Dark Reading is part of the Informa Tech Division of Informa PLC

Equifax Data Breach Prompts Calls For Tougher Security Requirements On Data Aggregators

Credit report bureau discloses breach that exposed data on 143 million US consumers.

A data breach at credit reporting bureau Equifax has exposed sensitive data on a staggering 143 million US consumers and evoked widespread concern about consequences for victims that could last for years.

The breach is already being described as potentially one of the most damaging ever with many holding it up as a reason for stricter security enforcement on organizations like Equifax that collect and hold extraordinary amounts of sensitive data.

In an alert Thursday, Equifax said intruders had exploited a website application vulnerability and accessed files containing names, Social Security Numbers, birth dates, and addresses belonging to what amounts to more than 40% of the US population. Also compromised in the intrusion, which lasted from mid-May through July 2017, was driver's license information belonging to an unspecified number of victims and credit card data for some 209,000 consumers.

Equifax said that so far, there is no evidence to show that its core consumer and commercial credit reporting databases were impacted in the breach.

As is standard with such notifications, the Equifax alert offered no details on the security failures that might have contributed to a breach of this magnitude. It merely noted that victims would receive one year's worth of free credit monitoring and directed them to a webpage where they could check if their data had been compromised and enroll for the monitoring.

"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do," Equifax chairman and chief executive officer, Richard Smith said in the statement. "I apologize to consumers and our business customers for the concern and frustration this causes."

News of the breach sent Equifax's share price down by nearly 15% at one point from around $143 Thursday mid-day to $121.50 a day later, before recovering marginally Friday afternoon.

The disclosure also evoked widespread criticism from many across the security industry.

"This breach hits home because its impact could potentially be on half of [the] adult population in the U.S.," says Jess Parnell, director of information security, at Centripetal Networks. "Unless you are off the grid entirely and don't use money or credit cards, Equifax probably has your information and you are at risk."

All kinds of institutions including banks, hospitals, mobile phone providers, insurance companies and utilities use the kind of personal data that was breached in the Equifax incident to authenticate consumer identities for daily transactions, says Brian Vecci, technical evangelist at Varonis.

"Credit bureaus have to gather and keep the most sensitive digital information many people have," he says. "They have to be held to the absolute highest standards of security." He predicts the breach will have a cascading effect on other organizations for years to come.

Adam Meyer, chief security strategist at SurfWatch Labs, also worries that the breach could affect the credit-based identity authentication schemes that many organizations employ to combat their own forms of fraud.

These are the authentication mechanisms in which users are asked for information from their credit files that only they should know, such as past addresses, recent loans, and credit applications. Many government agencies and organizations use such mechanisms to support employment verification, social services verification, and other applications. "The strength in this authentication is the fact that only the user should know this information when challenged," he says. Depending on the full scope of the Equifax breach, that assurance may now be gone, opening the gates to new kinds of fraud.
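To make the point above concrete, here is an added illustration (not Equifax's or any vendor's code) of how a defender might re-score a credit-file knowledge-based authentication (KBA) challenge once the record fields behind its answers are known to be exposed. The question set, option counts and the mapping of breached categories onto fields are constructed assumptions for the example.

```python
"""Estimate how much assurance a credit-file KBA challenge retains once
some of the record fields its answers derive from are known to be exposed.

Added illustration, not Equifax's or any vendor's code. The question set,
option counts and field mapping are constructed for the example.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class KbaQuestion:
    text: str
    options: int            # plausible answers an attacker must guess among
    depends_on: frozenset   # record fields whose exposure reveals the answer


# Constructed challenge set modelled on the question types described above.
QUESTIONS = (
    KbaQuestion("Which of these streets have you lived on?", 4, frozenset({"address_history"})),
    KbaQuestion("Last four digits of your SSN?", 10_000, frozenset({"ssn"})),
    KbaQuestion("Your date of birth?", 36_500, frozenset({"dob"})),
    KbaQuestion("Which lender holds your most recent auto loan?", 4, frozenset({"tradelines"})),
    KbaQuestion("In what month did you open your newest card?", 12, frozenset({"tradelines"})),
)

# Constructed mapping of the categories named in the breach notice onto
# record fields. Tradeline detail lives in the core credit database, which
# the notice said was not impacted, so it is treated as still private.
EXPOSED_FIELDS = frozenset({"name", "ssn", "dob", "address_history", "drivers_license"})


def is_private(question, exposed):
    """A question is still private unless every field it depends on is exposed."""
    return not question.depends_on <= exposed


def remaining_bits(questions, exposed):
    """Guessing work (bits) left for an attacker holding the exposed fields.
    Exposed questions contribute nothing; private ones contribute log2(options)."""
    return sum(math.log2(q.options) for q in questions if is_private(q, exposed))


def kba_decision(questions, exposed, min_bits=8.0):
    """Return ("allow", bits) if the challenge still meets policy, otherwise
    ("step_up", bits) so the caller requires an additional factor."""
    bits = remaining_bits(questions, exposed)
    return ("allow" if bits >= min_bits else "step_up", bits)


if __name__ == "__main__":
    print(kba_decision(QUESTIONS, frozenset()))      # before the breach: allow
    print(kba_decision(QUESTIONS, EXPOSED_FIELDS))    # after the breach: step_up
```

With the constructed mapping, only the two tradeline questions stay private, leaving under six bits of guessing work, so the policy falls back to a step-up factor rather than trusting the credit-file challenge alone.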

In the absence of any details from Equifax, security executives have offered several theories on what might have happened. Many see the intrusion as yet another example of failure by a company to adhere to proper application security standards and practices.

Over the years, analysts have routinely warned about the need for organizations to address the substantial and growing number of vulnerabilities present in the web applications they use.

Organizations such as the Open Web Application Security Project (OWASP) and the SANS Institute have for years highlighted the most prevalent security flaws in web applications in the hope of getting organizations to close them. Numerous application security practices have emerged in recent years to help organizations prevent, detect, and fix vulnerabilities in their application stack, from the code development stage through the rest of the application's lifecycle.

The Equifax breach, to many, is another example of an organization that is supposed to know better failing to apply such practices robustly enough.

This is not the first time that one of the three credit bureaus has experienced a breach. In 2015, an internal server compromise at Experian exposed names, SSNs, birth dates and other information belonging to 15 million people who had applied for financing with T-Mobile USA.

Some see the sheer scope of the latest breach, and the apparent security failure that led to it, as enough reasons why Equifax should be made an example of and forced out of business. "There is no reason to have three credit bureaus that want to seem quasi-governmental when it is convenient, and for profit when it isn't," says Hank Thomas, partner and COO at Strategic Cyber Ventures.

"If they are going to be entrusted with our most sensitive data, essentially without our direct permission, all of the credit bureaus should be forced to have world-class security programs," Thomas says.

Jeremiah Grossman, chief of security strategy at SentinelOne, says breaches like this highlight how consumers are at the mercy of third-party data brokers.

"There are potentially thousands of organizations—large and small—who are custodians of our personal information, who we are not customers of, who we have no control over, may not even know exist, and where we have limited recourse — when they get hacked."

Very few breaches in recent years have resulted from an exploit or attack technique that wasn't known before and should have been protected against. But many organizations are just not incentivized enough to make changes because there has been little fear of financial liability, he says. "To correct the situation, we’re going to need a combination of government assistance and a change in our social norms."

What is needed are unified breach disclosure requirements, financial liabilities for data breaches and warranties from vendors guaranteeing the security of their products. "These would be powerful and crucial levers to counteract the unnecessary and routine nature of data breaches," Grossman says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

User Rank: Apprentice
9/16/2017 | 6:12:53 PM
The Cybersecurity Battle - Time to Give Up?
Maybe it is time for a different approach for cybersecurity? See post on LinkedIn below.
User Rank: Strategist
9/8/2017 | 3:13:45 PM
The End Game
Once data is released, there's no getting it back. Unless something changes, more and more data will be released. As analytics advances, much more data will be made knowable through inference (having "yellow" and "blue" allows you to infer "green" with great confidence). We need to focus on how to make private data useless to thieves. If someone who is not me cannot use my data to impersonate me, then I don't really care that it's out there. Medical data and other types of personal information are on a different level. They can be used to extort people who might be vulnerable to such criminal methods. Part of our problem is that it's still too easy to impersonate someone else with a little bit of their data. That's the core problem we really aren't addressing. At some point, we run out of fingers to put in the dike.
User Rank: Strategist
9/8/2017 | 2:58:12 PM
Despicable and probably criminal
Equifax is despicable to include an arbitration clause in the sign-up acknowledgement as a prerequisite in front of the free credit monitoring offering. That consent waives a consumer's right to class action.

The EFX stock sales by company officers following the breach (some $1.8M) should be investigated by the SEC, too.