Equifax is one of the largest credit reporting agencies in America, which makes an announcement the company just issued particularly disconcerting. An authorized third party gained access to Equifax data on as many as 143 million Americans. That's nearly half the population of the United States as of the last census.
Equifax announced the incident this afternoon. According to the report, the breach was discovered on July 29th. Included among files accessed by hackers was a treasure trove of personal data: names, dates of birth, Social Security numbers, addresses.
In some cases -- Equifax states around 209,000 -- the records also included actual credit card numbers. Documentation about disputed charges was also leaked. Those documents contained additional personal information on around 182,000 Americans.
So how did hackers gain access to the Equifax data? By exploiting a vulnerability on one of the company's U.S.-based web servers. On the surface, at least, that seems to indicate that one of the three major U.S. credit bureaus was victimized by a relatively unsophisticated attack.
Alex Heid, chief security researcher at SecurityScorecard has seen this before. "As surprising as it seems, the same web application vulnerabilities from decades ago are still some of primary vectors that are leveraged by hackers in modern attack scenarios," he said in a comment to Forbes. Heid added that "it seems that the underlying legacy codebase that handled the [Equifax] web application was vulnerable enough for an attacker to exploit."
Personal data like this is a major score for cybercriminals who will likely look to capitalize on it any way they can. One of those ways is by selling off bits like SSNs and drivers' licenses -- which can fetch as much as $20 a piece, according to Patrick Tiquet, Director of Security & Architecture at Keeper Security. And even though Social Security numbers sell for just 1/20th that price, multiply that by 143 million and the attackers could be looking at a major payday.
Another way they may try to profit is by launching targeted phishing campaigns. Noted security researcher Kenneth White believes that "Based on the disclosure, the impact of this could be as far-reaching as the OPM breach." The OPM -- Office of Personnel Management -- fell victim to a hack in June of 2015. Months later, ransomware criminals used the 22 million stolen email addresses to launch a large-scale attack.
The July breach is not the first the company has had to deal with. Earlier this year its TALX payroll group was victimized by hackers. Equifax also isn't the only U.S. credit bureau to be successfully attacked. Experian, the second of the three major bureaus, saw hackers gain unauthorized access to data on 15 million Americans in 2015.
It all paints a pretty grim picture of security at the credit bureaus. Noted researcher Brian Krebs feels that the bureaus "have for the most part shown themselves to be terrible stewards of very sensitive data, and are long overdue for more oversight from regulators and lawmakers."
That oversight could well be coming. Senator Mark Warner, who leads the Senate Cybersecurity Caucus, is extremely concerned about the Equifax breach. It is no exaggeration to suggest that a breach such as this," he said in a statement, "exposing highly sensitive personal and financial information central for identity management and access to credit– represents a real threat to the economic security of Americans.”
Warner also mentioned the need to "create a uniform data breach notification standard" and "rethink data protection policies."
For its part, Equifax disclosed the breach quickly and was quick to point out that its "core consumer and commercial credit reporting databases" were not accessed. The roughly 400,000 individuals whose credit card numbers or dispute data were accessed will be notified directly by mail.
The company has created a dedicated website to educate those impacted about the risks, and a call center is open from 7am to 1am Eastern to answer questions. Equifax will also be providing free credit monitoring services for all those affected -- you may need to try a few times to complete the registration process as servers have been overwhelmed with requests thus far.
~ Forbes; Lee Mathews