
Equifax Hack Exposes 143 Million



Equifax, a provider of consumer credit reports, said it experienced a data breach affecting as many as 143 million US people after criminals exploited a vulnerability on its website. The US population is about 324 million people, so that's about 44 percent of its population.


The data exposed in the hack includes names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers. The hackers also accessed credit card numbers for 209,000 US consumers and dispute documents with personal identifying information for about 182,000 US people. Limited personal information for an unknown number of Canadian and UK residents was also exposed. Equifax—which also provides credit monitoring services for people whose personal information is exposed—said the unauthorized access occurred from mid-May through July. Equifax officials discovered the hack on July 29.


"Criminals exploited a US website application vulnerability to gain access to certain files," Equifax said in a statement late Thursday, without elaborating. That leaves open a wide range of possibilities, with injection bugs, faulty authentication mechanisms, and cross-site scripting vulnerabilities topping the list of the most widely exploited website flaws.


This isn't the first time a garden-variety website flaw has been exploited to obtain a massive amount of sensitive data. Associates of Albert Gonzalez, a convicted hacker who was sentenced to 11 years in federal prison, exploited a SQL-injection flaw that helped them obtain data for 130 million credit cards. On Wednesday, exploit code for a nine-year-old code-execution vulnerability in Apache Struts 2—a software framework used by many large financial service websites—went public, but there was no immediate indication that the Equifax site uses it.

This isn't the first time Equifax has been involved in a breach that exposed sensitive consumer data. In 2013, the company confirmed that the personal details for famous people—including US Vice President Joe Biden, FBI Director Robert Mueller, Attorney General Eric Holder, and rap star Jay Z—were exposed on annualcreditreport.com, a site that allows consumers to monitor their credit reports. Lax security on the site allowed people to gain unauthorized access to other people's reports by supplying their previous addresses, mortgages, outstanding loans, and other details that are often widely known.


People who want to know if their data was exposed can enter their last name and the last six digits of their Social Security number on this page. Unfortunately, the responses to those queries are extremely opaque. Another major shortcoming: the site is hosted on a third-party domain that's protected by a TLS certificate that wasn't being properly checked for revocation at the time this post was being written. On Thursday, Equifax offered to provide free credit monitoring for people affected by the latest breach.
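The injection class named above (the same class behind the Gonzalez card-data theft) shown as an added example that is not from the article quoted in this post: a lookup that splices user input into the SQL text beside the parameterized form that closes the hole. The table, rows and the `TAUTOLOGY` input are constructed for the demonstration.

```python
import sqlite3

# Constructed sample table: usernames with a last-four-digits field, nothing real.
SAMPLE_ROWS = [("alice", "1234"), ("bob", "5678"), ("carol", "9012")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reports (username TEXT, ssn_last4 TEXT)")
    conn.executemany("INSERT INTO reports VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: untrusted input is spliced into the statement text, so a
    quote character in the input changes the structure of the query itself."""
    sql = f"SELECT username FROM reports WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the statement text is fixed and the value travels as a
    bound parameter, so the same input is compared as a plain string literal."""
    sql = "SELECT username FROM reports WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


# The textbook tautology that turns the WHERE clause into an always-true test.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, benign input :", lookup_vulnerable(conn, "alice"))
    print("vulnerable, tautology    :", lookup_vulnerable(conn, TAUTOLOGY))
    print("parameterized, tautology :", lookup_safe(conn, TAUTOLOGY))
```

The vulnerable function returns every row for the tautology input because the quote in the input terminates the intended string literal; the parameterized version returns nothing for it, since no username equals that string. The fix is not escaping but keeping data out of the statement text entirely.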



Equifax says hack potentially exposed details of 143 million consumers


(Reuters) - Equifax Inc, a provider of consumer credit scores, said personal details of as many as 143 million U.S. consumers were accessed by hackers between mid-May and July, in what could be one of the largest data breaches in the United States.


The company’s shares were down 8.7 percent at $134.16 in after-market trading on Thursday.

The details accessed included names, social security numbers, and, in some cases, driver’s license numbers, Equifax said.


In addition, credit card numbers of around 209,000 U.S. consumers and certain dispute documents with personal identifying information of around 182,000 U.S. consumers were accessed, the company said.


“The sheer scope of the breach is extremely troubling,” said Ryan Kalember, senior vice president of the cyber-security firm Proofpoint Inc.


Equifax also said personal information of certain UK and Canadian residents was hacked.


The company said it was working with law enforcement agencies and had hired a cyber-security firm to investigate.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” Chief Executive Richard Smith said in a statement.


Atlanta-based Equifax tracks consumer history and credit card scores for borrowers and lenders. The company also helps consumers manage and protect their personal information.


“On a scale of 1 to 10, this is a 10. It affects the whole credit reporting system in the United States because nobody can recover it, everyone uses the same data,” Avivah Litan, a Gartner Inc analyst who tracks identity theft and fraud, told Reuters.


More at Source



A bit on how they did it, from Woody...

Looks like the bad guys may have broken into Equifax using a known hole in Apache Struts

Apache Struts is an open-source package that runs on servers to help Java web developers. Translation: If you don’t understand, you don’t need to worry about it.



Apache Struts is very common around the web. Last week, Bas van Schaik on the lgtm blog said:

Analyst Fintan Ryan at RedMonk estimates that at least 65% of the Fortune 100 companies are actively using web applications built with the Struts framework. Organizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and SHOWTIME are known to have developed applications using the framework.

Struts has been patched, and versions 2.3.34 and 2.5.13 don’t have the problem.


Keith Collins on the Quartz blog explains that it isn’t clear if the Equifax hack took advantage of a bug disclosed in March, or one divulged in September.


Dan Goodin, in an Ars Technica post from late last week, has details from a programming point of view.


Source: Looks like the bad guys may have broken into Equifax using a known hole in Apache Struts (AskWoody - Woody Leonhard)
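An added example, not part of the AskWoody post or of any Equifax or Apache code: a small audit that reads a Maven `pom.xml` and flags Struts 2 dependencies older than the patched releases the post names (2.3.34 and 2.5.13). It assumes that a release below the fixed version within its own branch should be treated as unpatched, reports versions it cannot resolve (property placeholders, other branches) as unknown rather than guessing, and the POM fragment is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Patched releases as stated in the post. Assumption for this audit: any release
# below the fixed version within the same branch is treated as unpatched.
FIXED_VERSIONS = {"2.3": (2, 3, 34), "2.5": (2, 5, 13)}
STRUTS_GROUP = "org.apache.struts"

# Constructed pom.xml fragment; coordinates are illustrative, not from a real project.
SAMPLE_POM = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.32</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>2.5.13</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-convention-plugin</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
    </dependency>
  </dependencies>
</project>
"""


def local_name(tag: str) -> str:
    """Strip the Maven XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def child_text(elem: ET.Element, name: str) -> str:
    """Text of the first direct child with the given local name, or ''."""
    for child in elem:
        if local_name(child.tag) == name:
            return (child.text or "").strip()
    return ""


def parse_version(text: str):
    """'2.3.32' -> (2, 3, 32); None for placeholders such as ${struts.version}."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def struts_status(version_text: str) -> str:
    """Classify one Struts 2 version string as patched, unpatched or unknown."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # unresolved property or unusual version string: check by hand
    fixed = FIXED_VERSIONS.get(f"{v[0]}.{v[1]}")
    if fixed is None:
        return "unknown"  # branch not covered by the fixed releases named in the post
    return "patched" if v >= fixed else "unpatched"


def audit_pom(pom_xml: str) -> list:
    """Return (artifactId, version, status) for every Struts 2 dependency in the POM."""
    root = ET.fromstring(pom_xml)
    findings = []
    for elem in root.iter():
        if local_name(elem.tag) != "dependency":
            continue
        if child_text(elem, "groupId") != STRUTS_GROUP:
            continue
        artifact = child_text(elem, "artifactId")
        version = child_text(elem, "version")
        findings.append((artifact, version, struts_status(version)))
    return findings


if __name__ == "__main__":
    for artifact, version, status in audit_pom(SAMPLE_POM):
        print(f"{artifact:<28} {version:<20} {status}")
```

Running it over the constructed POM flags `struts2-core` 2.3.32 as unpatched, accepts `struts2-rest-plugin` 2.5.13, and marks the `${struts.version}` placeholder as unknown so that it gets resolved against the parent POM rather than silently passing. On a real tree, the same check belongs in CI alongside the deployed WAR's bundled jar names, since the POM and what is actually on the server can disagree.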
