How Equifax, Fire Eye & The Darknet Threw Oil On The Breach Fire
As far as data breaches go, this one stinks of lies and extortion, happily I don’t need to tell you what happened, others do that better than I can.
*Disclaimer : This is an opinion piece.
I am not going to write about the inherent flaws with tying your entire financial identity to a social security number that we cannot protect, or even try to raise your eyebrows about the unprecedented size of the breach.
You are not here to read about how Equifax completely bungled their public response, despite having more than two months to properly prepare for it.
You are probably not here to read about how Equifax have a long history of bad cybersecurity practice and failing to fix reported vulnerabilities.
Who Is On Fire?
You came to find out who poured oil on the fire, you came to find out who is going to get burned and who will be sacrificed for the greater good.
I don't blame you, it's the only angle in this story that really interested me too, if only because we have all seen this movie so many times before.
What we have not seen before though is the lies and extortion surrounding this story that are acting as a catalyst to make this story burn brighter.
Lets start with our first red flag.
You Are Their Product, Not Their Priority
Lets ignore the fact that Equifax knew that they had an obligation to notify those affected in a timely manner if their personal details were exposed.
Equifax first discovered the breach in late May or early July, but waited more than two months to notify their customers, the site they are using to notify others about the breach (equifaxsecurity2017.com) was first registered in August, but the contents of the site were not uploaded until September.
There were very clearly in no rush at all to notify the worst affected.
When follow Equifax’s advice to sign up to their (free for 12 months) credit monitoring service in order to protect yourself from the consequences of the breach, you are unknowingly signing away your right to sue them because of the deeply unethical arbitration clause they snook into the TOS.
After the outrage, it looks like they snook in an opt out too.
I actually think this whole new website is nothing more than an attempt to get as many of their ‘customers’ to waive their rights to sue, it doesn't really appear to do anything else even when you make up names and numbers.
Even worse than this, they seem to be actively trying to profit from the fear caused by the data breach to get people who have been affected to sign up to their Credit Lock service or by charging them upto $20 for a credit freeze.
If you add all of this up, it becomes pretty clear that the hundreds of millions of people affected by the data breach are not their customers (you are their product) or their immediate priority/concern in any way.
Lies And Insider Trading?
Three very senior executives at Equifax, their (ex?) Chief Financial Officer John Gamble, their President of Information Systems Joseph Loughran and a Divisional President Rodolfo Ploder all sold millions worth of shares in a sale that wasn’t agreed with the SEC, just before the notification came.
Where before all three had Linkedin profiles, now they no longer exist and to make matters worse, all three are saying they had no idea about the breach before they sold their shares, despite being so high ranking.
I have no idea why they think deleting their profile helps, its cached anyway and just makes them all look so much more guilty, like they are hiding.
Personally I hope the new investigation into their insider trading will send them all to jail (if they are guilty) for at least a short time, if only because somebody has to be burned at the stake for this whole heap of mess.
My money is on President of Information Systems Joseph Loughran.
My theory is that a whole lot of worms are going to come out of this can and these guys knew it, cashing out their shares while the going was still good.
It’s a bold move, lets see how it plays out for them.
What Are Fire Eye & Team Mandiant Up To?
The internet spotted Brandan Schondorfer, an employee of Fire Eye publicly registering Equihax.com before the official notification went out.
Brandan is on Team Mandiant, who are ‘owned and operated’ by Fire Eye and who were brought in by Equifax to investigate the breach.
Being that these guys were the cybersecurity team who were supposed to be investigating the breach and that they are owned by Fire Eye who were supposed to be protecting Equifax, this domain registration makes sense.
We feel that Brandan was just performing a rearguard action, buying up all the domains that others may use to mock Equifax for the breach, he isn’t on fire, but he was sloppy and is probably being mocked at work by his peers.
But is that all Mandiant and Fire Eye are doing though? Who knows.
The Extortion Of Equifax
We have no real idea of who the culprits behind this attack are, suspiciously more than two months after the attack and the same day of the public notification, the stolen data was put up for sale on the darknet.
What is very curious is that the people behind it seem to want to hand the data back to Equifax in return for 600 bitcoins (approx. $3 Million).
They say they are responding only to emails from Equifax employees and their stated reason for doing so is because of the Equifax executives who sold $3 million dollars worth of shares using insider trading.
If they don't get paid, they say they will publish the whole database at that domain by September the 15th, but thats unlikely to happen in my view.
This darknet site raises a whole lot of questions though, why did they not sell the data sooner and why have we not seen the data appear for sale on the darknet markets, why do they only want to speak with Equifax?
There is something deeply fishy about this whole thing, why are the perpetrators only willing to provide samples of the data they hold to Equifax employees and nobody else? Why not just sell the data on the open market?
I think this smells like a classic psyops campaign, but under whose control?
Some say it’s a hoax, but that's just speculation really.
The timing is too coincidental and this is not how criminal darknet operators with the skills to exfiltrate that data would monetize their haul, the whole thing stinks of somebody teaching somebody else a lesson because they can.
We have not even started the state vs non state conversation yet.
*** UPDATE : If this story interests you, check out my follow up story.
