Attacks/Breaches | 9/8/2017 01:57 PM
Equifax Data Breach Prompts Calls For Tougher Security Requirements On Data Aggregators

Credit report bureau discloses breach that exposed data on 143 million US consumers.

A data breach at credit reporting bureau Equifax has exposed sensitive data on a staggering 143 million US consumers and evoked widespread concern about consequences for victims that could last for years.

The breach is already being described as potentially one of the most damaging ever, with many holding it up as a reason for stricter security enforcement on organizations like Equifax that collect and hold extraordinary amounts of sensitive data.

In an alert Thursday, Equifax said intruders had exploited a website application vulnerability and accessed files containing names, Social Security Numbers, birth dates, and addresses belonging to what amounts to more than 40% of the US population. Also compromised in the intrusion, which lasted from mid-May to July 2017, were driver's license information belonging to an unspecified number of victims and credit card data for some 209,000 consumers.

Equifax said that so far, there is no evidence to show that its core consumer and commercial credit reporting databases were impacted in the breach.

As is standard with such notifications, the Equifax alert offered no details on the security failures that might have contributed to a breach of this magnitude. It merely noted that victims would receive one year's worth of free credit monitoring and directed them to a webpage where they could check if their data had been compromised and enroll for the monitoring.

"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do," Equifax chairman and chief executive officer Richard Smith said in the statement. "I apologize to consumers and our business customers for the concern and frustration this causes."

News of the breach sent Equifax's share price down by nearly 15% at one point from around $143 Thursday mid-day to $121.50 a day later, before recovering marginally Friday afternoon.

The disclosure also evoked widespread criticism from many across the security industry.

"This breach hits home because its impact could potentially be on half of [the] adult population in the U.S.," says Jess Parnell, director of information security, at Centripetal Networks. "Unless you are off the grid entirely and don't use money or credit cards, Equifax probably has your information and you are at risk."

All kinds of institutions including banks, hospitals, mobile phone providers, insurance companies and utilities use the kind of personal data that was breached in the Equifax incident to authenticate consumer identities for daily transactions, says Brian Vecci, technical evangelist at Varonis.

"Credit bureaus have to gather and keep the most sensitive digital information many people have," he says. "They have to be held to the absolute highest standards of security." He predicts the breach will have a cascading effect on other organizations for years to come.

Adam Meyer, chief security strategist at SurfWatch Labs, also worries that the breach could have an impact on the credit-based identity authentication schemes that many organizations employ to combat their own forms of fraud.

These are the authentication mechanisms where users are asked for information from their credit files that only they would know, such as past addresses, recent loans, and credit applications. Many government agencies and organizations use such mechanisms to support employment verification, social services verification, and other applications. "The strength in this authentication is the fact that only the user should know this information when challenged," he says. Depending on the full scope of the Equifax breach, that assurance may now be gone, opening up the gates to new kinds of fraud.

In the absence of any details from Equifax, security executives have offered several theories on what might have happened. Many see the intrusion as yet another example of failure by a company to adhere to proper application security standards and practices.

Over the years, analysts have routinely warned about the need for organizations to address the substantial and growing number of vulnerabilities present in the web applications they use.

Organizations such as the Open Web Application Security Project (OWASP) and the SANS Institute have for years highlighted the most prevalent security flaws in web applications in the hope of getting organizations to close them. Numerous application security practices have emerged in recent years to help organizations prevent, detect, and fix vulnerabilities in their application stack, from development through production use.

To many, the Equifax breach is another example of organizations that should know better failing to apply such practices robustly enough.

This is not the first time that one of the three credit bureaus has experienced a breach. In 2015, an internal server compromise at Experian exposed names, SSNs, birth dates and other information belonging to 15 million people who had applied for financing with T-Mobile USA.

Some see the sheer scope of the latest breach, and the apparent security failure that led to it, as enough reasons why Equifax should be made an example of and forced out of business. "There is no reason to have three credit bureaus that want to seem quasi-governmental when it is convenient, and for profit when it isn't," says Hank Thomas, partner and COO at Strategic Cyber Ventures.

"If they are going to be entrusted with our most sensitive data, essentially without our direct permission, all of the credit bureaus should be forced to have world-class security programs," Thomas says.

Jeremiah Grossman, chief of security strategy at SentinelOne, says breaches like this highlight how consumers are at the mercy of third-party data brokers.

"There are potentially thousands of organizations—large and small—who are custodians of our personal information, who we are not customers of, who we have no control over, may not even know exist, and where we have limited recourse — when they get hacked."

Very few breaches in recent years have resulted from an exploit or attack technique that wasn't known before and should have been protected against. But many organizations are just not incentivized enough to make changes because there has been little fear of financial liability, he says. "To correct the situation, we’re going to need a combination of government assistance and a change in our social norms."

What is needed are unified breach disclosure requirements, financial liabilities for data breaches and warranties from vendors guaranteeing the security of their products. "These would be powerful and crucial levers to counteract the unnecessary and routine nature of data breaches," Grossman says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
Comments
mattrjohnson21 (User Rank: Apprentice), 9/16/2017 6:12:53 PM
The Cybersecurity Battle - Time to Give Up?
Maybe it is time for a different approach for cybersecurity? See post on LinkedIn below.
https://www.linkedin.com/pulse/give-up-cybersecurity-programs-matthew-r-johnson-cpa-cisa/?trackingId=UbDoa%2BG4FpxaeSIyMQIzGg%3D%3D
lunny (User Rank: Strategist), 9/8/2017 3:13:45 PM
The End Game
Once data is released, there's no getting it back. Unless something changes, more and more data will be released. As analytics advances, much more data will be made knowable through inference (having "yellow" and "blue" allows you to infer "green" with great confidence). We need to focus on how to make private data useless to thieves. If someone who is not me cannot use my data to impersonate me, then I don't really care that it's out there. Medical data and other types of personal information are on a different level. They can be used to extort people who might be vulnerable to such criminal methods. Part of our problem is that it's still too easy to impersonate someone else with a little bit of their data. That's the core problem we really aren't addressing. At some point, we run out of fingers to put in the dike.
cybersavior (User Rank: Strategist), 9/8/2017 2:58:12 PM
Despicable and probably criminal
Equifax is despicable to include an arbitration clause in the sign-up acknowledgement as a prerequisite in front of the free credit monitoring offering. That consent waives a consumer's right to class action.

The EFX stock sales by company officers following the breach (some $1.8M) should be investigated by the SEC, too.