US Credit Monitoring Service Breached

U.S.-based consumer credit reporting agency Equifax Inc. (one of the three largest credit agencies) has fallen victim to a data breach in which the personally identifiable information of at least 143 million U.S. citizens (almost half the U.S. population) has purportedly been stolen.

The company allows you to check your credit report and credit score. By virtue of this service, it holds vast amounts of personal information about millions of citizens. In the wrong hands, this information is tantamount to a blank cheque for identity theft. In reports, Equifax states that hackers may have accessed names, addresses, birth dates, social security numbers, and driver's license numbers. In addition, it is possible that hackers gained access to the credit card numbers of about 209 000 customers, and may also have accessed credit dispute documents of 182 000 people. It has also been reported that the breach was not limited to the U.S., but also affected many U.K. and Canadian residents.

The breach lasted from mid-May to the end of July, when it was eventually detected and stopped. An independent cybersecurity firm was enlisted to assess the impact. It took Equifax until 7 September 2017 to publicly announce the attack.

Equifax has established a website to enable consumers to check whether they were affected by the breach, offering a year's free credit monitoring and identity theft protection to its customers. The site is hosted by none other than TrustedID, a subsidiary of Equifax itself, meaning that Equifax is asking for the public's trust once again. TrustedID does, however, provide 3-bureau credit monitoring (with Equifax, Experian and TransUnion), so it does not rely solely on Equifax's own information. Still, as reported by ZDNet, the checker on this new site does not appear to be functioning correctly either. A Twitter user noted that entering "Test" as the surname and "123456" reveals that the entry is valid, and that this person may have been impacted. It may be that test data exists in the database, but this in itself is worrying, as it highlights carelessness. Several people have also indicated that entering the same data multiple times yields differing results. Equifax has subsequently stated that the issues with the site have been resolved and encourages consumers to re-check their details.

To compound matters, TrustedID’s terms of use for the website seemed to suggest that to sign up, you waive your right to sue the company. Apparently that clause was only in reference to using the site itself and not related to the breach. This was cleared up after New York Attorney General Eric Schneiderman weighed in by stating: “This language is unacceptable and unenforceable”. As reported by Engadget, Equifax responded with clarification on its policy, indicating “The arbitration clause and class action waiver included in the TrustedID Premier Terms of Use applies only to the free credit file monitoring and identity theft protection products and not the cybersecurity incident

According to The New York Post, Equifax believes the breach was caused by hackers exploiting a flaw in Apache Struts, the web application framework running on its Apache web servers. The Apache Software Foundation issued a response to this in a blog post.

Bloomberg reports that Equifax now faces multiple federal investigations, and that a class action lawsuit has been filed. In its annual report, Equifax expressed the belief that its cyber insurance may not be sufficient:

"Our property and business interruption insurance may not be adequate to compensate us for all losses or failures that may occur," Equifax said in the filing. "Also, our third-party insurance coverage will vary from time to time in both type and amount depending on availability, cost and our decisions with respect to risk retention."

By the 8th of September, news of the data breach had driven its share price down by almost 14%.

One can never fully estimate the cost of a data breach. For some it means going out of business where the level of trust that customers had in that organization is never recovered.

In the last few years there have been several major breaches resulting in the theft of large amounts of data. Below are just a few examples (courtesy of Information is Beautiful):

  • Target – 12 million – 2015
  • Adult Friend Finder – 412 million – 2016
  • JP Morgan Chase – 76 million – 2014
  • eBay – 145 million – 2014
  • Yahoo – 1 billion – happened 2013, disclosed 2016

Breaches can be caused by many factors, some acting in combination with others. One example is SQL injection: the ability to inject SQL queries directly through web forms. This can be blocked by proper coding practices that validate the input and keep it separate from the actual queries sent to the database. Another example is a web server's database service account that is not restricted to only the data it requires to perform its tasks. Some databases are left directly accessible from the Internet with little or no security; MongoDB databases are a well-known example. These databases come with full security models, but designers and admins fail to enable these features when moving from development to production, despite numerous guides, tutorials, manual pages, and a checklist. eBay's breach was said to be due to hackers obtaining the credentials of a small number of employees and then using these to access a database containing user records.
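The two coding-side causes named above, unvalidated input concatenated into SQL and an over-privileged database service account, are illustrated by the following added example. It is not code from the post or from Equifax; it uses Python's standard sqlite3 module with a constructed in-memory table, and because SQLite has no user accounts it emulates a least-privilege service account with SQLite's statement authorizer, which refuses any column read the account was not granted (the table, column names and sample rows are all assumptions made for the demonstration):

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: two users with a SSN column the web tier should never need."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "000-00-0001"), ("bob", "hash-b", "000-00-0002")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The injection pattern: the form field is pasted straight into the SQL text,
    so a value containing a quote rewrites the WHERE clause instead of matching it."""
    sql = "SELECT username, ssn FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the value travels to the engine separately from the SQL
    text, so whatever it contains it can only ever be compared as a string."""
    return conn.execute(
        "SELECT username, ssn FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allow-list validation at the form boundary (assumed username policy).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def validate_username(username):
    """Reject anything outside the allowed character set before it reaches the database."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allowed set")
    return username


def restrict_to_columns(conn, table, allowed_columns):
    """Emulate a least-privilege service account: this connection may SELECT only the
    listed columns of `table`; every other action or column read is refused when the
    statement is prepared (in a real RDBMS this is a GRANT on a dedicated account)."""

    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 == table and arg2 in allowed_columns:
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)


def lookup_ssn_as_service(conn, username):
    """What a compromised web tier could pull: returns rows, or None if the
    account's privileges do not cover the ssn column."""
    try:
        return conn.execute(
            "SELECT ssn FROM users WHERE username = ?", (username,)
        ).fetchall()
    except sqlite3.DatabaseError:  # SQLITE_AUTH surfaces as DatabaseError
        return None


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input that breaks out of the quoted literal
    print("vulnerable:", lookup_vulnerable(db, probe))   # every row comes back
    print("parameterized:", lookup_safe(db, probe))       # no row has that literal name
    restrict_to_columns(db, "users", {"username"})
    print("ssn as service account:", lookup_ssn_as_service(db, "alice"))  # None
```

The validation and the parameterized query are complementary: the allow-list stops malformed input at the edge, while parameterization guarantees that even input which slips through is treated as data. The authorizer shows the third layer the post mentions: when the service account cannot read the ssn column at all, a successful injection against the web tier still cannot exfiltrate it.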

Some breaches can be due to zero-day vulnerabilities, and others to vendors taking their time in releasing patches after vulnerabilities are discovered. Long patch cycles and a lack of basic security understanding are, however, common in many organizations. Whatever the cause, organizations need to be on top of their cybersecurity management game:

  • Employees need to be trained, kept regularly informed and tested.
  • Developers and Administrators need to see the big picture and understand how and where security is required, and implement accordingly.
  • Security engineers need to regularly test their defences using up to date tools and methods, as well as continuously monitor their environment for anomalous activity.
  • IT managers need to keep on top of their governance, risk management, and compliance requirements with regular audits.


Andrew Smith

Andrew is a senior systems engineer with over 20 years' experience in corporate and small business environments. This includes consulting for large ICT service providers. He has supported systems at every level in the organization, including infrastructure, operating systems, applications, and perimeter protection. He also collaborates with software development teams on web, database, and infrastructure security. Andrew has co-founded multiple ICT businesses, where he advises on cybersecurity strategies and policies. Andrew has a 3-year National Diploma in Electronics (light current).
