Equifax: website vulnerability exposed 143m US consumers
8 September 2017
Equifax, one of the largest credit bureaus in the US, has said that an application vulnerability on one of its websites led to a data breach that exposed about 143 million consumers. The breach was discovered on 29 July but the company says that it likely started in mid-May.
“Criminals exploited a US website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorised access occurred from mid-May through July 2017. The company has found no evidence of unauthorised activity on Equifax’s core consumer or commercial credit reporting databases,” the company said in a statement.
The statement goes on to say that those responsible for the data breach accessed records containing social security numbers, birth dates, addresses, and in some cases driver’s license numbers.
Moreover, 209,000 consumers also had their credit card data exposed. The data breach also included “certain dispute documents with personal identifying information for approximately 182,000 US consumers”.
“As part of its investigation of this application vulnerability, Equifax also identified unauthorised access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted,” the company says.
Equifax has launched a website (www.equifaxsecurity2017.com) for those potentially impacted, and will offer credit monitoring to all US consumers. The company will also be contacting those directly impacted via USPS with additional details.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologise to consumers and our business customers for the concern and frustration this causes,” said Richard F Smith, chairman and chief executive officer, in a statement.
The company has hired a forensics firm to help with the investigation and offer guidance on preventing such a data breach from happening again.
“I’ve told our entire team that our goal can’t be simply to fix the problem and move on. Confronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognise we must do more. And we will,” Smith added.
Given the scale of this breach, the industry has been quick to respond.
Security firm Sophos has pointed out that various security experts have advised people to place a security freeze on their credit files with Equifax.
“After this incident, it’s time for the reporting agencies to step up and make freezing and thawing effortless. How about an app that operates like today’s easy-to-use push notification multi-factor authentication systems? I’d forgo my participation in the coming class-action suit if they would instead agree to that,” said Joe Levy, CTO, Sophos.
“This breach does serve as a further reminder to other organisations holding personally identifiable information (PII) of this scale and nature to closely examine their own security policies. While we don’t yet have technical details of how the breach occurred, other than the likely candidate being via a website application vulnerability, companies should examine security practices such as holding unencrypted data in central repositories, the security processes around APIs, and the implications of upcoming regulations and how it affects those practices,” said Carl Leonard, principal security analyst, Forcepoint.
Leonard added that, since EU citizens are potentially impacted too, GDPR looms large in the implications.
“Once GDPR legislation comes into force in May 2018, any breach impacting any European resident’s PII (as this breach does) will need to be reported within 72 hours, or companies can face fines of up to €10 million or two per cent of global turnover, whichever is higher. These potential financial impacts will certainly drive international businesses to examine their security incident response and reporting processes very closely, as a breach such as Equifax, which was announced six weeks after discovery, would have a different outcome in a year’s time,” said Leonard.
IDG News Service and TechCentral Reporters