The year 2017 was marked by what could be easily called the fall of an empire. Equifax, one of the largest actors in the credit data business, was deeply breached, affecting millions of people around the world. Personal data of at least 143 million people was stolen: Social Security numbers, dates of birth and addresses, all “personally identifiable information”, or PII. A group of hackers, using highly sophisticated tools, had a whole summer to extract databases, design tools, analyze data, and avoid any detection by the Equifax security team. In less than three months, a group of people –whose motives and actions are still being investigated– were able to settle deeply into several computer systems of a company that everyone assumed safe.

The ramifications behind the violent theft of personal data extend far beyond. Millions of people having their data compromised and exposed end up paying the consequences of security problems, specific to databases, frameworks, and applications. The data becomes a gold mine for scammers, who use that information to commit more crimes.

Besides that is the legal problem of the use of our personal data, which tried to be regulated in the US with a law introduced to the Senate in 2019, which has not yet been debated.

Three years after the breach, insecurity regarding the fate of the personal data of millions of people is still lingering. There are several tools available to know if our data was stolen or not, but the uncertainty about whether the data will be used to commit crimes cannot be denied.

That is why cases like Equifax, a breach that can still happen in the future with any other entity that stores our data, allow us to understand the big picture. Analyzing the breach step by step, we can protect and prevent another one, now from both sides: consumers, and those who store our data. 

The origins of data

Our personally identifiable information (PII), or what we normally define as PII, has been extended to more and more things over time. What originally was just your Social Security Number or email address, is now your IP address, the biometrics of your face, and your geolocation. Regulations such as the GDPR in Europe have broadened that spectrum with the intention of protecting our data as broadly as possible. However, even with regulations in place, it’s probable that our data will be stolen en masse in one way or another.

A part of the information we provide to organizations is mandatory, but we give it willingly. We must give our Social Security Number to our bank to request a credit, for example. Several entities, public and private, need our personal data to function properly. Nonetheless, data has levels of importance: your email address receiving spam is not the same as someone posing as you to commit fraud using your SSN.

At the same time, there is data that we unintentionally provide. Social networks –in particular Facebook but extensive to many of the platforms we use– hide powerful biometric analysis engines. Many health entities store our medical data, also considered important, without our express authorization. In Equifax’s case, the credit company and its competitors (primarily Experian and TransUnion) have the law in their favor. The current US law gives them the power to store your date of birth, Social Security number, driver’s license number, employment and purchase history, credit card details, and a bunch of other sensitive data.

With that information in their hands, Equifax and its competitors can get a general idea of ​​our credit landscape: how much can we pay, that is. Those companies then sell that information to financial institutions in order to determine our credit value. This information is given to Equifax because we live in a society based on capital, where ordinary citizens use financial instruments, credit cards and loans, and the institutions behind those products require a centralized credit check. Equifax did not knock on our door to ask for our data: they collected it, and saved it to sell it to the highest bidder. This is important for two reasons:

1. The data that we unintentionally provide is not our responsibility.
2. Voluntary data can be safeguarded or denied, if possible.

On one hand, any person, entity or service that is responsible for our data must take charge of all eventualities within the framework stipulated by the law of each country, and the use of each platform. An example could be the use of our biometric data for criminal profiling, which requires regulation and definition. This is especially important in cases where the training of neural networks or the detection of suspects is done with data that at first glance is public –such as photos on our social networks– but that after further investigation ends up being private biometric data.

On the other hand, as citizens, it’s also our responsibility to have strict control over the data we disclose. We have to proactively prevent that our data, which we voluntarily disclose, is used to commit crimes. If someone asks us for our PII, we have the right to safeguard it, to know what they will be used for, and to deny it if we believe that our privacy may be breached.

The Equifax data breach, in short

Having defined what was lost in the Equifax data breach, it’s time to visualize what happened in broad terms.

Most studies about the subject pinpoint the responsibility of the first breach on a vulnerability in a popular enterprise backend software called Apache Struts. According to an article published by Bloomberg, it was Nike Zheng, a Chinese cybersecurity investigator, who discovered the vulnerability. He then reported it to Apache, and the company posted a fix on March 6 on its site. However, in less than 24 hours that information was already on popular hacking sites, which led to the community taking advantage of the vulnerability. Four days later, an attacker found a vulnerable machine in Atlanta, and the rest is history.

The chain reaction allowed hackers to take advantage of multiple security issues at Equifax. CSO puts it in context: “Like plane crashes, major infosec disasters are typically the result of multiple failures”. The sum of errors include, but is not limited to:

• The attackers used the vulnerability described above, which had already been disclosed but had not been patched on a multitude of company computers.
• The attackers entered a computer that served as a server for a web portal, and were able to access the rest of the infrastructure due to poor segmentation between them.
• Usernames and passwords for users and accounts were stored in plain text.
• One of the key encryption certificates in one of the security tools being used had not been renewed, allowing attackers to exfiltrate encrypted information for months.
• The gap was not disclosed by executives, which knew the consequences and even sold shares of the company.

What happened to the data?

This is where the story becomes something of a mystery. After almost all major gaps it’s possible to find the stolen data on the dark web, being sold to the highest bidder. However, the Equifax breach data, contrary to expectations, was never released to the public. 

It instead ended up on the hard drives of actors much more interested in espionage than theft. An investigation by the US government, whose results were only divulged recently, revealed the hackers were part of a Chinese military cell, which has used the stolen data to profile important people in companies and government. Such profiling would allow them –according to various theories– to identify officers in financial trouble to blackmail or bribe them, with the intent to facilitate espionage. 

Another precedent supports this theory: a New York Times investigation links the cyberattack on the Marriott hotel chain to the same effort by the Chinese government to create a financial database of politicians, businessmen and key people for profiling purposes, extortion and blackmail.

But what really happened to the Equifax data? Did it appear publicly? It was traded? According to an investigation published on CNBC, the Equifax data is “The city of Atlantis or the Holy Grail”: impossible to find. One of the researchers, who spent nearly a year and a half searching the dark web for clues about the whereabouts of the data, stated that the content of the breach was never traded. In those cases, hackers usually bet on speed: the faster they can sell illegally obtained databases, the less likely they are to be captured or that the stolen institutions will render the data useless. That is why the breached data is considered to be in the hands of the hackers who stole it or private actors such as those already mentioned in the Chinese government.

Of course, there are examples to the contrary. In the site Have I Been Pwned there is a list with dozens of data breaches, including the Yahoo breach that occurred in 2013, and whose data was sold for about $300,000 on the dark web to at least three malicious actors, two of them scammers. Another example is Tumblr, which also suffered a breach where 65 million emails and passwords were stolen, to be subsequently sold on the dark web.

What did we learn about the Equifax data breach?

Although the ramifications were not completely disastrous for the affected users, breaches such as this one allows us to pay attention to several points related to data security and privacy.

Personally identifiable information is valuable, and must be protected at all costs

Even if we are constantly redefining what is PII, personal data must be treated with the care it deserves. This goes many ways, from the user himself choosing what information to disclose, to governments pushing adequate legislation in order to protect our data from hackers and malicious actors.

Important data must be fragmented and encrypted

The classification and fragmentation of personal data in all organizations that handle it must be a key issue. It’s a step that a lot of CISO consider tedious and bureaucratic, but that allows deep control. For example, a lot of personal data could be organized into properly inventoried layers: customer data, confidential company data, and public data. In this way, a hacker with access to a web server is prevented from stealing the entire cake, instead of just a piece.

The same goes for encryption. Data hierarchy and inventory allows us to assign different levels of data protection, and to assign responsibilities for public and private keys to users and parts of the organization that need it.

If a breach occurs, report it to your users as soon as you can

This point remains a legally gray area due to the unwillingness to legislate firmly regarding data privacy. However, it should be a moral imperative to communicate to users quickly in the event of a major breach, especially if it involves personally identifiable information.

In most cases –as it was shown in the Equifax breach– all those days you think you’re “winning” by not communicating, transform into suspicious practices such as influence peddling or information concealment, which are punishable by law.

One of the most underrated aspects of work, at least before the quarantine, was the office space itself. Our modern offices have every amenity you can think of – complex coffee machines, high-quality desks and chairs, blazing fast internet, and cubicle walls to separate you from your nosey coworkers. Sadly, we won’t return to that anytime soon, and our homes aren’t quite the same (at least mine isn’t). Most of our remote work is now being done in sofas, dining rooms, and mattresses. Of course, they are comfortable enough, but are they capable of sustained use without becoming a health hazard for us?

A lot of us have been working from home for years, and we know the deal: having comfortable and useful amenities in our workplace can improve our quality of life and be beneficial to our productivity and health in the long run. Needless to say, having those amenities at home is no easy task. You need space, such as a dedicated office room or by repurposing a couple of square feet of your living room. You also need money to acquire gadgets and having them delivered to your house (we don’t condone going into stores right now).

Below, you will find a broad guide on furniture, accessories and gadgets designed to transition to a healthy home office experience. We won’t make specific product recommendations, so as with every guide on the internet, take everything you see here with a grain of salt and look around for options.

A desk

Are you working on your couch right now, or sitting in a dining chair, being interrupted by your family at lunch and dinner time? I’ve been there too many times (I still do). News flash: it’s not healthy. Couches are good for a break, but they aren’t places to do productive work. Plus, your back will give you a hard time in the long run.

Having a desk is positive in a lot of ways. It gives you a specific space to do work and be productive. In most cases, it has enough space for your laptop, a mouse and keyboard, a second screen, and most of your work equipment (unless you do design or architecture, in which case good luck trying to find space for everything). It looks way more professional, too.

Just set it in a quiet, well-lit place, and get to work. Next, you will need a place to sit, which leads to…

A comfy chair

This is the cornerstone of a healthy home office. In my first months as a freelancer, I used to work sitting on a –if you pardon my french– crappy dining chair. My back hated it so much I had to go to the doctor, and the upper and lower back pain it caused still haunts me.

If you take just one piece of advice from this article, I hope it’s this: get a good chair. Your entire body will thank you for it. If you’re able, don’t skimp on it and invest in an ergonomic chair – there are several options available on the market. If you’re not ready to make that investment or saving money for something else on this list, you can choose a cheaper option. Just follow this advice when shopping for a new one:

The backrest should cover your entire back. A perfect backrest even covers your head, and it’s totally adjustable. The most important adjustment is the lumbar support: it should follow the line of your spine to prevent sciatica, a painful and crippling condition. If your chair doesn’t have lumbar adjustments, there are back pillows that can supplement it.

It should have a height adjustment. A good office chair should let you rest your arms in 90º, parallel to the desk. It should also let you rest both feet comfortably on the ground. There are options with modifiable armrests, but for most chairs, a simple height adjustment is recommended.

The fabric should be breathable, without sacrificing comfort. There is a lot to be said about fabrics and materials, but in my personal experience, I tend to favor cheap faux leather over a mesh chair, especially for the bottom part. A mesh chair may be breathable, but no mesh can beat a good, old-fashioned cushion.

A second monitor

Our digital lives are based on multitasking, and the office is no stranger to this reality. Ten browser tabs, several other applications (i.e. Slack), a music player, and team comms open may be too much for a single screen. And of course, hunching over to a laptop screen may be disastrous for your neck. The solution? A second screen, even if you already had one (because you’re using a desktop PC).

There are quite a few alternatives out there, so the only recommendation we can make is to choose a monitor that has a good pixel density (also known as PPI or pixels per inch) relative to the resolution it supports. A good PPI range is between 95 and 100-105 PPI. The more PPI a monitor has, the smaller and denser things will look on the screen, and vice versa.

Just remember to buy the right adaptor (or the right cable) to plug it to your computer, though.

A mouse and keyboard (if you use a laptop)

Because your hands need to be healthy, too. Several tendon and muscle afflictions can be avoided by using ergonomic peripherals, and even if they aren’t ergonomic, it surely is an improvement over a laptop keyboard and touchpad.

A mouse and keyboard also let you organize your workplace better – paired with a second screen and a laptop stand, you can have a comfortable and spacious setup, and lower the risk of tendinitis, carpal tunnel syndrome, and a bunch of other afflictions.

A UPS

A power surge or outage is pretty bad news: your appliances may fail or short circuit, and you may lose a lot of work with a sudden loss of energy. An uninterrupted power supply (UPS) is a device that provides a couple more minutes of juice in case of a power disruption and may give you time to save your work or sustain an internet connection.

A common UPS uses batteries and acts as an intermediary between your house’s electrical outlets and your devices, protecting them in case of a surge and starting near-instantaneously in the case of a power outage. A word of advice, though: UPSs are not cheap, so plan accordingly.

If persistence is not your deal, just having a power strip with surge protection is a must-have.

A good audio experience

I want to delve a little deeper into three alternatives that I think are healthy and for the most part, convenient.

Headphones

Our home office environment is not always lonely, and most times our meetings and calls will end up bothering your partner, roommate, or waking up your very loud sibling. It’s one of the downsides of making your home an office, which is by definition a public place.

The best way of –at least– removing your coworkers from that equation is buying a good, quality set of headphones. I personally prefer over-ear headphones because I also like to listen to music with nicer quality, but any pair will do, as long as you control the volume and try to avoid in-ear headphones.

Conference speakers

If you prefer the classic conference experience on your home –and have an office room where you won’t bother everybody else– try a dedicated speaker. These gadgets have a set of microphones to catch multiple voices, and usually have good audio quality and are very loud.

Nothing beats having your coworkers on the same physical space. Social distancing won’t let us do that soon, though.

Earmuffs

I’ve been wanting a pair of these for years. My concentration is feeble, and audible distractions are common in my household. Music distracts me too, so the only choice is absolute silence or the nearest possible experience. Earmuffs may help reduce the ambient noise to a far, muffled sound, and keep you focused.

Takeouts

The challenges of remote work aren’t always about performance and motivation, but about health and safety. Offices –and to some extend, management and HR– take care of your health by making the office space safe and comfortable, but the experience at work can’t always be replicated at home, at least without spending your hard, earned cash on furniture and supplies.

We hope you follow our advice to ensure you and your family stay healthy, in a world where remote work and telecommuting are more and more common.