Description of the Breach
An estimated 143,000,000 individuals were exposed to identity theft in the recent data breach of Equifax, one of the three major credit reporting agencies in the United States. Social Security numbers, birth dates, addresses, and drivers licenses numbers were exposed. Credit card numbers for approximately 209,000 people were also compromised, in addition to personal information of clients in Canada and the UK.
Equifax disclosed the breach on September 7th, 2017. They have not disclosed the specific date of entry and initial infiltration of their systems, but they have acknowledged that hackers were in their network from around mid-May to July. Equifax says they discovered the breach on July 29, 2017, five weeks before they notified the public. There are also reports that an additional breach of their systems occurred in March, which was not disclosed. The SEC issued guidelines in October of 2011, advising companies of their obligation to disclose incidents, but they did not specify how long a company has to disclose the information after discovery.
Equifax has been found to still have lax security in place. KrebsOnSecurity has reported that Veraz, an “online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country”, was vulnerable to attack. A US based security firm discovered that the password combination, “admin/admin”, granted them administrative access to the application. They were then able to access the record of over 14,000 credit dispute forms, containing DNI numbers, the Argentinian equivalent of a Social Security Number, and other personally identifiable information of those who filed these disputes. The User ID/password information for more than 100 employees was also available. Once authenticated with the “admin/admin” user account, the user could modify, add, or delete accounts in this system. Equifax was notified of these vulnerabilities on September 17, 2017 and proceeded disable the Veraz portal the same day. Equifax has operations in several other nations in this region, including Brazil, Chile, Ecuador, Paraguay, Peru and Uruguay. At this time, it is unclear if the lax security in Argentina, is indicative of the situation in their other South American operations.
Equifax has has set up a website (equifaxsecurity2017.com) to help keep the public informed about this incident. This site contains a link to a site that will allow individuals to check whether their information was compromised. This site requires you enter the last six digits of your social security number and last name, in order to verify one’s identity. It has been reported by ZDNet that this site also has known vulnerabilities, making it possible for attackers to spoof the site and potentially steal users information. So, please take caution.
*If your information has been compromised, you should receive written notification, at the last known address, in your credit file.*
Steps to take to protect yourself.
1) Monitor your credit file: It is strongly advised that you monitor your credit report, on a regular basis. The FCRA obligates credit reporting agencies to furnish a copy of your credit report, free of charge, once per year, upon request. This can be requested online, at AnnualCreditReport.com. The FCRA also entitles you to a copy of your credit report, if you were denied credit, or the victim of identity theft.
Review the transactions on your credit cards and bank accounts regularly and report any misuse to your financial institution immediately. If you bank online, you may be able to setup email or text alerts on your account using your banking portal to let you know when there is activity. Check with your financial institution to find out more.
2) Enroll in credit monitoring: There are many reputable organizations that offer credit monitoring services. These companies will notify you of any changes to your credit report, enabling you to take action quickly, when you notice something in error. As a result of this breach, Equifax is offering one year of free credit monitoring, provided by their subsidiary TrustedID Premier, regardless of if you were affected by the breach. The original terms of service for accepting this “free” service, contained a clause stating that you agree to arbitration for any legal dispute surrounding your use of the Equifax Trusted ID Premier brand of product. Equifax has since updated the terms of service to remove this clause and has issued a statement to clarify that this clauses would not apply to this incident.
3) Place a freeze on your credit: One can place a temporary “freeze” on their credit. While this freeze is in place, any creditors who receive a request to issue new credit are supposed to contact you, using a method you provide when placing the freeze, before approving any new account. Though, there is no legal obligation for the creditor to abide by this process. This freeze typically last for 90 days, but can be renewed. There is a fee, which can be waived, if you are a victim of an identity theft crime.
As a result of this breach, Equifax is waiving the fees for placing a freeze on one’s credit, through November 21, 2017.
4) Place a fraud alert on your credit: Setup a fraud alert through the credit bureaus. A fraud alert is different than a credit freeze and allows creditors to get a copy of your credit report as long as they take steps to verify your identity. Fraud alerts may be effective at stopping someone from opening new credit accounts in your name, but they may not prevent the misuse of your existing accounts. You still need to monitor all bank, credit card and insurance statements for fraudulent transactions. There are three types of fraud alerts available:
- Initial fraud alerts, for people concerned about identity theft but have not yet been victimized, last for at least 90 days and protect your credit from unverified access.
- Extended fraud alerts, for victims of identity theft, protect your credit for seven years.
- Active Duty Military Alert, for military members wanting to protect their credit while deployed, last for one year.
You only have to contact one of the credit reporting companies (Equifax, Trans Union, or Experian) to put a fraud alert on your credit. The one you contact will contact the others and they, in turn, will place a fraud alert on your report. Fraud alerts are free.
You can find more information on protecting your identity, what to do if your personal information is potentially compromised, and what to do if your identity has been stolen at:
https://www.annualcreditreport.com/protectYourIdentity.action and https://www.identitytheft.gov/.
Method of Exploitation
Equifax failed to patch a known web application server vulnerability (CVE-2017-5638) in an Apache Struts 2 application. The patch for this vulnerability was released on March 6, 2017. Apache Struts is an open-source, MVC framework, used by enterprises to develop custom Java web applications. For a more in-depth review of what is currently known about the methods of infiltration, we recommend reading the article “Equifax Confirms Hackers Used Apache Struts Vulnerability to Breach Its Servers“, published by BleepingComputer.com