Credit monitoring agency replaces CIO and CSO, who are ‘retiring’
Data belonging to up to 400,000 UK consumers may have been exposed in the Equifax hack, the credit monitoring agency has finally revealed.
Data including names, dates of birth, email addresses and telephone numbers “may potentially have been accessed” by hackers who also stole 143 million US consumers’ personal data, Equifax said.
The company added that home addresses, passwords and financial data were not included in the UK breach, which occurred as a result of a “process failure” that saw some UK data stored on US servers between 2011 and 2016.
Equifax said its UK systems were not affected by the data breach, which was the result of an Apache Struts flaw the company left unpatched.
Patricio Remon, president at Equifax, said: “We apologise for this failure to protect UK consumer data. Our immediate focus is to support those affected by this incident and to ensure we make all of the necessary improvements and investments to strengthen our security and processes going forward.”
UK businesses’ data was not included in the breach, although Equifax only confirmed this 10 days after publicly announcing the breach, which it discovered in late July.
A spokesman for the UK’s data watchdog, the Information Commissioner’s Office (ICO), said: “The ICO has been pressing the firm to establish the scale of any impact on UK citizens and has also been engaging with relevant US and UK agencies about the nature of the data breach.
“It can take some time to understand the true impact of incidents like this, and we continue to investigate. Members of the public should remain vigilant of any unsolicited emails, texts or calls, even if it appears to be from a company they are familiar with. We also advise that people review their financial statements regularly for any unfamiliar activity.
“If any financial details appear to have been compromised, victims should immediately notify their bank or card company. If anyone thinks they may have been a victim of a cyber crime they should contact Action Fraud.”
Equifax believes identity theft is unlikely based on the leaked data, but will write to the affected customers to offer them a free identity protection service that monitors their personal data, including credit card details, and alerts them to possible fraud.
The news came alongside Equifax’s announcement last Friday that both its CIO and chief security officer (CSO) are “retiring”.
In their place, Mark Rohrwasser will serve as interim CIO effective immediately after leading the firm’s international IT operations since last year, and vice-president of IT, Russ Ayres, has been appointed CSO, reporting to Rohrwasser.
The company said: “Equifax’s internal investigation of this incident is still ongoing and the company continues to work closely with the FBI in its investigation.”
14/09/2017: Equifax hackers used a months-old Apache Struts flaw
The massive hack on credit monitoring agency Equifax was carried out using an Apache Struts flaw that was first revealed in March, the company has admitted.
The huge cyber attack resulted in the theft of social security numbers, names, dates of birth and other personal data from 143 million US residents, and more than 200,000 credit card numbers. Equifax still hasn’t revealed how many UK customers were affected.
But the company yesterday admitted that it was indeed a flaw in Apache Struts, the open source Java web application framework, that had led to the attack.
In an updated statement, it said: “We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”
The hack was carried out in mid-May, according to Equifax, well over a month after the flaw was disclosed and a patch issued. The vulnerability was rated ‘critical’: it allows unauthenticated remote code execution and takes little technical skill to exploit.
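The exploit path for CVE-2017-5638 is an OGNL expression placed in the Content-Type header of a multipart request, which the vulnerable Jakarta Multipart parser in Struts evaluates. The log check below is an added example, not code from the original article or from Equifax or Apache. It assumes a constructed proxy/WAF log format in which the request’s Content-Type header is recorded; stock web server access logs usually omit that header, which is the first thing to verify before relying on a rule like this. The sample records are constructed, and the OGNL fragments in them are inert stubs of the shape the public proof of concept uses, not a working payload.

```python
import re
from typing import Dict, List, Optional

# Assumed (constructed) proxy/WAF log format, one request per line:
#   <timestamp> <client_ip> <method> <path> content_type="<Content-Type header value>"
# A value of "-" means the request carried no Content-Type header at all.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) content_type="(?P<ctype>[^"]*)"$'
)

# S2-045 is triggered by an OGNL expression in Content-Type. A media type never
# contains an expression opener, so "%{" or "${" anywhere in the header is a hard signal.
OGNL_OPENER = re.compile(r"[%$]\{")

# Shape of a legitimate value: type/subtype, optionally followed by ;name=value parameters.
MEDIA_TYPE_RE = re.compile(r'^[\w.+-]+/[\w.+-]+(;\s*[\w-]+=("[^"]*"|[^;\s]+))*\s*$')


def inspect_content_type(ctype: str) -> Optional[str]:
    """Return a reason string when the header looks like an S2-045 probe, else None."""
    if ctype in ("-", ""):
        return None  # no header: the multipart parser never sees anything to evaluate
    if OGNL_OPENER.search(ctype):
        return "OGNL expression opener in Content-Type"
    if not MEDIA_TYPE_RE.match(ctype):
        # Catches malformed or obfuscated variants the opener check misses; noisier, so rank lower.
        return "Content-Type is not a well-formed media type"
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the check over log lines and return one alert per suspicious request."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole scan
        reason = inspect_content_type(m["ctype"])
        if reason:
            alerts.append({"ip": m["ip"], "path": m["path"],
                           "content_type": m["ctype"], "reason": reason})
    return alerts


# Constructed sample records; the OGNL fragments are inert stubs of the public PoC's shape.
SAMPLE_LOG = [
    '2017-05-13T02:11:09Z 198.51.100.4 POST /upload.action content_type="multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"',
    '2017-05-13T02:11:10Z 198.51.100.4 GET /status.action content_type="-"',
    '2017-05-13T02:12:41Z 203.0.113.7 POST /upload.action content_type="%{(#_=\'multipart/form-data\').(#probe=\'s2-045\')}"',
    '2017-05-13T02:12:42Z 203.0.113.7 POST /upload.action content_type="${(#_=\'multipart/form-data\')}"',
    '2017-05-13T02:13:00Z 192.0.2.9 POST /login.action content_type="application/x-www-form-urlencoded; charset=UTF-8"',
    '2017-05-13T02:13:05Z 192.0.2.9 POST /login.action content_type="not a media type at all"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f'{alert["ip"]} {alert["path"]}: {alert["reason"]} -> {alert["content_type"]}')
```

The opener check is the high-confidence signal; the media-type shape check is a lower-confidence fallback that will also fire on broken clients, so treat the two reasons differently when tuning alert thresholds. Neither helps if the Content-Type header never reaches the log, which is why the first step is confirming what the edge actually records.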
An Apache Struts flaw was also pointed to as the cause of the breach shortly after it was announced. Quartz initially identified the vulnerability as CVE-2017-9805, which was disclosed earlier in September, although this turned out to be incorrect.
The Apache Software Foundation has said that the breach was the result of Equifax’s failure to patch its systems, rather than of flaws in its software.
“This vulnerability was patched on 7 March 2017, the same day it was announced,” the Foundation’s blog post read. “In conclusion, the Equifax data compromise was due to their failure to install the security updates provided in a timely manner.”
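Apache’s point is a patch-level one: the S2-045 advisory fixed CVE-2017-5638 in Struts 2.3.32 and 2.5.10.1, and lists 2.3.5 to 2.3.31 and 2.5 to 2.5.10 as affected. The inventory check below is an added example, not code from the article or from Apache. It assumes Struts is deployed as a struts2-core-<version>.jar inside exploded directories or packed WAR/EAR files under a root directory you pass in; the jar names used in the usage and test are constructed.

```python
import os
import re
import zipfile
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Ranges from the Apache Struts S2-045 advisory for CVE-2017-5638, as [affected_from, fixed_in):
# 2.3.5 - 2.3.31 (fixed in 2.3.32) and 2.5 - 2.5.10 (fixed in 2.5.10.1).
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 32)), ((2, 5), (2, 5, 10, 1))]

JAR_RE = re.compile(r"^struts2-core-(?P<version>\d+(?:\.\d+)*)\.jar$")
CONTAINER_SUFFIXES = (".war", ".ear")


def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.split("."))


def version_lt(a: Version, b: Version) -> bool:
    """Compare versions of different lengths by zero-padding, so 2.5.10 < 2.5.10.1 holds."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def is_vulnerable_to_s2_045(version: Version) -> bool:
    """True when the version lies in an affected range and below that range's fix."""
    return any(not version_lt(version, low) and version_lt(version, fixed)
               for low, fixed in AFFECTED_RANGES)


def classify_jar(path: str) -> Optional[Tuple[Version, bool]]:
    """(version, vulnerable) for a struts2-core jar path; None for any other file."""
    m = JAR_RE.match(os.path.basename(path))
    if not m:
        return None
    version = parse_version(m["version"])
    return version, is_vulnerable_to_s2_045(version)


def scan_tree(root: str) -> List[Tuple[str, Version, bool]]:
    """Walk a deployment root (assumed layout: exploded dirs and/or packed WAR/EAR files)
    and report every struts2-core jar found, including those inside packed archives."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result = classify_jar(name)
            if result:
                findings.append((full, *result))
            elif name.lower().endswith(CONTAINER_SUFFIXES) and zipfile.is_zipfile(full):
                # Packed deployment: look at WEB-INF/lib entries without unpacking to disk.
                with zipfile.ZipFile(full) as archive:
                    for entry in archive.namelist():
                        inner = classify_jar(entry)
                        if inner:
                            findings.append((f"{full}!{entry}", *inner))
    return findings


if __name__ == "__main__":
    import sys
    for location, version, vulnerable in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        status = "VULNERABLE (CVE-2017-5638)" if vulnerable else "patched"
        print(f'{location}: struts2-core {".".join(map(str, version))} -> {status}')
```

Run it against an application server’s deployment directory (for example `python struts_check.py /opt/tomcat/webapps`, assumed path). Matching on the jar file name is a first pass only: a shaded, renamed or snapshot-suffixed build is silently skipped, so a fleet-wide audit should also read the version from the jar’s manifest and cross-check against the build’s dependency lock.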
The revelation comes as evidence of lax cyber security practices emerges. Security expert Brian Krebs discovered that corporate tools used by Equifax’s Argentinian arm were protected by the default username and password ‘admin’, which gave him access to the national identity numbers of thousands of Argentinians.
The company has said this was completely unrelated to the US incident, that no customers were affected, and that it has taken action to address the problem.
Equifax’s response to the attack has led to criticism from all sides. Its cyber security practices are unsurprisingly coming under scrutiny, and US senators are also calling for investigations of the company executives who offloaded their stocks following the breach’s discovery.
The data obtained in the breach is hugely valuable for thieves. Not only can it be leveraged for widespread identity theft, but cyber security firm Intsights has calculated that the database itself could fetch upwards of $32 million on dark web black markets.
13/09/2017: Chatbot helps users sue Equifax for data breach
A chatbot originally developed to help people appeal against parking and speeding fines has been re-purposed to help customers affected by the Equifax data breach sue the company.
DoNotPay, which was created by a British student studying at Stanford University, has been programmed to automatically file claims against the credit checking company, which suffered a breach leaking the details of up to 143 million US customers.
Data on UK customers was also stolen, although the company hasn’t revealed how many were affected.
The bot asks users who believe they are affected a series of questions tailored to the case, adapting them to previous answers and to how severely the person was affected, and then produces the documents the user needs to file a claim formally.
The bot has so far helped 375,000 people claim against parking tickets, although developer Joshua Browder hasn’t revealed how many Equifax customers have used it yet.
“We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations,” said Richard Smith, Equifax chairman and chief executive, when the breach was revealed.
Anyone who thinks they were affected by the breach has been encouraged to check online; those who were are being offered free access to Equifax’s credit and identity theft monitoring tools. Security experts have warned against using these because of waivers users must agree to that would prevent them from taking legal action, although Equifax has claimed the waivers don’t apply to this cyber security incident.
DoNotPay has been used for a number of other small claims cases, including helping asylum seekers with their immigration applications to gain entry to the US and receive financial support from the state.
11/09/2017: Equifax’s data breach response draws experts’ ire
Security experts have slammed Equifax for its actions in the wake of a cyber attack that has hit upwards of 143 million customers.
The credit check agency was hacked in May, then discovered the breach on 29 July, but only revealed it to customers last week (see below), blaming a “US website application vulnerability” without going into any greater detail.
Customers’ social security numbers, driver’s license numbers, dates of birth and addresses have all been stolen, while some customers also lost credit card numbers and other personally identifiable information.
An information page for US users asks them to enter their name and the last six digits of their social security number to find out whether it has been stolen, but nothing exists for UK users yet.
Free threat protection and credit monitoring services offered by Equifax include clauses that prevent consumers from suing Equifax or joining class action lawsuits. However, Equifax said these waivers don’t apply to this cyber security incident.
Nevertheless, Jeff Pollard, principal analyst at research firm Forrester, warned affected customers against using these services.
He added: “We need more information from Equifax other than ‘your information was or possibly was accessed’.
“What’s even more concerning about this longer term is that Equifax is a major data aggregator, broker, and analytics firm. Given that we don’t know the extent of the information breached, it’s likely this reaches further into data that Equifax transforms as part of its marketing and analytic services.
“What kind of data did Equifax have, what did they do with it, and what is now in the adversaries’ hands? How much do they know about us [and how much of this] is based on these analytics services?”
A class-action lawsuit has already been filed in Portland, Oregon, according to Cyberscoop, warning that costs resulting from the suit could hit $68.6 billion.
Meanwhile, Twitter users have criticised the effectiveness of a call centre deployed by Equifax to handle customer queries. Callers were put on hold or disconnected, reports the Guardian. One user who was disconnected nine times eventually got through, only to be referred to a general information website.
Equifax said it has tripled its customer service agents to 2,000 and is continuing to add more.
Did an Apache Struts bug allow Equifax to be hacked?
The root cause of the hack remains unclear, but Quartz claimed last week that it was related to a bug in Apache Struts, a Java web application framework. This flaw, CVE-2017-9805, was reported to Apache in July but only patched and publicly disclosed last week, and security researchers found it allowed hackers to remotely execute code on servers running the framework.
Since Equifax was hacked in May, the Apache Software Foundation issued a rebuttal of the claim over the weekend: the flaw Quartz referred to was not reported until July and not fixed until September, so the attackers must either have used an earlier, already-disclosed flaw on an unpatched Equifax server or have had a zero-day exploit.
“At this point in time it is not clear which Struts vulnerability would have been utilized, if any,” said René Gielen, VP for Apache Struts.
Quartz has since updated its article to claim the bug may have been one reported back in March, rather than September.
08/09/2017: Credit agency Equifax hit by major data breach
Credit check agency Equifax has fallen victim to a major data breach, which has affected 143 million customers in the US and an undisclosed number in the UK and Canada.
The attack took place between mid-May and July, according to a statement, with the company discovering the breach on 29 July. A public statement has only just been made, however.
According to the company, the intrusion was made via “a US website application vulnerability to gain access to certain files”.
“The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases,” the organisation said.
That doesn’t mean the breach is insignificant, though, with information on US customers including social security numbers, dates of birth, addresses and driver’s license numbers all being stolen. Additionally, some 209,000 customers had their credit card numbers stolen and 182,000 had dispute documents with personally identifiable information accessed.
It is unclear at this time whether the information taken was encrypted, or who the perpetrators may be.
IT Pro has contacted Equifax in the UK to find out how many customers are affected and the nature of the breach here, as well as to clarify the encryption question, but hadn’t received a response at the time of publication.
The Information Commissioner’s Office takes a hard line on data breaches but is nevertheless willing to lend its aid.
“Reports of a significant data loss at US-based Equifax and the potential impact on some UK citizens gives us cause for concern. We are already in direct contact with Equifax to establish the facts including how many people in the UK have been affected and what kind of personal data may have been compromised,” said ICO Deputy Commissioner James Dipple-Johnstone.
“We will be advising Equifax to alert affected UK customers at the earliest opportunity.
“In cyber attack cases that cross borders the ICO is committed to working with relevant overseas authorities on behalf of UK citizens.”
The company has set up a dedicated website, www.equifaxsecurity2017.com for US customers to find out if they’ve been affected by the hack.
For UK customers, there’s currently no site or specific advice available from the agency.
Security analyst Graham Cluley told IT Pro: “This isn’t a case of ‘change your passwords’. You don’t have the option of changing your name, date of birth, social security number and other personal information.
“The cruel irony of millions of identities being stolen from an organisation that offers identity theft monitoring isn’t lost on anyone. This will be very hard for Equifax to live down.”
He added: “My advice for companies who don’t want to find themselves in similar hot water is to ‘hack themselves before someone hacks you’. Find the weaknesses and vulnerabilities by conducting your own penetration tests, as it may protect your company and prevent you putting others at risk.”
Quocirca analyst Clive Longbottom largely agreed with Cluley’s sentiments.
“This is a real bad one for Equifax. The PII that has leaked includes social security numbers, addresses, names and so on – the sort of information that forms the basis for criminals to create a false identity.
“If it also includes the rest of a person’s Equifax data – banks, loans, credit card details, for example, then it puts the people concerned in a very bad place,” he told IT Pro. “This is not a username/password issue: there is not much that an individual can do on this.”
“To leave a month and a bit between finding out and disclosure is pretty unforgivable in this case,” he added.
In his analysis of the hack, security researcher Brian Krebs said: “That the intruders were able to access such a large amount of sensitive consumer data via a vulnerability in the company’s Web site suggests Equifax may have fallen behind in applying security updates to its Internet-facing Web applications.
“Although the attackers could have exploited an unknown flaw in those applications, I would fully expect Equifax to highlight this fact if it were true – if for no other reason than doing so might make them less culpable and appear as though this was a crime which could have been perpetrated against any company running said Web applications.”
He also pointed out that the company was until very recently looking for a vice president of cyber security – a role equivalent to a CISO according to Equifax – and suggested this may have been a contributing factor to web applications potentially being left unpatched.
Main image credit: Bigstock