Equihax: One of the Most Calamitous Breaches of All Time

On a quiet afternoon in early September 2017, Equifax disclosed an extraordinary security breach, one that would turn out to affect well over 140 million people. Given that the company had first discovered the breach in July, it had ample time to prepare a response and a remedy for everyone affected. Instead, Equifax gave the world a perfect example of how not to handle a major security breach.

From the enormous scope of the data leak to the confusing legalese and the hideously insecure response websites, Equifax had it all. Add allegations of insider trading, poor communication, a 30 percent drop in stock value and further data leaks, and the company seemed to have set itself up for a dramatic fall from grace. Well, as much grace as a credit reporting agency you never explicitly agreed to hand your sensitive data to can have.

EquiBreach

Equifax’s first statement on the breach said that approximately 143 million Americans may have had their credit information compromised. This included names, addresses, Social Security numbers (SSNs), birth dates and, in some instances, driver’s license numbers. The company also reported that credit card numbers for 209,000 U.S. consumers were included in the breach, and that dispute documents containing personally identifying information for a further 182,000 individuals were leaked.

equifax disclosure screenshot

Initial reports in the media referred to affected individuals as Equifax’s customers. However, you aren’t really a customer of Equifax, Experian, TransUnion or any other credit reporting agency. These agencies collect data from many different services and financial product providers and use it to generate your credit score, which lets a lender assess the risk you pose. Applying for a loan, credit card or mortgage? This is how the decision is made.

Impact Assessment and TrustedID Premier

To compensate you for losing the data of nearly half the U.S. adult population, Equifax set up a website, equifaxsecurity2017.com. There, you could enter your last name and the last six digits of your SSN to find out whether your details were among those leaked. You could also enroll in its service, TrustedID Premier, a three-bureau credit monitoring and SSN monitoring tool, complimentary to U.S. consumers for a year.

Yet in its initial disclosure, and for a week afterwards, Equifax was remarkably silent on the details. The attack type, the culprit, and why the intrusion went undetected for so long all remained a secret.

This led many to suspect culpability on Equifax’s side. Six days later, after immense public outcry and interventions from a bipartisan group of Senators, Equifax finally admitted that the attackers used a known Apache Struts vulnerability (CVE-2017-5638), for which a patch had been released in March 2017, around two months before the intrusion began. Just as with WannaCry earlier in the year, it showed that not updating your software can have devastating consequences.
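CVE-2017-5638 was exploited by placing an OGNL expression in a malformed Content-Type header, which the Jakarta Multipart parser in vulnerable Struts versions then evaluated. That also makes attempts easy to spot in request logs after the fact. Below is an added example (not code from the original article or from Equifax) that scans a constructed, simplified access log for the two things a defender can key on: the expression markers and sandbox-escape identifiers that public exploit payloads carry, and, more robustly, any Content-Type value that fails the header’s own type/subtype;param grammar. The log format, IP addresses, paths and the header value in the third line are all invented for the example.

```python
import re
from typing import Dict, List

# Signature indicators for CVE-2017-5638 exploitation attempts: the Jakarta
# Multipart parser evaluated OGNL embedded in a malformed Content-Type header,
# so the expression markers and the usual sandbox-escape identifiers are what
# show up in the header value.
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "ognl.OgnlContext", "@java.lang.Runtime")

# Grammar check: a well-formed Content-Type is "type/subtype" followed by
# optional ";name=value" parameters. Anything else is anomalous whether or
# not it matches a known signature, which catches obfuscated variants too.
_TOKEN = r'[A-Za-z0-9!#$&^_.+-]+'
CONTENT_TYPE_RE = re.compile(
    rf'^\s*{_TOKEN}/{_TOKEN}(\s*;\s*{_TOKEN}=(?:"[^"]*"|{_TOKEN}))*\s*$'
)

# Constructed log format (an assumption for this example, not any real
# server's format): "<client-ip> <method> <path> <status> content-type=<value>"
LOG_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) content-type=(.*)$")

# Constructed sample lines; the third carries an exploit-style header fragment.
SAMPLE_LOG = """\
203.0.113.5 GET /account/summary 200 content-type=text/html
203.0.113.9 POST /upload.action 200 content-type=multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
198.51.100.7 POST /struts2-showcase/fileupload/doUpload.action 500 content-type=%{(#_='multipart/form-data').(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id')}
198.51.100.7 POST /index.action 200 content-type=application/json
"""


def classify_content_type(value: str) -> List[str]:
    """Return the reasons a Content-Type value looks like an exploit attempt
    (empty list means it looks benign)."""
    reasons = []
    hits = [m for m in OGNL_MARKERS if m in value]
    if hits:
        reasons.append("ognl-signature:" + ",".join(hits))
    if not CONTENT_TYPE_RE.match(value):
        reasons.append("malformed-content-type")
    return reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse each log line and report those whose Content-Type is suspicious."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ip, method, path, status, ctype = m.groups()
        reasons = classify_content_type(ctype)
        if reasons:
            findings.append({"line": lineno, "ip": ip, "method": method,
                             "path": path, "status": status, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

The grammar check is the one to keep: signature strings change from payload to payload, but a Content-Type header that is not a media type is never legitimate traffic, and the same idea (reject what does not match the header grammar) is what a WAF rule or a reverse proxy should have been enforcing in front of the application.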

Not Just U.S. Consumers

Although it was not disclosed from the outset, Equifax was forced to admit that information on a “limited number” of U.K. and Canadian residents was also included in the breach. Up to 44 million U.K. consumers may not even have been aware that the U.S. credit agency held their data; it was supplied by companies including BT, British Gas and Capital One. The credit agency’s U.K. arm announced early on the evening of Friday September 15th that 400,000 U.K. residents were affected, a timing widely suspected to be an attempt to bury the news. The same statement revealed a “process failure” that had lasted half a decade. Yet no guidance to U.K. or Canadian residents has been offered.

Equifax’s Website Woes

For reasons that have yet to be explained, Equifax launched a separate website for its response to the breach. Given that the site was set up in response to a major security breach, you would imagine every precaution would have been taken to make it a shining beacon of stability. Instead, the sheer volume of American consumers wishing to check their information overwhelmed it, leaving many unable to access the site or to load the results of their impact assessment.

Even then, the numbers visiting the site might have been larger had it not been for poor website configuration. In most people’s book, an off-domain website with questionable keywords looks like a phishing scam. OpenDNS seemed to agree, and blocked access to the site for many users. To heighten the irony, completing the assessment required entering the last six digits of your SSN, the very data Equifax had just proved it couldn’t protect!

Unverifiable Results

Within hours of the site launching, there were reports that you couldn’t even trust the results of the impact assessment. Entering the same details multiple times gave differing answers as to whether you were affected. Some people even tried entering knowingly false information; worryingly, Equifax told the non-existent person that their data had been leaked.

If you were willing to accept that your data had in fact been compromised, Equifax greeted you with a vague statement about the breach and encouraged you to enroll in TrustedID Premier. Given that Equifax was the source of the breach, it seems in poor taste that it would encourage you to sign up to a free trial of its own fraud protection service.

Those who went on to place a credit freeze with Equifax were given a confirmation PIN, the secret needed to lift the freeze later. However, the PIN appeared to be a timestamp of when the freeze was performed. That renders the PIN useless: anyone who knows roughly when you placed the freeze can guess it and unlock your credit. Despite initial denials, Equifax later said it was transitioning to a new method that would randomize PIN generation, and that consumers could request a new PIN to be sent to their registered mailing address.
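To see why a timestamp PIN is worthless, it helps to count. The following is an added example, not Equifax’s code; the exact PIN layout is an assumption, taken here to be the ten-digit MMDDYYHHMM form that screenshots of freeze confirmations suggested. It builds PINs the way a timestamp generator would, enumerates every PIN such a generator could have produced in a given window, and contrasts that with a PIN drawn from a cryptographic random source. It also includes the audit check a reviewer would want: a PIN that round-trips through a calendar parser is not random.

```python
import secrets
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed layout of the weak PIN: month, day, two-digit year, hour, minute.
PIN_DIGITS = 10
TIMESTAMP_LAYOUT = "%m%d%y%H%M"


def timestamp_pin(when: datetime) -> str:
    """Build a PIN the way a timestamp-based generator would. This is the
    weak scheme, reproduced only so its keyspace can be measured."""
    return when.strftime(TIMESTAMP_LAYOUT)


def parse_timestamp_pin(pin: str) -> Optional[datetime]:
    """Audit check: return the datetime a PIN encodes if it parses as
    MMDDYYHHMM, else None. A random PIN almost never parses; a generated
    batch in which most PINs parse is a timestamp generator."""
    if len(pin) != PIN_DIGITS or not pin.isdigit():
        return None
    try:
        return datetime.strptime(pin, TIMESTAMP_LAYOUT)
    except ValueError:
        return None


def candidate_pins(start: datetime, end: datetime) -> List[str]:
    """Every PIN a timestamp generator could have produced between start and
    end inclusive, one per minute. This is the attacker's whole search space
    once the freeze date is known (or guessed from a breach-response window)."""
    cur = start.replace(second=0, microsecond=0)
    out = []
    while cur <= end:
        out.append(timestamp_pin(cur))
        cur += timedelta(minutes=1)
    return out


def random_pin() -> str:
    """The fix: a PIN from a CSPRNG, every ten-digit string equally likely."""
    return f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"


def keyspace_ratio(days: int) -> float:
    """How many times smaller the timestamp keyspace is than a uniform
    ten-digit PIN for an attacker who knows the freeze fell within `days` days."""
    return (10 ** PIN_DIGITS) / (days * 24 * 60)


if __name__ == "__main__":
    day = datetime(2017, 9, 8)
    pins = candidate_pins(day, day.replace(hour=23, minute=59))
    print(f"PINs possible for one day: {len(pins)} (e.g. {pins[0]} .. {pins[-1]})")
    print(f"Uniform ten-digit PIN keyspace: {10 ** PIN_DIGITS:,}")
    print(f"Ratio for a one-day window: {keyspace_ratio(1):,.0f}x")
    print(f"A CSPRNG PIN: {random_pin()}")
```

For a freeze known to have been placed on a given day the candidate set is 1,440 PINs, versus ten billion for a uniformly random ten-digit PIN; even a year of uncertainty leaves only 525,600 candidates, well within reach of anyone the PIN is supposed to keep out. Randomizing generation is necessary but not sufficient: the unfreeze endpoint also needs rate limiting and lockout, or a ten-digit random PIN is still enumerable given enough requests.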

The Legalese Debacle

When Equifax first launched the equifaxsecurity2017 website, the Terms of Service for TrustedID Premier seemed to imply that by using the service you were waiving your right to participate in any future class action lawsuit against the company. The uproar at this perceived injustice prompted Equifax to issue an update the next day, stating that the arbitration clause did not apply to the security breach.

This did little to reassure people, who were understandably unconvinced, leading to a further statement almost a week later that they “have removed that language from the TrustedID Premier Terms of Use and it will not apply to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself. The arbitration language will not apply to any consumer who signed up before the language was removed.”

Taken to Task

In a move that Equifax claims was total coincidence, within days of the company first discovering the breach, three senior executives sold stock totaling $1.8 million. The sale came over a month before the breach was publicly disclosed. If the individuals had knowledge of the breach, they would be in contravention of insider trading laws. Knowingly or otherwise, their timing was fortunate: at the time of writing, Equifax’s stock has fallen 30 percent since disclosure of the breach.

Given the highly sensitive nature of the breach, many affected individuals are understandably critical of Equifax’s apparently lax security. USA Today reported that in the few days following the disclosure, 23 lawsuits were filed in 14 states against the credit reporting agency. As reported by Bloomberg, a class action lawsuit filed in Oregon is seeking damages of up to $7 billion. Even if the court were to award such a large sum, spread across 143 million people it equates to just under $50 per person. Does that seem enough to compensate for a lifetime risk of identity theft?

do not pay screenshot equifax

Joshua Browder, the creator of the DoNotPay bot, expanded its functionality to simplify the process of applying to the small claims court for damages relating to the Equifax breach. This is admirable and goes a long way to making the often complex legal documentation easier to digest. However, some reports have claimed that the bot, originally developed to help you fight parking fines, could automate the entire process. As TechCrunch notes, all the bot really does is help with the initial paperwork; you still have to fight the case in court.

An Ongoing Headache Around The World

If any doubt remained as to Equifax’s poor security practices, an example from its Argentinian arm is likely to remove it entirely. First reported by KrebsOnSecurity, an online portal used by employees to settle credit disputes, named Veraz (meaning “truthful” in Spanish), was found to be vulnerable. You might expect the vulnerability to be technical, but instead it was one of the most basic security failures: bad passwords. The simplistic, and in many products default, username and password combination of admin/admin allowed anyone who happened across the site to log in to the employee portal.

Veraz portal screenshot
Image Credit: KrebsOnSecurity

Shockingly, this allowed you to view, edit and delete usernames and passwords for over 100 Argentinian Equifax employees, and in each case the password, stored in plaintext, was the same as the employee’s username. If that wasn’t severe enough, an area of the site held 715 pages of detailed reports on each complaint or dispute logged with Equifax, including the DNI (the Argentine equivalent of the SSN) for more than 14,000 people, again all in plaintext. Equifax swiftly took the site offline after being contacted by KrebsOnSecurity and is investigating its latest security faux pas.

What Can You Do?

The first step is to use Equifax’s website to check if your data was affected by the breach. However, as the results can be inconsistent, it may be best to assume that you were affected. Now that the company has clarified the language around it, sign up for its TrustedID Premier service and place a credit freeze, which stops anyone opening credit in your name. Given the sensitive nature of the leaked data, scammers will try to exploit it, so stay vigilant against social engineering and phishing scams.

In the wake of many data breaches, we would often advise you to change your passwords, start using a password manager, sign up to HaveIBeenPwned, enable two-factor authentication wherever possible, and improve your cyber hygiene. While none of these will directly protect you against the Equifax leak, tightening your security will do you no harm. Given the circumstances, it might even be worth going the extra mile and performing a full security and privacy checkup.

Equihaxxed

The Equifax breach will most likely be the standout security event in a year rife with data breaches and ransomware attacks. As with other high-profile security events like WannaCry and the never-ending stream of data leaks, there is a silver lining to be found in the astounding nature of the Equifax breach. By bringing the public’s attention to data security, credit reporting and corporate malpractice, there is an opportunity for these matters to be discussed and mitigated. The strong response of many U.S. Senators will hopefully ensure that this breach doesn’t disappear into the background. Equifax has at least conceded that some personnel changes are required: the Chief Information Officer and Chief Security Officer have “retired” as a result.

Despite its high profile and huge scope, there is still no information on who the attackers were. For its part, Equifax has remained entirely silent on the matter, in keeping with the rest of its poorly managed response. Just days after the breach was made public, a group emerged claiming to have the data and demanding a ransom of 600 Bitcoin. After researchers identified the hosting service behind the group’s .onion site, it was promptly shut down.

Separately, a group calling itself Equihax also claimed to be in possession of the data, but offered no verifiable proof. Given how lucrative the data potentially is, you can be certain it won’t be long before the hackers attempt to cash in.

Were you affected by the Equifax security breach? Do you think Equifax is to blame, and could they have done more to protect you? Let us know in the comments!

Image Credit: stevanovicigor/Depositphotos
