Frank Abagnale, an FBI cybersecurity specialist and identity fraud expert, told CRN that the massive breach at credit reporting agency Equifax is a simple case of a company failing to patch and update critical infrastructure.
"The breach was caused because Equifax didn't do what they were supposed to do," said Abagnale, who has consulted with the FBI on most of the major cybersecurity breaches in the last 15 years including Equifax. "They didn't update their technology. They didn't fix their patches. Their sloppiness caused a hacker to access the data. So they were negligent."
Equifax, for its part, has blamed what it has called a "U.S. website application vulnerability" for the breach of the personal information of 145 million consumers and of the credit card numbers of approximately 209,000 US consumers.
The breach also resulted in the exposure of what the credit monitoring company has called certain dispute documents with personal information of 182,000 US consumers.
Abagnale said for a company the size of Equifax not to "be keeping their technology up to date is absurd."
In response to Abagnale's criticism, Equifax told CRN that it has been "transparent and comprehensive" in its reporting on the scope of the breach.
"We continue to remain focused on strengthening security," the company said in the statement provided to CRN. "We have taken a number of steps to improve our data security infrastructure such as hardening our networks, changing our procedures to require “closed loop” confirmation when software patches are applied, rolling out new vulnerability scanning tools, and increasing accountability mechanisms for our security and IT teams. Our mission is to rebuild trust with consumers."
Abagnale, the teenage check forger turned FBI agent who was popularized in the film "Catch Me If You Can," called the Equifax breach the worst he has ever seen. "This is your name, social security number, date of birth," said Abagnale. "If I can become you it is only limited to my imagination what I can do as you."
Equifax has said the breach occurred from mid-May through July 2017. "In those two or three months that the hacker was in those systems they should have caught that," said Abagnale, confirming he was consulted on the breach by the FBI. "But they didn't. Again it was their negligence that caused that breach to occur. Now you have a lot of people who have had their identities stolen."
Abagnale said he expects the final number of Americans impacted by the breach will rise significantly. "Companies always come in with a low number first and eventually you find out it is a lot higher than that," he said.