On a quiet afternoon in early September 2017, Equifax disclosed an extraordinary security breach, estimated at the time to have affected roughly 143 million people in the U.S. alone. Given that the company had first discovered the breach in late July, it had ample time to prepare a response and a remedy for everyone affected. Instead, Equifax proceeded to give the world a perfect example of how not to handle a major security breach.
From the enormous scope of the data leak to the confusing legalese and the hideously insecure response websites, Equifax had it all. Add in allegations of insider trading, poor communication, a 30 percent drop in stock value, and further data leaks, and the company seemed to have set itself up for a dramatic fall from grace. Well, as much grace as a credit reporting agency you never explicitly agreed to hand your sensitive data to can have.
Equifax’s first statement on the breach said that approximately 143 million Americans may have had their credit information compromised. This included names, addresses, Social Security numbers (SSNs), birth dates, and financial records. The company also reported that credit card numbers for 209,000 U.S. consumers were included in the breach, and that dispute documents containing personally identifying information for approximately 182,000 individuals were also exposed.
Initial reports in the media referred to the affected individuals as Equifax’s customers. However, you aren’t really a customer of Equifax, Experian, TransUnion, or any other credit reporting agency. These agencies collect data from a range of lenders and financial product providers, and that data is used to generate your credit score, which lets a lender assess the risk you pose. Applying for a loan, credit card, or mortgage? This is how the decision is made.
Impact Assessment and TrustedID Premier
To compensate you for losing the data of nearly half the U.S. adult population, Equifax set up a website, equifaxsecurity2017.com. There, you could enter your surname and the last six digits of your SSN to find out whether your details were among those leaked. You could also enroll in the company’s TrustedID Premier service, a three-bureau credit report and SSN monitoring tool, complimentary to U.S. consumers for a year.
Yet in its initial disclosure, and for a week afterwards, Equifax was remarkably silent on the details. The type of attack, the culprit, and why it had been able to continue for so long without detection all remained a secret.
This led many to suspect culpability on Equifax’s side. Six days later, after immense public outcry and interventions from a bipartisan group of Senators, Equifax finally admitted that the attackers had exploited a known Apache Struts vulnerability, CVE-2017-5638, for which a patch had been released in March 2017, roughly two months before the intrusion began in mid-May. Just as with WannaCry earlier in the year, this proved that failing to update your software can have devastating consequences.
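The Struts flaw Equifax left unpatched, CVE-2017-5638 (Apache advisory S2-045; the S2-046 variant of the same CVE uses the Content-Disposition header instead), is triggered by an OGNL expression placed in the Content-Type header of a multipart request, and the affected versions are Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1. As an added example that is not part of the original article or of Equifax’s or Apache’s code, the Python below checks a Struts version against those ranges and flags captured requests whose headers carry OGNL syntax. The request records and the `SAMPLE_REQUESTS` list are constructed for illustration, in the shape a WAF or reverse-proxy audit log might export; the probe strings are deliberately inert OGNL syntax, not a working payload.

```python
"""Two checks for CVE-2017-5638 (Struts S2-045): is this Struts version affected,
and does a captured request carry the OGNL-in-Content-Type signature?
Added example; the sample requests below are constructed, not real traffic."""
import re
from urllib.parse import unquote

# Affected ranges from the Apache S2-045 advisory; fixed in 2.3.32 and 2.5.10.1.
VULNERABLE_RANGES = (
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5, 0), (2, 5, 10)),
)

# OGNL expression markers seen in S2-045 probes: "%{...}" / "${...}" wrappers
# and the context objects attackers reach for to disable the Struts sandbox.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#_memberAccess|#context\b")


def parse_version(version: str) -> tuple:
    """'2.5' -> (2, 5, 0); '2.5.10.1' -> (2, 5, 10, 1). Padding to three
    components keeps tuple comparison correct for short version strings."""
    parts = [int(p) for p in version.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def struts_version_vulnerable(version: str) -> bool:
    v = parse_version(version)
    return any(low <= v <= high for low, high in VULNERABLE_RANGES)


def header_value(headers: dict, name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def is_ognl_probe(headers: dict) -> bool:
    """True if Content-Type or Content-Disposition carries OGNL syntax, checked
    both raw and percent-decoded so a '%25%7B' encoding does not slip past."""
    for name in ("content-type", "content-disposition"):
        raw = header_value(headers, name)
        if any(OGNL_MARKERS.search(candidate) for candidate in (raw, unquote(raw))):
            return True
    return False


def scan_requests(requests: list) -> list:
    """Indexes of the requests that look like S2-045 exploitation attempts."""
    return [i for i, req in enumerate(requests) if is_ognl_probe(req["headers"])]


# Constructed sample requests (hypothetical, not captured traffic).
SAMPLE_REQUESTS = [
    {"path": "/upload.action",
     "headers": {"Content-Type": "multipart/form-data; boundary=----Boundary7MA4YWxk"}},
    {"path": "/upload.action",
     "headers": {"Content-Type": "%{(#_='multipart/form-data').(#probe=1)}"}},
    {"path": "/index.action",  # same inert probe, percent-encoded
     "headers": {"content-type": "%25%7B(%23_%3D'multipart/form-data').(%23probe%3D1)%7D"}},
    {"path": "/login.action",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"}},
]

if __name__ == "__main__":
    for version in ("2.3.31", "2.3.32", "2.5", "2.5.10.1"):
        print(version, "vulnerable" if struts_version_vulnerable(version) else "fixed")
    print("suspicious requests:", scan_requests(SAMPLE_REQUESTS))  # [1, 2]
```

Two caveats for anyone retrofitting this: a default access log does not record Content-Type, so the header check needs proxy, WAF, or application-level request logs; and the version check is only as good as your inventory, so confirm the struts2-core jar actually deployed rather than the version in a build file.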
Not Just U.S. Consumers
Although not disclosed at the outset, Equifax was forced to admit that information on a “limited number” of U.K. and Canadian residents was also included in the breach. Up to 44 million U.K. consumers may not even have been aware that the U.S. credit agency held their data, which had been provided to it by companies including BT, British Gas, and Capital One. The credit agency’s U.K. arm announced early on the evening of Friday, September 15th, that 400,000 U.K. residents were affected. The announcement, timed in a way that looked like an attempt to bury the news, attributed the exposure to a “process failure” that had gone on for half a decade. Yet no guidance for U.K. or Canadian residents had been offered.
Equifax’s Website Woes
For reasons that have yet to be explained, Equifax launched a separate website for its response to the breach. Given that the site was set up in response to a major security breach, you would imagine every precaution would have been taken to ensure it was a shining beacon of stability. Instead, the large volume of American consumers wishing to check their information overwhelmed it, leaving many unable to access the site or to load the results of their impact assessment.
Even then, the number of people visiting the site might have been larger had it not been for poor website configuration. In most people’s book, an off-domain website with questionable keywords in its name looks like a phishing scam. OpenDNS seemed to agree, and blocked access to the site for many users. To heighten the irony, to complete your assessment you had to enter the last six digits of your SSN, the very data Equifax had just proved it couldn’t protect.
Within hours of the site launching, there were reports that you couldn’t even trust the results of the impact assessment. Entering the same details multiple times gave differing answers as to whether you were affected. Some people even tried entering knowingly false information and, worryingly, found that Equifax would tell the non-existent person that their data had been leaked.
So to Equifax. My boss just entered a fake name with his 9 year old son's social security number and the site said he was affected.
— G. (@oh_sovivacious) September 8, 2017
If you were willing to accept that your data had in fact been compromised in the breach, Equifax greeted you with a vague statement about the breach and encouraged you to enroll in TrustedID Premier. Given that Equifax was the source of the breach, it seems in poor taste that it would encourage you to sign up for a free trial of its own fraud protection service.
OMG, Equifax security freeze PINs are worse than I thought. If you froze your credit today 2:15pm ET for example, you'd get PIN 0908171415.
— Tony Webster (@webster) September 9, 2017
Those who placed a credit freeze with Equifax were given a confirmation PIN, which is what is needed to lift the freeze later. However, the PIN appeared to be nothing more than a timestamp of when the freeze was placed: the example in the tweet above, 0908171415, reads as 09/08/17 at 14:15. That renders the PIN useless, since anyone who can narrow down when you froze your credit can guess it and unlock the freeze. Despite initial denials, Equifax later said it was transitioning to a new method that would randomize PIN generation, and that it would allow consumers to request a new PIN by mail to their registered address.
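The following is an added example, not code from the article or from Equifax, showing why a timestamp-derived PIN is worthless. `timestamp_pin` reproduces the MMDDYYHHMM layout inferred from the single PIN in the tweet above (0908171415 for 09/08/17 14:15); that layout is an inference from one example, not Equifax’s documented algorithm. `candidate_pins` enumerates every PIN the scheme could have produced in a given window, which is exactly the guess list an attacker would work from, and `random_pin` shows the fix: draw the digits from the operating system’s CSPRNG. Times are passed as ISO 8601 strings.

```python
"""Timestamp PIN vs. random PIN: how many guesses does an attacker need?
Added example; the MMDDYYHHMM layout is inferred from one published PIN."""
import math
import secrets
from datetime import datetime, timedelta

PIN_DIGITS = 10
PIN_FORMAT = "%m%d%y%H%M"  # inferred layout: 2017-09-08 14:15 -> 0908171415


def timestamp_pin(when: str) -> str:
    """The observed scheme: '2017-09-08T14:15' -> '0908171415'."""
    return datetime.fromisoformat(when).strftime(PIN_FORMAT)


def candidate_pins(start: str, end: str) -> set:
    """Every PIN the timestamp scheme could emit for a freeze placed in
    [start, end): one per minute, so the attacker's guess list is tiny."""
    t = datetime.fromisoformat(start).replace(second=0, microsecond=0)
    stop = datetime.fromisoformat(end)
    pins = set()
    while t < stop:
        pins.add(t.strftime(PIN_FORMAT))
        t += timedelta(minutes=1)
    return pins


def guesses_to_cover(start: str, end: str) -> int:
    """Size of the guess list needed to be certain of hitting the PIN."""
    return len(candidate_pins(start, end))


def random_pin(digits: int = PIN_DIGITS) -> str:
    """The fix: each digit from the OS CSPRNG, so there is no guess list
    shorter than the full 10**digits keyspace."""
    return "".join(str(secrets.randbelow(10)) for _ in range(digits))


def entropy_bits(keyspace: int) -> float:
    return math.log2(keyspace)


if __name__ == "__main__":
    print("timestamp PIN:", timestamp_pin("2017-09-08T14:15"))
    week = guesses_to_cover("2017-09-08", "2017-09-15")
    year = guesses_to_cover("2017-01-01", "2018-01-01")
    print(f"guesses if the freeze week is known: {week} ({entropy_bits(week):.1f} bits)")
    print(f"guesses for all of 2017: {year} ({entropy_bits(year):.1f} bits)")
    print(f"random {PIN_DIGITS}-digit PIN: {random_pin()} "
          f"({entropy_bits(10 ** PIN_DIGITS):.1f} bits)")
```

Knowing only the week in which a freeze was placed cuts the search to about 10,000 PINs, roughly 13 bits; even a whole year is only about 525,600 candidates, around 19 bits, against the 33 bits a genuinely random ten-digit PIN provides. Any online endpoint that accepts unlimited PIN attempts turns that gap into a few minutes of work.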
The Legalese Debacle
When Equifax first launched the equifaxsecurity2017 website, the Terms of Service for TrustedID Premier seemed to imply that by using the service you were waiving your right to participate in any future class action lawsuit against the company. The uproar at this perceived injustice prompted Equifax to issue an update the next day, stating that the arbitration clause does not apply to the security breach.
Equifax is offering monitoring & identity theft protection pkg but in fine print, an arbitration clause & class action waiver 1/3 pic.twitter.com/8F58B5qh4w
— Rhana Natour (@RNatourious) September 8, 2017
Taken to Task
In a move that Equifax claims was pure coincidence, just two days after the company first discovered the breach, three senior executives sold stock totalling $1.8 million. That was over a month before the breach was publicly disclosed. If the individuals had knowledge of the breach, they would be in contravention of insider trading laws. Knowingly or otherwise, their timing was fortunate: at the time of writing, Equifax’s stock has fallen 30 percent since the disclosure.
Bipartisan group of 36 senators sends letter to SEC, DOJ, and FTC urging an investigation into Equifax stock sales following data breach. pic.twitter.com/xEApcjFFkP
— Kyle Griffin (@kylegriffin1) September 13, 2017
Given the highly sensitive nature of the breach, many affected individuals are understandably critical of Equifax’s apparently lax security. USA Today reported that in the few days following the disclosure, 23 lawsuits were filed in 14 states against the credit reporting agency, and, as reported by Bloomberg, a class action lawsuit filed in Oregon is seeking damages of up to $7 billion. Even if the court were to award such a large sum, spread across 143 million people it equates to just under $50 each. Does that seem enough to compensate for a lifetime risk of identity theft?
Joshua Browder, creator of the DoNotPay bot, expanded its functionality to simplify applying to small claims court for damages relating to the Equifax breach. This is admirable and goes a long way towards making often complex legal paperwork easier to digest. However, some reports claimed that the bot, originally developed to help you fight parking fines, could automate the entire process. As TechCrunch notes, all the bot really does is help with the initial paperwork; you still have to argue the case in court.
An Ongoing Headache Around The World
If any doubt remained as to Equifax’s poor security practices, an example from Equifax’s Argentinian arm is likely to remove it entirely. As first reported by KrebsOnSecurity, an online portal used by employees to manage credit disputes, named Veraz (Spanish for “truthful”), was found to be vulnerable. You might expect the vulnerability to be technical, but instead it was one of the most basic security failures: bad passwords. The simplistic, and widely used default, username and password combination admin/admin let anyone who happened across the site log in to the employee portal.
Shockingly, this allowed you to view, edit, and delete the usernames and passwords of more than 100 Argentinian Equifax employees. In each case, the password was stored in plaintext and was the same as the employee’s username. If that wasn’t severe enough, an area of the site held 715 pages of detailed reports on each complaint or dispute logged with Equifax, including the DNI (the Argentine equivalent of the SSN) of more than 14,000 people, again all in plaintext. Equifax swiftly took the site offline after being contacted by KrebsOnSecurity and is investigating its latest security faux pas.
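As an added example, not code from the article or from Equifax, here is the audit a practitioner would run over an exported account table to catch the three failures Krebs found on the Veraz portal: default credentials, passwords equal to the username, and plaintext storage. The `ACCOUNTS` records are constructed for illustration, and the default-credential list is a small starting set, not an exhaustive one. `hash_password` and `verify_password` show salted PBKDF2 in place of plaintext, and `migrate_to_hashes` converts the export so the same audit passes afterwards.

```python
"""Audit an account export for default credentials, username-as-password and
plaintext storage, and show salted hashing as the replacement for plaintext.
Added example; ACCOUNTS is a constructed sample, not Equifax data."""
import hashlib
import hmac
import secrets

# Vendor/default pairs worth flagging; extend from your own inventory.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root"),
                       ("test", "test"), ("guest", "guest")}
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def audit_accounts(accounts: list) -> list:
    """Return (username, finding) pairs for every weak record. Any record that
    still carries a 'password' field is stored in plaintext by definition."""
    findings = []
    for acct in accounts:
        user = acct["username"]
        if "password" not in acct:
            continue
        pw = acct["password"]
        if (user.lower(), pw.lower()) in DEFAULT_CREDENTIALS:
            findings.append((user, "default credentials"))
        elif pw.lower() == user.lower():
            findings.append((user, "password equals username"))
        else:
            findings.append((user, "password stored in plaintext"))
    return findings


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) as raw bytes."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so the check does not leak matching prefixes."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def migrate_to_hashes(accounts: list) -> list:
    """Replace the plaintext column with salt + digest (hex for storage).
    Migration fixes storage only; flagged accounts still need a forced reset."""
    migrated = []
    for acct in accounts:
        salt, digest = hash_password(acct["password"])
        migrated.append({"username": acct["username"],
                         "salt": salt.hex(), "pbkdf2_sha256": digest.hex()})
    return migrated


# Constructed sample export (hypothetical usernames, not real accounts).
ACCOUNTS = [
    {"username": "admin", "password": "admin"},
    {"username": "jperez", "password": "jperez"},
    {"username": "mgarcia", "password": "MGARCIA"},
    {"username": "ops", "password": "Correct-Horse-7"},
]

if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS):
        print(f"{user}: {finding}")
    hashed = migrate_to_hashes(ACCOUNTS)
    print("findings after migration:", audit_accounts(hashed))  # []
```

Run against a real export, the audit output is the list of accounts that need a forced password reset, and the migration removes the column an attacker with admin/admin was able to read in the first place.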
What Can You Do?
The first step is to use Equifax’s website to check whether your data was affected by the breach. However, as the results can be inconsistent, it is safest to assume that you were. Now that the company has clarified the arbitration language, sign up for its TrustedID Premier service and place a credit freeze, which stops anyone opening new credit in your name; keep the freeze PIN somewhere safe, since it is what lifts the freeze. Given the sensitive nature of the data lost, scammers will try to exploit the situation, so stay vigilant against social engineering and phishing.
In the wake of most data breaches, we would usually advise you to change your passwords, start using a password manager, sign up to HaveIBeenPwned, enable two-factor authentication wherever possible, and generally improve your cyber hygiene. None of these will directly protect you against the Equifax leak, since the data taken is not something you can change, but tightening your security will do you no harm. Given the circumstances, it may even be worth going the extra mile and performing a full security checkup.
The Equifax breach will most likely be the standout security event in a year rife with data breaches and ransomware attacks. As with other high-profile security events like WannaCry and the never-ending stream of data leaks, there is a silver lining to be found in the astounding nature of the Equifax breach. By bringing the public’s attention to data security, credit reporting, and corporate malpractice, there is an opportunity for these matters to be discussed and mitigated. The strong response of many U.S. Senators will hopefully ensure that this breach doesn’t fade into the background. Equifax has at least conceded that some personnel changes were required: the Chief Information Officer and Chief Security Officer have “retired” as a result.
Despite its high profile and huge scope, there is still no information on who the attackers were, and Equifax has remained entirely silent on the matter, in keeping with the rest of its poorly managed response. Just days after the breach was made public, a group emerged claiming to hold the data and demanding a ransom of 600 Bitcoin. Once researchers identified the hosting provider behind the group’s .onion site, it was promptly shut down.
Separately, a group calling itself Equihax also claimed to possess the data, but offered no verifiable proof. Given how lucrative the data potentially is, you can be certain that it won’t be long before the attackers attempt to cash in.
Were you affected by the Equifax security breach? Do you think Equifax is to blame, and could they have done more to protect you? Let us know in the comments!
Image Credit: stevanovicigor/Depositphotos