All data breaches are bad, but this past Thursday the United States was shook by one of the biggest breaches the world has ever seen. Equifax, a credit monitoring company, disclosed that the breach of its system exposed the Social Security Numbers, driver’s licenses, phone numbers, birthdays and addresses of as many as 143 million Americans.
Update 12.09.2017 —
The Equifax data breach is said to have been done through the exploitation of a vulnerability found in an open-source software called Apache Struts. You can read Struts’ blog post on the topic here.
Released in May 2000, Struts is an action based open-source Model View Controller (MVC) framework used for developing Java EE web applications. Struts was donated by its creator to the Apache foundation with the goal of being the separation of the model (the app logic which interacts with a database) from the view (client-side HTML pages) and the controller.
- To learn more about the Java programming language, its security vulnerabilities, and Apache Struts – click here
Equifax is one of only three credit-reporting agencies that monitor, track, and rate the financial history of customers in the United States. The company works with banks, credit card companies, retailers and more to get the customer data, which it then tracks. Therefore, it’s safe to say that Equifax has an extraordinary amount of personal and financial information on basically every American adult.
On the 7th of September, Equifax revealed that it discovered a data breach on the 29th of July, and it may have impacted around 143 million consumers in the United States and a small number of citizens in the United Kingdom and Canada.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Chairman and CEO Richard F. Smith in a statement and video message which you can watch in full here.
According to the company, hackers got their hands on data from May to July of this year, by leveraging an “unspecified” vulnerability in the web application to gain access to certain files. The company did not reveal which application was the source of the breach. There is much speculation in the security community as experts are trying to figure out what vulnerability was exploited, and many have reached the conclusion that regardless of the vulnerability, most of the potential vulnerabilities don’t require much sophistication to exploit.
In addition to the very sensitive personal data, over 180,000 “dispute documents” (or ‘complaint submissions’, containing personal data) were also compromised in the breach. As mentioned in an article on Wired, this part of the breached data may hint that “vulnerable web app was related to a customer submission service or a server that hosted databases including customer feedback logs.”
Equifax has not revealed who was behind the attack, but that the law enforcement is involved.
This breach is one that some “financial experts believe will leave millions of Americans at risk of identify theft for the rest of their lives.” (source), and thanks to that Social Security numbers were stolen, an estimated 44% of the US population will feel the effect of this breach for years to come.
In response to this breach, Equifax launched a website – www.equifaxsecurity2017.com – where you can check whether or not you are one of the 143 million people whose data may have been stolen. However, as of publishing this blog post, the website doesn’t give a clear and simple “yes” or “no” answer and does not offer advice of tips on what you can do next. Equifax is also offering a year of free identity theft insurance and credit monitoring for US residents.
To learn more about what you can do to protect yourself, the web is filled with great guides filled with steps you can take.
Latest posts by Arden Rubens (see all)
- Uses CxSAST to Develop Secure Software - May 17, 2018
- CxSAST for Amazon Web Services - May 15, 2018
- Amazon’s Alexa could be tricked into snooping on users, say security researchers - May 7, 2018