Equifax Says Cyber Attack May Expose Data of 143 Million Customers
Equifax, one of the top consumer credit reporting agencies in the US, UK and Canada, publicly acknowledged that it was a victim of a cyber attack that may have exposed data of 143 million US customers – almost half of the total population of the US.
The consumer credit reporting agency added that hackers gained access to limited personal information for certain Canadian and UK customers. The agency further revealed that credit card numbers of close to 209,000 US customers and certain dispute documents containing personal identifying information for nearly 182,000 US customers were accessed by cyber criminals.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” Richard F. Smith, Chairman and Chief Executive Officer of Equifax, said in a statement.
While this recent Equifax data breach isn’t the biggest data breach on record (the Yahoo data breach affected one billion customers), it may be the worst in terms of severity.
“On a scale of 1 to 10 in terms of risk to consumers, this is a 10,” Avivah Litan, a fraud analyst at Gartner told the New York Times.
Aside from credit card numbers, personal identifying information such as names, Social Security numbers, birth dates, addresses and driver’s license numbers were harvested by the hackers in the recent Equifax cyber attack. According to Equifax, cyber criminals gained access to the sensitive files of its customers from mid-May 2017 to July 2017. The company said it discovered the data breach only on July 29 of this year.
The May 2017 to July 2017 cyber attack wasn’t the only data breach that Equifax experienced. The company suffered two other data breaches in the two years before this incident.
One of those data breaches occurred on the website of TALX, a wholly owned subsidiary of Equifax that offers payroll-related services to companies, between April 17, 2016 and March 29, 2017. Hackers harvested W-2 tax forms of the employees of TALX’s corporate clients. On May 15 of this year, the Counsel for TALX Corporation informed the Attorney General of New Hampshire about the data breach incident.
The other data breach happened on the W-2 Express website, a site owned and managed by Equifax. Hackers again stole W-2 tax forms of the employees of Equifax’s corporate clients, including Kroger (the second largest private employer in the US with 443,000 employees) and Stanford University. Between May 2016 to April 2016, Kroger and Stanford informed their current and former employees that they may be vulnerable to tax fraud after hackers downloaded W-2 tax forms from Equifax’s W-2 Express website.
W-2 tax forms are used by cyber criminals to file fraudulent tax returns with the US Internal Revenue Service (IRS) and collect the refunds. According to the US Department of Treasury (PDF), the US Government issued refunds worth $490 million on 63,000 fraudulent tax returns.
Causes of Data Breaches
1. W-2 Express Data Breach
Based on a letter sent by Kroger to its employees, as reported by Krebs on Security, hackers gained access to Equifax’s W-2 Express website by using two pieces of default login information: the employee’s Social Security number and date of birth.
A default login made up of a Social Security number and date of birth is a dangerous practice, as many customers never change this default login. Using a Social Security number and date of birth as login details is also considered a security risk because many past data breaches have already exposed these two pieces of personally identifiable information.
2. TALX Data Breach
According to TALX, cyber criminals gained access to the TALX website and harvested customers’ W-2 tax forms by successfully answering the personal questions used to reset the “PINs” or passwords that grant access to the website.
“Because the accesses generally appear legitimate (e.g., successful use of login credentials), TALX cannot confirm forensically exactly which accounts were, in fact, accessed without authorization, although TALX believes that only a small percentage of these potentially affected accounts were actually affected,” TALX said.
Single-factor authentication that relies on a PIN or one password alone is an outdated and insecure cyber security measure. Two-factor authentication is a better option, for example one-time tokens sent to a mobile device or email address.
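One way a defender can surface the pattern TALX describes, where access after a question-based PIN reset looks like a legitimate login and forensics cannot tell the accounts apart afterwards, is to correlate reset events with what follows them. This is an added example, not code from the page or from TALX or Equifax; the log format, event names, sample entries and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the page). Fields: timestamp event account source_ip
# PIN_RESET_KBA = PIN reset by answering personal questions; later logins look legitimate.
SAMPLE_LOG = """\
2017-03-01T09:00:00 PIN_RESET_KBA acct-1001 203.0.113.7
2017-03-01T09:00:40 LOGIN_OK acct-1001 203.0.113.7
2017-03-01T09:01:05 W2_DOWNLOAD acct-1001 203.0.113.7
2017-03-01T09:03:10 PIN_RESET_KBA acct-1002 203.0.113.7
2017-03-01T09:03:50 LOGIN_OK acct-1002 203.0.113.7
2017-03-01T09:04:12 W2_DOWNLOAD acct-1002 203.0.113.7
2017-03-01T10:15:00 LOGIN_OK acct-2001 198.51.100.3
2017-03-01T10:16:30 W2_DOWNLOAD acct-2001 198.51.100.3
2017-03-02T14:00:00 PIN_RESET_KBA acct-3001 192.0.2.9
2017-03-05T08:00:00 W2_DOWNLOAD acct-3001 192.0.2.9
"""

def parse_log(text):
    """Parse whitespace-separated log lines into event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, event, account, ip = parts
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "account": account, "ip": ip})
    return sorted(events, key=lambda e: e["ts"])

def find_suspicious(events, window=timedelta(hours=1), ip_threshold=2):
    """Flag accounts whose W-2 was downloaded within `window` of a KBA PIN reset
    from the same source IP, and source IPs that reset PINs on >= ip_threshold accounts."""
    last_reset = {}                  # account -> (ts, ip) of most recent KBA reset
    resets_by_ip = defaultdict(set)  # ip -> accounts whose PIN it reset
    flagged = {}                     # account -> human-readable reason
    for e in events:
        if e["event"] == "PIN_RESET_KBA":
            last_reset[e["account"]] = (e["ts"], e["ip"])
            resets_by_ip[e["ip"]].add(e["account"])
        elif e["event"] == "W2_DOWNLOAD" and e["account"] in last_reset:
            reset_ts, reset_ip = last_reset[e["account"]]
            gap = e["ts"] - reset_ts
            if reset_ip == e["ip"] and gap <= window:
                flagged[e["account"]] = (
                    f"W-2 downloaded {int(gap.total_seconds())}s after KBA PIN reset from {e['ip']}")
    risky_ips = {ip for ip, accts in resets_by_ip.items() if len(accts) >= ip_threshold}
    return flagged, risky_ips
```

On the constructed sample, the two accounts reset and drained from 203.0.113.7 within minutes are flagged, that IP is reported for resetting several accounts, while the ordinary login (acct-2001) and the reset that is followed days later (acct-3001) are left alone.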
3. The 143-Million Data Breach
For the recent data breach, Equifax said that hackers gained access to millions of its customers’ sensitive data by exploiting a US “website application vulnerability”. The company didn’t name the specific vulnerability.
According to a New York Times article, Equifax was criticized for not learning from past data breaches and for failing to stop thieves who were able “to get the company’s crown jewels through a simple website vulnerability.”
Equifax could have put in place a multi-layered cyber security defense system on its website, so that when hackers managed to break through one layer of defense they could be stopped by the subsequent layers.
“We may think one layer of security will protect us – for example, antivirus. Unfortunately for that approach, history has proven that, although single-focus solutions are useful in stopping specific attacks, the capabilities of advanced malware are so broad that such protections inevitably fail,” SANS said in its whitepaper "Layered Security: Why It Works". “Organizations operating in the digital world today need layers of security …”
The consumer credit reporting giant is currently under scrutiny after three of its managers sold their Equifax shares days after the major data breach at the company was discovered.
According to Bloomberg, Chief Financial Officer John Gamble sold shares worth $946,374; president of US information solutions Joseph Loughran exercised options to dispose of stock worth $584,099; and president of workforce solutions Rodolfo Ploder sold $250,458 worth of stock on August 2 of this year – four days after the data breach discovery.
Just hours after the official data breach announcement, Equifax shares tumbled 13%, according to Bloomberg.
Steve E. Driz, I.S.P., ITCP