framework as an expression, so a single crafted request could run code on the server.

By easy I mean that, thanks to that bug, the attackers could run operating system commands on Equifax's servers remotely, without authentication and without anyone noticing.
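The "without anyone noticing" part is the bit a defender can do something about. Because the bug turned on the framework evaluating text from a request header, one cheap check is whether each request's Content-Type header is even a syntactically valid media type; expression syntax such as `%{` has no legitimate place there. The following is an added example, not code from the article, from Equifax or from the Struts project. The access-log layout (a combined log line with the request's Content-Type appended as a final quoted field) and the sample lines are constructed for illustration, and the suspicious header is generic expression syntax, not a real payload.

```python
import re
from typing import List, Optional, Tuple

# RFC 7230 "token" characters, then a media type of the form type/subtype
# followed by optional ;name=value parameters (RFC 7231 section 3.1.1.1).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
MEDIA_TYPE_RE = re.compile(
    rf"^{TOKEN}/{TOKEN}(?:\s*;\s*{TOKEN}=(?:{TOKEN}|\"[^\"]*\"))*\s*$"
)

# Expression-language openers that never belong in a media type.
EXPRESSION_MARKERS = ("%{", "${", "(#")

# Constructed access log: combined-log fields with the request's Content-Type
# appended as a final quoted field. The layout is an assumption made for this
# example, not any real server's format, and every line is made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Mar/2017:12:01:03 +0000] "POST /upload.action HTTP/1.1" 200 512 "multipart/form-data; boundary=----constructed"',
    '10.0.0.7 - - [07/Mar/2017:12:01:04 +0000] "GET /index.action HTTP/1.1" 200 1024 "-"',
    '10.0.0.9 - - [07/Mar/2017:12:01:05 +0000] "POST /upload.action HTTP/1.1" 200 512 "%{(#x=\'1\').(#y=2)}"',
    '10.0.0.8 - - [07/Mar/2017:12:01:06 +0000] "POST /api.action HTTP/1.1" 200 64 "application/json; charset=utf-8"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d+ \d+ "(?P<ctype>.*)"$'
)


def content_type_is_suspicious(value: str) -> Optional[str]:
    """Return a reason if the Content-Type value is not a plain media type,
    or None when it is (or when no header was sent, which the log shows as "-")."""
    if value in ("", "-"):
        return None
    if MEDIA_TYPE_RE.match(value):
        return None
    for marker in EXPRESSION_MARKERS:
        if marker in value:
            return f"expression syntax {marker!r} in Content-Type"
    return "not a valid media type"


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run the header check over log lines; return (client ip, request, reason)
    for every line whose Content-Type fails it."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected layout; skip rather than guess
        reason = content_type_is_suspicious(m["ctype"])
        if reason:
            hits.append((m["ip"], m["req"], reason))
    return hits


if __name__ == "__main__":
    for ip, req, reason in scan_log(SAMPLE_LOG):
        print(f"{ip} {req}: {reason}")
```

Run over the constructed lines, only the request from 10.0.0.9 is flagged. The check is deliberately a whitelist of what a header may look like rather than a blacklist of known payloads, so it still fires on obfuscated variants, at the cost of also flagging malformed but harmless headers, which is an acceptable trade for a file-upload endpoint.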

That particular bug had security vendors and systems administrators in full panic mode at the beginning of March, because it was already being exploited across the internet when it was disclosed. Equifax says it saw the reports about the bug and started patching its systems against it.

That's a strange statement, because Equifax also says it didn't discover until 29 July this year that its systems had been broken into using that very vulnerability, months after the fix had become available.


Oh, and whoever rummaged through its servers did so for about a month and a half, from mid-May, before the break-in was discovered.

After the hack was revealed, Equifax managed to shoot itself in the other foot by mishandling the very feature that was meant to stop random people getting at consumers' credit records and personal details.

Its credit freeze mechanism used date and time stamps as the personal identification numbers issued to applicants. Such PINs are of course dead simple to guess: a PIN that merely encodes the minute a freeze was placed has at most 1,440 possible values for a known day, and well under a million (under 20 bits) even if the attacker can only narrow it down to a year, against roughly 33 bits for a uniformly random ten-digit PIN. Equifax had to scramble to replace them with randomly generated ones.
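To make the size of that mistake concrete, here is an added example (not Equifax's code, and not from the article) that puts the two schemes side by side. The MMDDYYhhmm layout of the timestamp PIN is an assumption for illustration; the column says only that date and time stamps were used. The freeze time and the attacker's knowledge of the day are a constructed scenario.

```python
import math
import secrets
from datetime import datetime, timedelta
from typing import Dict, Iterator, Optional

PIN_DIGITS = 10

# Constructed scenario, not Equifax's real data: a freeze placed at 14:37 on
# 8 September 2017, and an attacker who knows only the day it happened.
FREEZE_AT = datetime(2017, 9, 8, 14, 37)
DAY_START = datetime(2017, 9, 8)
DAY_END = DAY_START + timedelta(days=1)
YEAR_START = datetime(2017, 1, 1)
YEAR_END = datetime(2018, 1, 1)


def timestamp_pin(freeze_time: datetime) -> str:
    """Weak scheme: the PIN is the minute the freeze was placed, as MMDDYYhhmm.
    The exact layout is an assumption for illustration; the column only says
    date and time stamps were used."""
    return freeze_time.strftime("%m%d%y%H%M")


def random_pin(digits: int = PIN_DIGITS) -> str:
    """Fixed scheme: digits from the OS CSPRNG, so all 10**digits values are
    equally likely and knowing when the freeze happened buys a guesser nothing."""
    return "".join(str(secrets.randbelow(10)) for _ in range(digits))


def timestamp_candidates(start: datetime, end: datetime) -> Iterator[str]:
    """Every PIN the weak scheme can produce for a freeze in [start, end)."""
    t = start
    while t < end:
        yield timestamp_pin(t)
        t += timedelta(minutes=1)


def candidate_count(start: datetime, end: datetime) -> int:
    """Size of the weak scheme's guess space for that window (one per minute)."""
    return int((end - start).total_seconds() // 60)


def guess_space_bits(n_candidates: int) -> float:
    """Effective entropy of a PIN drawn uniformly from n_candidates values."""
    return math.log2(n_candidates)


def attempts_to_recover(target_pin: str, start: datetime, end: datetime) -> Optional[int]:
    """Guesses an attacker needs to hit target_pin by enumerating the window
    oldest-first, or None if the PIN was not issued inside it."""
    for attempt, candidate in enumerate(timestamp_candidates(start, end), start=1):
        if candidate == target_pin:
            return attempt
    return None


def compare_schemes() -> Dict[str, object]:
    """Put the weak and fixed schemes side by side for the constructed scenario."""
    weak = timestamp_pin(FREEZE_AT)
    return {
        "weak_pin": weak,
        "day_candidates": candidate_count(DAY_START, DAY_END),
        "day_bits": guess_space_bits(candidate_count(DAY_START, DAY_END)),
        "year_bits": guess_space_bits(candidate_count(YEAR_START, YEAR_END)),
        "attempts_within_day": attempts_to_recover(weak, DAY_START, DAY_END),
        "random_bits": guess_space_bits(10 ** PIN_DIGITS),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
    print("random_pin:", random_pin())
```

With the attacker knowing only the day, the weak PIN falls in under 900 guesses; knowing only the year, in about half a million, which is still a few minutes of work against an unthrottled web form. Rate limiting the freeze endpoint would slow that down but not fix it; the guess space itself is the problem, which is why the repair was to issue random PINs.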

Victims, regulators and politicians are up in arms about the huge data breach, and understandably so: among other things, the stolen information can be abused for identity theft, which can ruin people's lives.

People already worried about the May-July data breach won't be happy to hear that there was an earlier hack in March this year, on which we're still waiting for the full details. There's no doubt that Equifax will suffer consequences for the hack: its chief information officer and chief security officer have left, and lawyers are circling, smelling lucrative class action lawsuits.

That's ambulance-at-the-bottom-of-the-cliff stuff, which isn't much good for people whose private information is now being traded on the dark web for profit.

Equifax won't be the last massive data breach, either. I've been told to expect details, in under a week, of another leak that will make Equifax look tiny.

It's a safe bet that the new hack will be down to a rather obvious technical fumble that should never have happened, but which did. We can't really protect ourselves against that.


IT company Sun Microsystems is now gone, but its co-founder Scott McNealy was right when he said in 1999: "You have zero privacy anyway. Get over it."

I don't think McNealy imagined an immediate future in which people's privacy would be at the mercy of incompetents running increasingly powerful technology, though.