Equifax announced to the world last week that the personal information of 143 million of their customers was compromised. It also transpires that data belonging to up to 44 million British consumers is feared to be part of the hack.

A few things about this breach are disastrous and downright comical.

Zero day or no zero day...

There are quite a lot of conflicting reports on how Equifax was compromised. They all seem to agree that it was a Struts vulnerability. What isn’t clear, though, is which one. If Equifax were toppled via CVE-2017-9805, then you have to put your hands up and say that this was unfortunate for them, because it was only discovered in September, well after the attack, which is suspected to have happened in May this year. I have always been unpleasantly surprised by how old and outdated Equifax’s customer-facing portals are, though, and it wouldn’t surprise me if the back end reflected the front end. Therefore it would be more likely for it to be an earlier Struts vulnerability that was used. Only time will tell!

UK not important enough?

Secondly, Equifax has tried to provide their customers with a way of checking whether their credentials had been compromised via www.equifaxsecurity2017.com, which asks for two pieces of information: your email address and a social security number. As UK customers do not have a social security number, they have been left unable to check if their information is in the list of compromised credentials. Poor show, Equifax.

Don't worry, here's some more "protection".

And to top it all off, Equifax has offered those affected a free 1-year subscription to their identity protection product. I’ll let you pick out the immense irony in that statement, and I have a feeling there will be more customers leaving than taking up that offer – and I’m one of them.