Considered one of the worst data breaches in history, the credit reporting agency Equifax announced last Thursday that hackers stole records containing personal information that could affect roughly half the American population. In its Sept. 7th statement, Equifax said that consumer information accessed includes names, Social Security numbers, birth dates, addresses, and in some instances driver’s license numbers as well as credit card numbers for approximately 209, 000 consumers.
Equifax is one of the three largest companies that track credit histories of everybody who takes out a loan or signs up a credit card, creating proprietary “scores” that help lenders evaluate a potential borrower’s ability to pay. The information accessed is the same information that large companies use in combination to authenticate customers identities when calling customer service or logging into their account.
Once in the hands of cyberthieves, your social security in combination with other personal data, can be used to impersonate you to apply for loans, housing, utilities and even government benefits. Or worse, the Equifax hackers might sell the data on the open market who will use it for nefarious purposes.
Little of the technical details are known about the breach. We do know that the hackers behind the attack exploited a in the open-source software programming framework for building web applications in Java called Apache Struts to gain access to certain files.
Specifically, the vulnerability is related to mishandling of file upload, allowing attacker to execute code remotely by crafting the Content-Type HTTP header of the request. Such remote code execution capability can then be used for malicious purposes such as infecting computers with ransomware or other types of malware.
While the investigation into the breach is ongoing, Equifax said it has found no evidence to date of any unauthorized activity on the company’s core consumer or commercial credit reporting databases.1
Additional questions about the breach have yet been answered. Why were web applications tied to so much sensitive consumer data left unpatched? Was the data stolen acquired in encrypted form? If the data was encrypted, then where was the decryption key taken from and how? Was the data accessed while in rest, or intercepted in transit?
As vulnerabilities are exploited every day, additional safeguards should be in place on the data layer in order to ensure that all sensitive data is being encrypted end-to-end.
The scope of this breach raises serious questions about how large companies are addressing digital security in the first place and how enterprises will approach data protection such that they will have fewer incentives to collect and store large, centralized sets of highly sensitive data that can easily be exploited.
We will update this blog as more information about the breach is made available.