A major security breach at Equifax has taken place over a two month period
It is thought to have affected 143 million customers in the US, as well as an undisclosed number of Britons and Canadians.
The perpetrators exploited a vulnerability in a US website application to gain access to confidential information – including names, social security numbers, birth dates, addresses and driver’s license numbers, as well as around 209,000 credit card numbers – over a two month period from May 2017.
It also found unauthorised access to “limited personal information” of a number of British and Canadian customers, and will work with regulators in both countries to determine an appropriate path forward. It added that it had found “no evidence” of any unauthorised activity on its core consumer or enterprise credit reporting databases.
Since halting the intrusion on 29 July, Equifax has been working closely with law enforcement and brought in a cyber security partner to conduct a thorough forensic review of its systems. This investigation is mostly complete, but more detailed information is expected to emerge in the coming days and weeks.
Equifax has confirmed that the massive data breach was result of missed patch and appear to have failed to roll out a patch that might have stopped the massive breach of its systems.
From a hacker perspective, many organisations are still leaving the front door open and the windows unlocked. Failure to protect and handle data correctly can also result in punitive actions for companies participating in the digital economy.
In a brief update statement, Equifax said it had been “intensely investigating” the scope of the intrusion with the help of an undisclosed cyber security firm – thought to be Mandiant – to find out exactly what information was accessed and whom it belongs to.
“We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638,” it said. “We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”
Apache Struts is an open-source model-view controller (MVC) framework for building Java web applications, and is well used across the financial services sector. The vulnerability causes it to mishandle file upload, which enables malicious actors to execute arbitrary commands via a command string in a crafted content-type HTTP header.
This was first highlighted in March 2017, and patches were subsequently released for it.
However, the Equifax breach began in May, which would seem to suggest the organisation did not bother to apply the updates to its systems.
Since news of the breach emerged, it has also emerged that the incident may have resulted in many more Britons than at first suspected having their data compromised – around 44 million by some estimates.
This is because even if people do not directly purchase Equifax’s consumer services themselves, some of their sensitive personal data is almost certainly held by enterprises, which use its corporate services to check credit scores for loans, for example.
Experts criticised the Equifax breach response as insufficient given the size and scope of the data loss, and said the company was likely not prepared for such an incident.
While doing preparation work for GDPR, organisations should look at the Equifax breach and understand they would have to notify customers of a problem much sooner.
“We will be advising Equifax to alert affected UK customers at the earliest opportunity. In cyber attack cases that cross borders the ICO is committed to working with relevant overseas authorities on behalf of UK citizens.”