Consumer credit rating agency Equifax disclosed on Thursday a "cybersecurity incident" that could have exposed...
the personal information of approximately 143 million U.S. consumers.
The Equifax breach, which was discovered by the credit bureau on July 29, exposed consumers' names, birth dates, Social Security numbers, addresses and even some driver's license numbers. The company also acknowledged that additional personally identifiable information (PII) was accessed by intruders, including credit card numbers for approximately 209,000 consumers and dispute documents with PII related to 182,000 consumers.
According to the company, the Equifax breach was the result of an unspecified web application vulnerability, which allowed the attackers to gain entry to the corporate network and obtain sensitive data files. Equifax said the intrusion lasted from mid-May of this year to July, but its investigation showed no evidence of unauthorized activity in the company's credit reporting database. In other words, there are currently no signs that attackers were able to obtain or manipulate consumer and commercial credit records.
Still, with the Social Security numbers and birth dates of nearly half of all Americans potentially in the wild, the Equifax breach represents one of the worst exposures of personal information to date. The incident dwarfs the 2015 breach of Experian, another one of the "big three" credit bureaus, which exposed the personal data of 15 million consumers.
"This is the biggest fear of any company that collects such intimate and personal data of people come true," Richard Henderson, global security strategist at Absolute Software, told SearchSecurity. "This is a motherlode of information for cybercriminals looking to commit identity theft. We have to expect that the fallout from this will likely be unprecedented."
Equifax breach response
Equifax Chairman and CEO Richard Smith issued a video statement on the incident, though questions remain about key details.
"We acted immediately to stop the intrusion, and we promptly engaged a leading, cybersecurity firm, which has been conducting a comprehensive forensic review to determine the scope of the intrusion," Smith said. "This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do."
However, Smith didn't say which cybersecurity firm Equifax was working with, what web application vulnerability was used in the attack, or why it took five weeks from the date of the breach discovery to notify consumers. There was also no explanation from the company about why sensitive files with personal data for so many Americans were accessible to the attackers.
In a blog post, Morey Haber, vice president of technology at identity management vendor BeyondTrust, called attention to PCI DSS requirements and questioned whether or not Equifax was compliant at the time of the breach. "PCI DSS requires file integrity monitoring (FIM)," Haber wrote. "Were the sensitive files being monitored? Is that how Equifax discovered the breach? This implies monitoring only and no prevention."
Equifax's breach response has also come under scrutiny. While Smith pledged to offer every U.S. consumer free credit monitoring and identity theft protection through its TrustedID service, agreeing to the terms of service for TrustedID requires users to waive their rights to file class action lawsuits against Equifax.
In addition, the credit rating company created a website for consumers to check if their personal data was exposed, but the website is rife with problems. For example, it runs on WordPress, a content management system that has been a favorite target of hackers. More importantly, the site's TLS certificate doesn't do the proper revocation checks, and the domain itself isn't even registered to Equifax.
Learn more about common web application login weaknesses
Read about how enterprises can reduce the risk of data breaches
Discover why ransomware has shifted to destruction of service attacks