A data breach at credit reporting bureau Equifax has exposed sensitive data on a staggering 143 million US consumers and evoked widespread concern about consequences for victims that could last for years.
The breach is already being described as potentially one of the most damaging ever with many holding it up as a reason for stricter security enforcement on organizations like Equifax that collect and hold extraordinary amounts of sensitive data.
In an alert Thursday, Equifax said intruders had exploited a website application vulnerability and accessed files containing names, Social Security Numbers, birth dates, and addresses belonging to what amounts to more than 40% of the US population. Also compromised in the intrusion, which lasted from mid-May through July 2017, was driver's license information belonging to an unspecified number of victims and credit card data for some 209,000 consumers.
Equifax said that so far, there is no evidence to show that its core consumer and commercial credit reporting databases were impacted in the breach.
As is standard with such notifications, the Equifax alert offered no details on the security failures that might have contributed to a breach of this magnitude. It merely noted that victims would receive one year's worth of free credit monitoring and directed them to a webpage where they could check if their data had been compromised and enroll for the monitoring.
"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do," Equifax chairman and chief executive officer, Richard Smith said in the statement. "I apologize to consumers and our business customers for the concern and frustration this causes."
News of the breach sent Equifax's share price down by nearly 15% at one point from around $143 Thursday mid-day to $121.50 a day later, before recovering marginally Friday afternoon.
The disclosure also evoked widespread criticism from many across the security industry.
"This breach hits home because its impact could potentially be on half of [the] adult population in the U.S.," says Jess Parnell, director of information security at Centripetal Networks. "Unless you are off the grid entirely and don't use money or credit cards, Equifax probably has your information and you are at risk."
All kinds of institutions including banks, hospitals, mobile phone providers, insurance companies and utilities use the kind of personal data that was breached in the Equifax incident to authenticate consumer identities for daily transactions, says Brian Vecci, technical evangelist at Varonis.
"Credit bureaus have to gather and keep the most sensitive digital information many people have," he says. "They have to be held to the absolute highest standards of security," he adds, predicting that the breach will have a cascading effect on other organizations for years to come.
Adam Meyer, chief security strategist at SurfWatch Labs, also worries that the breach could undermine the credit-based identity authentication schemes that many organizations employ to combat their own forms of fraud.
These are the knowledge-based authentication mechanisms in which users are asked for information from their credit files that only they should know, such as past addresses, recent loans and credit applications. Many government agencies and organizations rely on such mechanisms to support employment verification, social services verification and other applications. "The strength in this authentication is the fact that only the user should know this information when challenged," he says. Depending on the full scope of the Equifax breach, that assurance may now be gone, opening the gates to new kinds of fraud.
In the absence of any details from Equifax, security executives have offered several theories on what might have happened. Many see the intrusion as yet another example of failure by a company to adhere to proper application security standards and practices.
Over the years, analysts have routinely warned about the need for organizations to address the substantial and growing number of vulnerabilities present in the web applications they use.
Organizations such as the Open Web Application Security Project (OWASP) and the SANS Institute have for years highlighted the most prevalent security flaws in web applications in the hope of getting organizations to close them. Numerous application security practices have emerged in recent years to help organizations prevent, detect, and fix vulnerabilities in their application stack, from the code development stage through deployment and ongoing use.
To many, the Equifax breach is yet another example of an organization that should know better failing to apply such practices robustly enough.
This is not the first time that one of the three credit bureaus has experienced a breach. In 2015, an internal server compromise at Experian exposed names, SSNs, birth dates and other information belonging to 15 million people who had applied for financing with T-Mobile USA.
Some see the sheer scope of the latest breach, and the apparent security failure that led to it, as reason enough why Equifax should be made an example of and forced out of business. "There is no reason to have three credit bureaus that want to seem quasi-governmental when it is convenient, and for profit when it isn't," says Hank Thomas, partner and COO at Strategic Cyber Ventures.
"If they are going to be entrusted with our most sensitive data, essentially without our direct permission, all of the credit bureaus should be forced to have world-class security programs," Thomas says.
Jeremiah Grossman, chief of security strategy at SentinelOne, says breaches like this highlight how consumers are at the mercy of third-party data brokers.
"There are potentially thousands of organizations—large and small—who are custodians of our personal information, who we are not customers of, who we have no control over, may not even know exist, and where we have limited recourse — when they get hacked."
Very few breaches in recent years have resulted from an exploit or attack technique that wasn't already known and should have been protected against. But many organizations are simply not incentivized to make changes because there has been little fear of financial liability, he says. "To correct the situation, we're going to need a combination of government assistance and a change in our social norms."
What is needed are unified breach disclosure requirements, financial liabilities for data breaches and warranties from vendors guaranteeing the security of their products. "These would be powerful and crucial levers to counteract the unnecessary and routine nature of data breaches," Grossman says.
- Experian Gets Hacked, Exposing SSNs, Data From 15 Million T-Mobile Customers
- $12B in Fraud Loss Came from Data Breach Victims in 2016
- Experian uses alternative data to help verify international identities
- The 7 Most Significant Government Data Breaches