The reason you can’t buy a car is the same reason that your health insurer let hackers dox you

[Image: A Depression-era photo of a used car lot with three cars for sale. It has been hand-tinted. The sky has been replaced with a 'code waterfall' effect as seen in the credit sequences of the Wachowskis' 'Matrix' movies. All of the car headlights have been replaced with the hostile red eye of 'HAL 9000' in Kubrick's '2001: A Space Odyssey.']

Image: Cryteria (modified) https://commons.wikimedia.org/wiki/File:HAL9000.svg

CC BY 3.0 https://creativecommons.org/licenses/by/3.0/deed.en

On July 14, I’m giving the closing keynote for the fifteenth HACKERS ON PLANET EARTH, in QUEENS, NY. Happy Bastille Day! On July 20, I’m appearing in CHICAGO at Exile in Bookville.


In 2017, Equifax suffered the worst data-breach in world history, leaking the deep, nonconsensual dossiers it had compiled on 148m Americans and 15m Britons (and 19k Canadians) into the world, to form an immortal, undeletable reservoir of kompromat and premade identity-theft kits:

https://en.wikipedia.org/wiki/2017_Equifax_data_breach

Equifax knew the breach was coming. It wasn’t just that their top execs liquidated their stock in Equifax before the announcement of the breach – it was also that they ignored years of increasingly urgent warnings from IT staff about the problems with their server security.

Things didn’t improve after the breach. Indeed, the 2017 Equifax breach was the starting gun for a string of more breaches, because Equifax’s servers didn’t just have one fubared system – they were composed of pure, refined fubar. After one group of hackers breached the main Equifax system, other groups breached other Equifax systems, over and over, and over:

https://finance.yahoo.com/news/equifax-password-username-admin-lawsuit-201118316.html

Doesn’t this remind you of Boeing? It reminds me of Boeing. The spectacular 737 Max failures in 2018 weren’t the end of the scandal. They weren’t even the scandal’s start – they were the tipping point, the moment in which a long history of lethally defective planes “breached” from the world of aviation wonks and into the wider public consciousness:

https://en.wikipedia.org/wiki/List_of_accidents_and_incidents_involving_the_Boeing_737

Just like with Equifax, the 737 Max disasters tipped Boeing into a string of increasingly grim catastrophes. Each fresh disaster landed with the grim inevitability of your general contractor texting you that he’s just opened up your ceiling and discovered that all your joists had rotted out – and that he won’t be able to deal with that until he deals with the termites he found last week, and that they’ll have to wait until he gets to the cracks in the foundation slab from the week before, and that those will have to wait until he gets to the asbestos he just discovered in the walls.

Drip, drip, drip, as you realize that the most expensive thing you own – which is also the thing you had hoped to shelter for the rest of your life – isn’t even a teardown, it’s just a pure liability. Even if you razed the structure, you couldn’t start over, because the soil is full of PCBs. It’s not a toxic asset, because it’s not an asset. It’s just toxic.

Equifax isn’t just a company: it’s infrastructure. It started out as an engine for racial, political and sexual discrimination, paying snoops to collect gossip from nosy neighbors, which was assembled into vast warehouses full of binders that told bank officers which loan applicants should be denied for being queer, or leftists, or, you know, Black:

https://jacobin.com/2017/09/equifax-retail-credit-company-discrimination-loans

This witch-hunts-as-a-service morphed into an official part of the economy, the backbone of the credit industry, with a license to secretly destroy your life with haphazardly assembled “facts” about your life that you had the most minimal, grudging right to appeal (or even see). Turns out there are a lot of customers for this kind of service, and the capital markets showered Equifax with the cash needed to buy almost all of its rivals, in mergers that were waved through by a generation of Reaganomics-sedated antitrust regulators.

There’s a direct line from that acquisition spree to the Equifax breach(es). First of all, companies like Equifax were early adopters of technology. They’re a database company, so they were the crash-test dummies for every generation of database. These bug-riddled, heavily patched systems were overlaid with subsequent layers of new tech, with new defects to be patched and then overlaid with the next generation.

These systems are intrinsically fragile, because things fall apart at the seams, and these systems are all seams. They are tech-debt personified. Now, every kind of enterprise will eventually reach this state if it keeps going long enough, but the early digitizers are the bow-wave of that coming infopocalypse, both because they got there first and because the bottom tiers of their systems are composed of layers of punchcards and COBOL, crumbling under the geological stresses of seventy years of subsequent technology.

The single best account of this phenomenon is the British Library’s postmortem of their ransomware attack, which is also in the running for “best hard-eyed assessment of how fucked things are”:

https://www.bl.uk/home/british-library-cyber-incident-review-8-march-2024.pdf

There’s a reason libraries, cities, insurance companies, and other giant institutions keep getting breached: they started accumulating tech debt before anyone else, so they’ve got more asbestos in the walls, more sagging joists, more foundation cracks and more termites.

That was the starting point for Equifax – a company with a massive tech debt that it would struggle to pay down under the most ideal circumstances.

Then, Equifax deliberately made this situation infinitely worse through a series of mergers in which it bought dozens of other companies that all had their own version of this problem, and duct-taped their failing, fucked up IT systems to its own. The more seams an IT system has, the more brittle and insecure it is. Equifax deliberately added so many seams that you need to be able to visualize additional spatial dimensions to grasp them – they had fractal seams.

But wait, there’s more! The reason to merge with your competitors is to create a monopoly position, and the value of a monopoly position is that it makes a company too big to fail, which makes it too big to jail, which makes it too big to care. Each Equifax acquisition took a piece off the game board, making it that much harder to replace Equifax if it fucked up. That, in turn, made it harder to punish Equifax if it fucked up. And that meant that Equifax didn’t have to care if it fucked up.

Which is why the increasingly desperate pleas for more resources to shore up Equifax’s crumbling IT and security infrastructure went unheeded. Top management could see that they were steaming directly into an iceberg, but they also knew that they had a guaranteed spot on the lifeboats, and that someone else would be responsible for fishing the dead passengers out of the sea. Why turn the wheel?

That’s what happened to Boeing, too: the company acquired new layers of technical complexity by merging with rivals (principally McDonnell-Douglas), and then starved the departments that would have to deal with that complexity because it was being managed by execs whose driving passion was to run a company that was too big to care. Those execs then added more complexity by chasing lower costs by firing unionized, competent, senior staff and replacing them with untrained scabs in jurisdictions chosen for their lax labor and environmental enforcement regimes.

(The biggest difference was that Boeing once had a useful, high-quality product, whereas Equifax started off as an irredeemably terrible, if efficient, discrimination machine, and grew to become an equally terrible, but also ferociously incompetent, enterprise.)
