U.S.-based consumer credit reporting agency Equifax Inc. (one of the three largest credit agencies) has fallen victim to a data breach in which personally identifiable information of at least 143 million U.S. citizens (almost half the U.S. population) has purportedly been stolen.
The company allows you to check your credit report and credit score. By virtue of this service, it has access to vast amounts of personal information about millions of citizens. In the wrong hands, this information is tantamount to a blank cheque for identity theft. In reports, Equifax is stating that hackers may have accessed names, addresses, birth dates, social security numbers, and driver's license numbers. In addition, it is possible that hackers gained access to the credit card numbers of about 209 000 customers, and may also have accessed credit dispute documents of 182 000 people. It has also been reported that the breach was not limited to the U.S., but also affected many U.K. and Canadian residents.
The breach lasted from mid-May to the end of July, when it was eventually detected and stopped. An independent cybersecurity firm was enlisted to assess the impact. It took Equifax until 7 September 2017 to publicly announce the attack.
Equifax has established a website to enable consumers to check whether they were affected by the breach, offering a year's free credit monitoring and identity theft protection to its customers. The site is hosted by none other than TrustedID, a subsidiary of Equifax itself, meaning that Equifax is asking for public trust again. Fortunately, TrustedID does do 3-bureau credit monitoring (with Equifax, Experian and TransUnion), so it does not rely solely on its own information. However, as reported by ZDNet, the checker on this new site does not appear to be functioning correctly either. A Twitter user noted that entering "Test" as the surname and "123456" returns a result saying the entry is valid and that this person may have been impacted. It may be that test data exists in the database, but this in itself is worrying as it highlights carelessness. Several people have also indicated that entering the same data multiple times yields differing results. Equifax has subsequently stated that the issues with the site have been resolved and encourages consumers to re-check their details.
According to The New York Post, Equifax believes the breach was caused by hackers exploiting a flaw in the Apache Struts framework running on its web servers. The Apache Software Foundation issued a response to this in a blog post that can be found here.
Bloomberg reports that Equifax now faces multiple federal investigations, and that a class action lawsuit has been filed. In its annual report, Equifax expressed the belief that its cyber insurance may not be sufficient:
“Our property and business interruption insurance may not be adequate to compensate us for all losses or failures that may occur,” Equifax said in the filing. “Also, our third-party insurance coverage will vary from time to time in both type and amount depending on availability, cost and our decisions with respect to risk retention.”
By the 8th of September, news of the data breach had driven Equifax's share price down by almost 14%.
One can never fully estimate the cost of a data breach. For some organizations it means going out of business, because the trust that customers placed in them is never recovered.
In the last few years there have been several major breaches resulting in the theft of large amounts of data. Below are just a few examples (courtesy of Information is Beautiful):
- Target – 12 million – 2015
- Adult Friend Finder – 412 million – 2016
- JP Morgan Chase – 76 million – 2014
- eBay – 145 million – 2014
- Yahoo – 1 billion – happened 2013, disclosed 2016
Breaches can be caused by many factors, some in combination with others. One example is SQL injection: the ability to inject SQL fragments into a database query through web form input. This can be blocked by proper coding methods that validate the input and keep it separate from the actual queries sent to the database (for example, by binding it as a parameter rather than concatenating it into the query text). Another example is a web server's database service account that is not restricted to only the data it requires to perform its tasks. Some databases are left directly accessible to the Internet with little or no security; MongoDB databases are a well-known example. These databases come with full security models, but designers and admins fail to enable these features when moving from development to production, despite numerous guides, tutorials, manual pages, and a checklist. eBay's breach was said to be due to hackers obtaining the credentials of a small number of employees and then using these to access a database containing user records.
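To make the SQL injection point concrete, here is an added example (not code from the original post or from any of the companies mentioned) showing a form-input lookup written the vulnerable way beside the hardened version, plus the input validation the text recommends. It uses an in-memory SQLite table with constructed sample rows; `users`, `lookup_vulnerable`, `lookup_parameterized` and `validate_username` are hypothetical names for this illustration.

```python
import re
import sqlite3

# Constructed sample data: a tiny in-memory users table standing in for a web
# application's customer database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def lookup_vulnerable(conn, username):
    # Vulnerable: the form value is concatenated straight into the SQL text,
    # so the input can change the structure of the query itself.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # Hardened: the query structure is fixed at coding time and the input is
    # bound as a parameter, so it is only ever compared as data.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def validate_username(username):
    # Allowlist validation at the web form boundary: reject anything that is
    # not a plain identifier before it gets anywhere near the database.
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", username) is not None

def demo():
    conn = make_db()
    normal = "alice"
    # Constructed malformed input of the kind a web form might receive:
    # it closes the quoted literal and appends an always-true condition.
    tautology = "' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_tautology": lookup_vulnerable(conn, tautology),  # every row leaks
        "param_normal": lookup_parameterized(conn, normal),
        "param_tautology": lookup_parameterized(conn, tautology),    # no match
        "validation_rejects": not validate_username(tautology),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The vulnerable lookup returns the whole table for the malformed input, while the parameterized one returns nothing and the validator rejects it before a query is even built.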
Some breaches can be due to zero-day vulnerabilities, and others can be due to vendors taking their time in releasing patches after vulnerabilities are discovered. Long patch cycles and a lack of basic security understanding are, however, common in many organizations. Whatever the cause, organizations need to be on top of their cybersecurity management game:
- Employees need to be trained, kept regularly informed and tested.
- Developers and Administrators need to see the big picture and understand how and where security is required, and implement accordingly.
- Security engineers need to regularly test their defences using up to date tools and methods, as well as continuously monitor their environment for anomalous activity.
- IT managers need to keep on top of their governance, risk management, and compliance requirements with regular audits.