Equifax — one of the largest providers of consumer credit reporting and other financial services in the US — said last night it was the victim of a hack during which attackers made off with details on over 143 million of its customers.
While the amount of stolen data is impressive in its size alone, affected users have real reasons for concern because of the nature of the data hackers made off with.
According to a press release the company put out, attackers stole names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers.
Furthermore, hackers also accessed credit card numbers for approximately 209,000 US users and dispute documents with personal identifying information for approximately 182,000 more.
In addition, Equifax said attackers also had limited access to the personal details of UK and Canadian residents but did not reveal the number of affected users.
Hackers made off with highly sensitive information
In most breaches, hackers get access to limited information, such as names, addresses, or credit card numbers. A breach of this magnitude and depth of sensitive information is a rare event, and a dangerous one.
Any hacker holding the information stolen from Equifax can very easily build in-depth profiles on its targets and carry out fraudulent transactions, illegal tax returns, hijack online accounts, and more.
Equifax made another big mistake by not notifying users right away. The company said it detected the hack on July 29, but waited more than a month to issue a public warning so users could freeze their assets or take precautionary measures.
"This is a disastrous data breach, probably one of the most detrimental breaches of this year, capable of undermining trust in an already quite fragile online financial space," Ilia Kolochenko, CEO and Founder of High-Tech Bridge told Bleeping Computer via email.
"Such a delayed public disclosure of the breach is quite dubious. Probably the disclosure was reasonably postponed in the interests of investigation, but it still could endanger the victims," Kolochenko added.
Equifax launches website to check if you're affected
Rick Smith, Equifax CEO, apologized for the incident in a YouTube video (see below) and offered to provide free credit monitoring services for one year to all US citizens, not just those affected by the breach.
If you think the offer is generous, it is not. The 143 million figure is about 45% of the US' entire population, but even after excluding children, the elderly and other inactive age groups, that is still a large chunk of the active credit-eligible population, meaning most US consumers were affected regardless.
Equifax using breach to peddle its own services
Equifax has set up a web page where affected users can verify if they're included in the reported data breach. They can also use this website to enroll in free credit monitoring services.
Users included in the breach have a higher priority and can sign up and receive the free credit monitoring offer right away.
Users not included in the breach will receive their one-year free credit monitoring service but from a later date. In the meantime, Equifax encourages these users to sign up for a commercial plan of credit monitoring services, just in case. In other words, Equifax is using its own hack to sell credit card monitoring services.
Blunder after blunder after blunder
The marketing blunder caps the numerous other technical failures. For example, Equifax's breach verification site uses a stock WordPress site, hardly the best technology for running secure sites.
Because it allows users to verify if they're in the breach by entering their name and the last six digits of their SSN, the site quickly got flagged by OpenDNS as a phishing site. When it launched, the site also had SSL issues, which contributed to OpenDNS marking the site as a threat.
The primary Equifax website is also still vulnerable to an XSS flaw reported last year. One of the Equifax login pages shows debug codes that could be useful in gaining an idea about how Equifax's internal network works.
In its official statement, Equifax said the intrusion took place after "criminals exploited a U.S. website application vulnerability to gain access to certain files."
With such a clumsy effort on the technical side, it is no wonder that LinkedIn's CISO (Chief Information Security Officer) wanted to lay low.
Susan Mauldin, Equifax's CISO, suddenly doesn't have a LinkedIn page https://t.co/E5VnqDhrxB
— Greg Otto (@gregotto) September 7, 2017
The good news is that Equifax is hiring new staff to bolster its security department, but it may be just too late [1, 2].
Insider trading?
Besides expecting a visit from the FTC and ambulance-chasing lawyers holding class-action lawsuits in their hands, Equifax should also expect the SEC.
Shortly after the data breach press release was published, Bloomberg reported that three Equifax high-ranking execs were allowed to sell company stock of nearly $1.8 million.
The date of this transaction came after the company discovered the data breach. In statements to the press, Equifax said the execs who sold their stock were not aware of the breach, an explanation that few experts are buying.
Weird how Equifax PR can't say whether users' SSNs were encrypted but knows that execs were unaware of a huge hack weeks after it happened. https://t.co/PsjtSeOob2
— Kevin Collier (@kevincollier) September 8, 2017
Just so we are all clear here https://t.co/h6xgKHE76J pic.twitter.com/5mHqQYhWCW
— Greg Otto (@gregotto) September 7, 2017
Equifax stock (NYSE:EFX) is expected to plummet when the US stock market opens on Friday, later today.
Comments
Occasional - 6 years ago
Check out Bleeping Computer forums for more on this:
https://www.bleepingcomputer.com/forums/t/656596/equifax-data-breach-could-potentially-affect-143-million-us-consumers/?view=findpost&p=4329804&hl=%2Bequifax
Add to the delayed timing of the data breach notification, it just happened to come as Florida braces for Cat 5 hurricane, North Korea promises more missile tests, and a few other items for a slow news day.
mremski - 6 years ago
"With such a clumsy effort on the technical side, it is no wonder that LinkedIn's CISO (Chief Information Security Officer) wanted to lay low."
This is incorrect. It's not LinkedIn's CISO, but Equifax's CISO (tweet talks about removing LinkedIn page of Equifax CISO).
Occasional - 6 years ago
It's OK - we know what you meant. BTW, LinkedIn has had its own leaks in the past. To some extent, I think many companies created CISOs to cover the other C levels (someone else's neck for the chopping block). The 'technical side' has always been driven by speed to market and cutting non-billable expenses; security and data integrity as an afterthought.
Anulled - 6 years ago
What a wonder...
This modern day and age.
Why the hell did they wait a month, consumers should be notified at once.
Occasional - 6 years ago
"Consumers", not sure that's the best term. In other big breaches, those affected were employees of, business partners with, used the products or services of... (such as those with Yahoo mail accounts, with the Yahoo breach). Here, anyone might be in the list - even if they never heard of Equifax.
notjustme - 6 years ago
Not only are they using this breach to shill for their own product, but it certainly looks like you have to give up your rights to join any class action lawsuit just to find out if they lost your data. (notjustme is not a lawyer)
From the T&C of the data breach site: "ARBITRATION. PLEASE READ THIS ENTIRE SECTION CAREFULLY BECAUSE IT AFFECTS YOUR LEGAL RIGHTS BY REQUIRING ARBITRATION OF DISPUTES (EXCEPT AS SET FORTH BELOW) AND A WAIVER OF THE ABILITY TO BRING OR PARTICIPATE IN A CLASS ACTION, CLASS ARBITRATION, OR OTHER REPRESENTATIVE ACTION. ARBITRATION PROVIDES A QUICK AND COST EFFECTIVE MECHANISM FOR RESOLVING DISPUTES, BUT YOU SHOULD BE AWARE THAT IT ALSO LIMITS YOUR RIGHTS TO DISCOVERY AND APPEAL."
Occasional - 6 years ago
Good eye. Thanks for posting. Not sure if this boilerplate form will hold any water when the lawsuits start coming - even if you "sign". Sort of like signing a confession under coercion. But then, I'm not a lawyer, either.
Occasional - 6 years ago
Still waiting for details on the breach. Read that the vector was their own public facing application. Hard to comprehend that they would allow direct access to data stores of this sensitivity, scale and value.
Would have guessed sophisticated spear-phishing attacks, to work up through to admin level credentials, as the attack vector.
Spear-phishing attacks: not the cause of the leaks, but a sure bet they will be the result. While the focus of concern has been identity theft, a bigger danger may be multi-phase and multi-method attacks against corporate networks - using the leaked data to profile, scam and blackmail gatekeepers. Free credit monitoring is no protection against that.
NickAu - 6 years ago
I wonder how many people actually read those terms and conditions before clicking "yes"?
Occasional - 6 years ago
Did you catch this one in August: https://www.bleepingcomputer.com/news/technology/22-000-people-agree-to-clean-toilets-because-nobody-reads-terms-and-conditions/
No idea what I "agreed to" over the years; but never been called on any of them, either.