Equifax reveals cybersecurity incident involving consumer information after criminals gained access to certain files

Equifax announced Thursday a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files.

Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

Equifax discovered the unauthorized access on July 29, 2017 and acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted.

Equifax also reported the criminal access to law enforcement and continues to work with authorities. While the company’s investigation is substantially complete, it remains ongoing and is expected to be completed in the coming weeks.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.

This isn’t the first major Equifax breach: in 2013 Equifax uncovered cases where hackers gained illegal access to user information, and credit reports, purportedly on famous people ranging from Michelle Obama to Paris Hilton, were posted online.

As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.

Equifax has established a dedicated website to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection. The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers – all complimentary to U.S. consumers for one year.

The website also provides additional information on steps consumers can take to protect their personal information. Equifax recommends that consumers with additional questions visit www.equifaxsecurity2017.com or contact a dedicated call center at 866-447-7559, which the company set up to assist consumers. The call center is open every day (including weekends) from 7:00 a.m. – 1:00 a.m. Eastern time.

In addition to the website, Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted. Equifax is also in the process of contacting U.S. state and federal regulators and has sent written notifications to all U.S. state attorneys general, which includes Equifax contact information for regulator inquiries.

Equifax has engaged a leading, independent cybersecurity firm to conduct an assessment and provide recommendations on steps that can be taken to help prevent this type of incident from happening again.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said chairman and chief executive officer, Richard F. Smith. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.”

BeyondTrust’s vice president of technology, Morey Haber, asks the following questions in his blog post: Was the web application vulnerability known, or was it a zero-day exploit? If it was known, how old was it and why wasn’t it remediated? If it was a zero-day, please educate the security community so “we can protect our own websites.” PCI DSS requires File Integrity Monitoring (FIM): were the sensitive files being monitored, and is that how Equifax discovered the breach? If so, that implies monitoring only and no prevention. How did Equifax determine the breach, and were the systems in question within PCI scope? “I certainly believe so, since credit card information was obtained and they appear from initial reports to be complete PANs.”

“These facts, and many more, are critical to understand what happened,” said Morey Haber, vice president of technology at BeyondTrust. “I hope they come to light soon, and as with any larger breach involving payment and card data, it remains to be seen what monetary and punitive damages Equifax will face from the PCI council.”

“Equifax’s breach is yet another data point (albeit a massive one) in the new reality of ‘continuously compromised’ organizations. Make no mistake about it: these breaches will continue to happen and make headlines,” said Anthony Di Bello, senior director of product at Guidance. “Our research found that one in four businesses suffered direct financial losses due to a cyber attack in the past year (and organizations reporting ‘significant financial losses’ tripled). Almost two-thirds had fallen victim to malware-related breaches. We’re in a new reality where it’s not just ‘will my company get breached?’ but a question of when. Fighting back requires a well-planned endpoint detection and response strategy that can mitigate the otherwise crippling repercussions businesses are increasingly seeing from these cyberattacks.”

WWPI – Covering the best in IT since 1980