Equifax Data Breach Prompts Calls For Tougher Security Requirements On Data Aggregators

Credit report bureau discloses breach that exposed data on 143 million US consumers.

A data breach at credit reporting bureau Equifax has exposed sensitive data on a staggering 143 million US consumers and evoked widespread concern about consequences for victims that could last for years.

The breach is already being described as potentially one of the most damaging ever with many holding it up as a reason for stricter security enforcement on organizations like Equifax that collect and hold extraordinary amounts of sensitive data.

In an alert Thursday, Equifax said intruders had exploited a website application vulnerability and accessed files containing names, Social Security Numbers, birth dates, and addresses belonging to what amounts to more than 40% of the US population. Also compromised in the intrusion, which lasted from mid-May to July 2017, was driver's license information belonging to an unspecified number of victims and credit card data for some 209,000 consumers.

Equifax said that so far, there is no evidence to show that its core consumer and commercial credit reporting databases were impacted in the breach.

As is standard with such notifications, the Equifax alert offered no details on the security failures that might have contributed to a breach of this magnitude. It merely noted that victims would receive one year's worth of free credit monitoring and directed them to a webpage where they could check if their data had been compromised and enroll for the monitoring.

"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do," Equifax chairman and chief executive officer, Richard Smith said in the statement. "I apologize to consumers and our business customers for the concern and frustration this causes."

News of the breach sent Equifax's share price down by nearly 15% at one point from around $143 Thursday mid-day to $121.50 a day later, before recovering marginally Friday afternoon.

The disclosure also evoked widespread criticism from many across the security industry.

"This breach hits home because its impact could potentially be on half of [the] adult population in the U.S.," says Jess Parnell, director of information security, at Centripetal Networks. "Unless you are off the grid entirely and don't use money or credit cards, Equifax probably has your information and you are at risk."

All kinds of institutions including banks, hospitals, mobile phone providers, insurance companies and utilities use the kind of personal data that was breached in the Equifax incident to authenticate consumer identities for daily transactions, says Brian Vecci, technical evangelist at Varonis.

"Credit bureaus have to gather and keep the most sensitive digital information many people have," he says. "They have to be held to the absolute highest standards of security." Vecci predicts the breach will have a cascading effect on other organizations for years to come.

Adam Meyer, chief security strategist at SurfWatch Labs, also worries that the breach could undermine the credit-based identity authentication schemes that many organizations employ to combat their own forms of fraud.

These are the knowledge-based authentication mechanisms in which users are asked for information from their credit files that only they should know, such as past addresses, recent loans, and credit applications. Many government agencies and organizations use such mechanisms to support employment verification, social services verification, and other applications. "The strength in this authentication is the fact that only the user should know this information when challenged," he says. Depending on the full scope of the Equifax breach, that assurance may now be gone, opening the gates to new kinds of fraud.

In the absence of any details from Equifax, security executives have offered several theories on what might have happened. Many see the intrusion as yet another example of failure by a company to adhere to proper application security standards and practices.

Over the years, analysts have routinely warned about the need for organizations to address the substantial and growing number of vulnerabilities present in the web applications they use.

Organizations such as the Open Web Application Security Project (OWASP) and the SANS Institute have for years highlighted the most prevalent security flaws in web applications in the hope of getting organizations to close them. Numerous application security practices have emerged in recent years to help organizations prevent, detect, and fix vulnerabilities in their application stack, from the code development stage through the deployment and usage lifecycle.

To many, the Equifax breach is another example of an organization that should know better failing to apply such practices robustly enough.

This is not the first time that one of the three credit bureaus has experienced a breach. In 2015, an internal server compromise at Experian exposed names, SSNs, birth dates and other information belonging to 15 million people who had applied for financing with T-Mobile USA.

Some see the sheer scope of the latest breach, and the apparent security failure that led to it, as enough reasons why Equifax should be made an example of and forced out of business. "There is no reason to have three credit bureaus that want to seem quasi-governmental when it is convenient, and for profit when it isn't," says Hank Thomas, partner and COO at Strategic Cyber Ventures.

"If they are going to be entrusted with our most sensitive data, essentially without our direct permission, all of the credit bureaus should be forced to have world-class security programs," Thomas says.

Jeremiah Grossman, chief of security strategy at SentinelOne, says breaches like this highlight how consumers are at the mercy of third-party data brokers.

"There are potentially thousands of organizations—large and small—who are custodians of our personal information, who we are not customers of, who we have no control over, may not even know exist, and where we have limited recourse — when they get hacked."

Very few breaches in recent years have resulted from an exploit or attack technique that wasn't known before and should have been protected against. But many organizations are just not incentivized enough to make changes because there has been little fear of financial liability, he says. "To correct the situation, we’re going to need a combination of government assistance and a change in our social norms."

What is needed are unified breach disclosure requirements, financial liabilities for data breaches and warranties from vendors guaranteeing the security of their products. "These would be powerful and crucial levers to counteract the unnecessary and routine nature of data breaches," Grossman says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

User Rank: Strategist
9/8/2017 | 2:58:12 PM
Despicable and probably criminal
Equifax is despicable to include an arbitration clause in the sign-up acknowledgement as a prerequisite in front of the free credit monitoring offering. That consent waives a consumer's right to class action.

The EFX stock sales by company officers following the breach (some $1.8M) should be investigated by the SEC, too.
User Rank: Apprentice
9/8/2017 | 3:13:45 PM
The End Game
Once data is released, there's no getting it back. Unless something changes, more and more data will be released. As analytics advances, much more data will be made knowable through inference (having "yellow" and "blue" allows you to infer "green" with great confidence). We need to focus on how to make private data useless to thieves. If someone who is not me cannot use my data to impersonate me, then I don't really care that it's out there. Medical data and other types of personal information is on a different level. It can be used to extort people who might be vulnerable to such criminal methods. Part of our problem is that it's still too easy to impersonate someone else with a little bit of their data. That's the core problem we really aren't addressing. At some point, we run out of fingers to put in the dike.
User Rank: Apprentice
9/16/2017 | 6:12:53 PM
The Cybersecurity Battle - Time to Give Up?
Maybe it is time for a different approach for cybersecurity? See post on LinkedIn below.