Credit reference agencies faulted for poor patching

Experian and Annual Credit Report.com – an organization set up by Equifax, Experian and Transunion to meet US consumer finance regulations – left themselves exposed to a serious vulnerability in Apache Struts earlier this year. The security shortcoming raises important questions following the disclosure of a mega-breach at …

  1. ma1010
    Flame

    If Experian failed to patch...

    ...then I hope they get their hind legs sued off. I'm one of the poor buggers whose info is now public domain thanks to them. What kind of security people do these idiots have working for them? I heard that they hired a security firm AFTER they were penetrated. WTF?

    You folks in the EU are lucky with the new data protection laws coming over there. If we had those laws here, and they were in effect now, Experian would likely be going bankrupt, as it deserves if it was penetrated due to a known, but unpatched vulnerability.

    1. sanmigueelbeer

      Re: If Experian failed to patch...

      If we had those laws here, and they were in effect now, Experian would likely be going bankrupt

      Laws in the US make it easy (very, very easy) to do a "phoenix": They shut down the named business and resurrect with a new name even if the premises remain the same.

      I suspect Experian is seriously contemplating doing exactly that if their stocks tank.

      What is needed is a more stringent form of "security breach" disclosure. The time frame to announce a security breach should not be in months or years (like Yahoo!). Security breaches must be announced to the public in a matter of days after the breach, regardless of "ongoing investigation". It gets more relevant when the impact involves personal information.

      1. DryBones

        Re: If Experian failed to patch...

        Needs to be harder to recover / transfer the assets after folding the business.

      2. just_me

        Re: If Experian failed to patch...

        --snark on--

        They need to hold off announcing it because they need to check with multiple 3-letter organizations to make sure that they did not do the hack to obtain information (that they are not supposed to have) for which they don't have a warrant (because they have no right to the info, no probable cause and therefore would not be able to obtain a warrant). It also gives time for those same 3-letter organizations to organize a cover-up of the break so it looks like nothing happened (even though they got caught with their fingers in the proverbial cookie jar).

        --snark off--

    2. Anonymous Coward

      Re: If Experian failed to patch...

      Experian or Equifax? Experian did have a data breach of c15m records back in 2015, this latest effort is Equifax.

      Experian plc is an Irish listed company, but the track record of the Irish government (eg on tax) suggests they'll not be subject to too much pain from future data protection laws in their home country. The British government don't seem in any hurry to deliver savage kickings over data protection, either. Only if they manage to lose French or German citizens' data might Experian and others find that they get a beating they remember.

  2. macaroo

    Damage control takes time to organize. Also it gave management time to sell their stock.

  3. 0laf
    FAIL

    What's new? Big supplier/company fails to invest in development. Sits on its products and services as long as possible to avoid paying for development. Then runs around like headless chickens at the point they get caught out.

    I had an uncomfortable conversation with a supplier just yesterday when we discovered a 12-year-old vulnerability in their product. Their initial response being 'we've no plans to fix' and 'WE don't think it's a risk'.

    Same shit different day.

  4. Anonymous Coward

    Cashless

    We all know how easily bank and commercial systems can be penetrated and frauds committed. It seems the convenience factor of the cashless society is for the benefit of the fraudsters. With this data I could be left literally cashless.

    Let's have a cash-only day to show our discontent every month. The retailers will soon complain to the banks when they lose sales after you refuse to pay by any other method and explain why. This includes refusing to use any form of online shopping. That would be truly disruptive.

    Does anyone have a suitable date to propose?

    1. Fatman
      Joke

      Re: Cashless

      "Does anyone have a suitable date to propose?"

      In another article on El Reg, I proposed "Black Friday" (for obvious reasons).
