CBS 2’s Irika Sargent reports on the Equifax security breach.
On Friday September 8, 2017, Equifax announced a cybersecurity hacking incident potentially affecting about 143 million U.S. consumers. Some British and Canadian citizens were also compromised. According to census.gov, the US population is over 325,860,000 people on September 13, 2017.
Information accessed by the hacker (or hackers) in the breach includes first and last names, Social Security numbers, birth dates, addresses and driver’s license numbers. Credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were also accessed.
Following Equifax’s announcement of the May-July 2017 breach, Equifax’s actions received widespread criticism over the delay from discovery to disclosure, and because Equifax did not immediately reveal whether PINs and other sensitive information items were actually compromised.
Equifax responded that the delay was due to the time needed to determine the scope of the intrusion and the large amount of personal data involved in the breach.
The breach was reported to have begun in mid-May 2017 and was not discovered until July 29, 2017; several media companies advised consumers to request a credit freeze to reduce its impact.
Equifax offered a website (equifaxsecurity2017.com) with an on-page tool for consumers to learn whether they were victims of the breach. Analysts reported the tool returned random results even for fictional names and fictional Social Security numbers. The tool is reached through a barely noticeable “click here” link in the following sentence at the top of the page: “To enroll in complimentary identity theft protection and credit file monitoring, click here.” The on-page tool requires users to enter their last name and the last six digits of their Social Security number. Critics of the fictional-persons test say Equifax does not have a complete list of all people and their Social Security numbers, so Equifax was basically correct to throw bogus information back at the fictional tests. Otherwise, if the tool replied that a particular last name and Social Security number did not exist, the positive and negative hits could be added to an inventory of information used for the criminal purpose of finding individuals’ Social Security numbers.
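As an added illustration of the enumeration concern described above (this is not code from Equifax’s tool; the record set, names and query budget are constructed assumptions), a lookup that answers “affected / not affected” is shown beside one that returns the same text for every query and delivers the real outcome out of band:

```python
from collections import defaultdict

# Constructed sample of what a breach-lookup backend might hold (assumption;
# not Equifax data). Keys are (LAST_NAME, last six SSN digits).
AFFECTED = {("DOE", "456789"), ("SMITH", "123456")}

UNIFORM_RESPONSE = ("Thank you. If our records indicate you may be affected, "
                    "we will notify you at the contact details on file.")


def leaky_check(last_name, ssn_last6):
    """Oracle-style design: the visible answer depends on whether the record
    exists, so every query confirms or rules out a (name, digits) guess."""
    hit = (last_name.upper(), ssn_last6) in AFFECTED
    return "affected" if hit else "not affected"


class NonOracleLookup:
    """Same response for every query; the real outcome goes out of band, and
    each last name gets a small query budget before records stop being read."""

    def __init__(self, max_queries_per_name=3):
        self.budget = max_queries_per_name
        self.counts = defaultdict(int)
        self.outbox = []  # stands in for a mail/postal notification queue

    def check(self, last_name, ssn_last6):
        if not (ssn_last6.isdigit() and len(ssn_last6) == 6):
            return UNIFORM_RESPONSE  # malformed input gets the same text too
        key = last_name.upper()
        self.counts[key] += 1
        # Over-budget queries still get the uniform text; records are not read.
        if self.counts[key] <= self.budget and (key, ssn_last6) in AFFECTED:
            self.outbox.append((key, "enrollment notice"))
        return UNIFORM_RESPONSE


def distinguishable(check, query_a, query_b):
    """True if two queries produce different visible responses, i.e. the
    endpoint can be used to tell a real record from a fictional one."""
    return check(*query_a) != check(*query_b)
```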
Additionally, the website had security flaws of its own: initially equifaxsecurity2017.com was not registered to Equifax (now it is), and the website had a flawed implementation of TLS (the cryptographic protocol for secure communications). The website was also using a configuration of the ubiquitous, free and open source WordPress software deemed unsuitable for high-security applications. The security flaws with the website were so glaring that Cisco-owned OpenDNS blocked it, suspecting that the website was a phishing site.
Equifax blamed a security hole in a popular open-source software package called Apache Struts, a claim that has not been verified or proven. The hackers would have had to exploit a security hole immediately after discovering it on their own, or else exploited an industry-known weakness on an Equifax server that was not properly patched. The explanation was provided by ZDNet, regarding a statement by The Apache Struts Project Management Committee.
Equifax corrected the website registration issue, taking control of the website, and also created a prominent link to equifaxsecurity2017.com at the top of its official website (equifax.com).
Regardless of whether a consumer’s information may have been impacted, Equifax is providing consumers the option to enroll in “TrustedID Premier” identity theft protection and credit file monitoring service.
According to Equifax, investigators have found no evidence of “unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.” Equifax has engaged with an independent cybersecurity firm to conduct a forensic review of the intrusion, and law enforcement officials are also investigating.
According to Bloomberg News, three Equifax executives were permitted to sell more than $1.8 million worth of stock in the days following the July 29, 2017 discovery of the breach. The company said on Thursday September 7, 2017 that CFO John Gamble, President of U.S. Information Joseph Loughran, and President of Workforce Solutions Rodolfo Ploder were not informed about the security breach before the shares were sold.
Equifax is the oldest of the three largest United States credit agencies — Equifax, Experian, and TransUnion.
See also …
Bloomberg Three Equifax Managers Sold Stock Before Cyber Hack Revealed
Sen. Mark Warner (D-Virginia) discusses the massive data breach at Equifax and whether the credit reporting firm should be held liable by the U.S. government — calls it a “Category 4 or Category 5 Cyber hack.” The waiver of liability that was established for people who used a free tool to see if they were at risk has been disallowed and discontinued.
Equifax said on Thursday September 7, 2017 that it suffered a major cybersecurity incident that might affect 143 million consumers in U.S.