Following Equifax, Focus On Database Encryption

September 20, 2017, by Alex Woodie

    In the wake of the massive data breach at Equifax that has impacted millions of Americans, suspicions are arising that the company did not even encrypt its data. As hard as it is to believe that one of the big three credit agencies neglected to use encryption, a survey suggests that storing data in plaintext is a common business practice at the vast majority of IBM i shops.

    Despite all the news coverage of this major data breach, critical facts and details are scarce. It’s hard to know exactly what steps Equifax’s IT department took to protect its data, for the simple reason that companies tend to keep these details secret during the best of days. During the worst of days — as it is now for Equifax with civil and criminal investigations looming and the very survival of the company at stake — such information gets locked down.

    However, speculation is rising that Equifax was not encrypting the data that was ultimately stolen. The company was accused of not having encrypted the data in a lawsuit filed yesterday by the Massachusetts Attorney General, according to CNBC. The Washington Post has asked Equifax if it used encryption on this particular data, but the company has not yet responded, according to the newspaper.

    There are several things that suggest that Equifax did not encrypt its sensitive data. For starters, we know what the end result was: Hackers made off with the personally identifiable information (PII) of 143 million consumers, which included names, addresses, Social Security numbers, and some driver’s license numbers. Other cyber thieves have already begun using this data to perpetrate financial crimes on the Internet.

    For this to have happened on encrypted data, the cybercriminals would have to have been incredibly smart and able to hack not only the database server that held the data, but a secondary system that held the encryption keys (it’s really, really bad form to store encryption keys on the server that holds the data that’s encrypted).

    However, this narrative breaks down when we consider what else we know about Equifax’s security – namely, that the credit reporting giant left a security vulnerability in the Apache Struts framework in place for two months before applying a patch. The evidence suggests that the company was the victim of its own gross negligence, rather than the unfortunate plaything of uber-hackers.

    Here’s another piece of circumstantial evidence for the matter at hand: If the data was encrypted, it’s likely that Equifax would have already told us by now in an attempt to garner sympathy.

    When Adobe was hacked back in 2013, hackers made off with data from about 3 million credit cards, as well as other data on 38 million consumers. However, the credit card data was encrypted, so Adobe paid a small fine and nobody really talks about that particular incident anymore, since the damage was contained with encryption.

    If it’s true that Equifax did not encrypt this data, then it was not only an incredible breach of its fiduciary duty to consumers and likely a violation of some industry regulation, but it was also just a monumentally stupid thing to do.

    It’s simply inconceivable that Equifax did not encrypt that database, said Patrick Townsend, a security expert and CEO of Townsend Security. “It’s truly astounding to me that they would not be encrypting that data,” he told IT Jungle. “It’s just truly unbelievable that that kind of information would not be encrypted.”

    Unfortunately, leaving sensitive data unencrypted is a fairly common thing to find in the IBM i community. According to a recent Townsend Security survey, only 25 percent of IBM i shops are encrypting their data at rest, compared to 75 percent of Windows and Linux shops.

    That 75/25 split was “quite disturbing” to Townsend. Why would so many organizations take such a risk with their data? Townsend figured it’s due to a false assumption that IBM i security is superior to that of other systems.

    “IBM did such a good job of teaching the security of the IBM i system that people are somewhat lackadaisical in the IBM i community about protecting them, even though our systems are fully on heterogeneous networks and can be attacked,” Townsend said. “You don’t have to break into the i system. All you have to do is compromise a user PC, capture their credentials logging into the i, and you’ve got in.”

    The old “security through obscurity” approach is also dead in the water, according to Townsend, who said that hackers definitely know how to get at data sitting on IBM i and mainframe systems. While the core security apparatus of these IBM servers is better than that of comparable Windows and Linux systems, it’s the surrounding cast of players – usually Web servers and application servers running on Windows and Linux – that is Big Iron’s Achilles’ heel.

    Hopefully the Equifax breach serves as a wakeup call for the thousands of organizations that are running with essentially zero security on their servers, IBM i and otherwise. Here in the IBM i world, it’s not as if system admins have any legitimate excuses for not being aware of poor security. But just as the doctor tells you, it’s never too late to quit smoking. And it’s never too late to improve your security, either.

    It’s past time for IBM i shops to get serious about security, Townsend said. “The i is as exposed as any application server in our environment, and yet clearly IBM i users are not protecting that data,” he said. “I think they’re at a high risk for loss.”

    “It’s just odd because IBM did do a good job of securing the system,” he continued. “What they couldn’t do is address all the weak points that surround it. There’s a perception that the IBM i is more secure, but the reality is quite different. As all of us folks who are in the security space around IBM i know quite well, these servers are breached on a regular basis.”

    In any event, it’s probably too late for government types to point to self-regulation as the answer for our data security woes. There is a serious misalignment of incentives in place with regard to data security these days. When you consider that few consumers are Equifax’s direct customers, you realize that consumers have no leverage to demand change. What’s more, many of the banks and retailers that use Equifax’s service to judge credit worthiness have had their own data breaches that gave them temporary black eyes. After paying some fines, it’s back to business as usual.

    This could become the rallying cry for a United States version of the European Union’s General Data Protection Regulation (GDPR), which kicks into effect next May. “We are living in the Wild West here in the US. There are no incentives to properly protect information,” Townsend said. “I think there needs to be something like GDPR. There needs to be a federal law… to really move the needle.”


    One thought on “Following Equifax, Focus On Database Encryption”

    Matt Flynn says (September 21, 2017 at 11:34 am):

      I have a slightly different take on this. Certainly, data should be encrypted and maybe it wasn’t. But based on the attack model, I don’t think encryption would have helped in this scenario – http://360tek.blogspot.com/2017/09/encryption-would-not-have-saved-equifax.html

      Clearly, patching was an issue. But, I’d like to see a movement toward a continuous compliance model. Security validation isn’t a one-time thing.

TFH Volume: 27 Issue: 60