Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

// // //
5/9/2018
11:05 AM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now

Equifax Filing Sheds Light on 2017 Data Breach Carnage

In a new filing with Securities and Exchange Commission, Equifax executives are offering a greater level of detail of the 2017 data breach that affected more than 146 million customers.

The 2017 data breach at Equifax, which affected more than 146 million of the company's customers, is considered one of the largest incidents of its kind. Now, new documents are laying bare how vast the breach actually was.

In response to several congressional investigations about the data breach, Equifax has filed new paperwork with the US Securities and Exchange Commission that offers a staggering amount of detail about how many records were exposed last year.

Overall, the company states that 146.6 million customers were affected by the breach.

Equifax initially claimed about 143 million customers were compromised, but that number has steadily risen over the ensuing months.

(Source: Flickr)
(Source: Flickr)

The original breach occurred when a person or persons took advantage of a known vulnerability in Apache Struts CVE-2017-5638, according to numerous reports. The patch was available for this particular flaw but it appears that the company did not update its software.

As a result, millions of records were taken.

"The attackers stole consumer records from a number of database tables with different schemas, and the data elements stolen were not consistently labeled," according to the May 7 filing. "For example, not every database table contained a field for driver's license number, and for more common elements like first name, one table may have labeled the column containing first name as 'FIRSTNAME,' another may have used 'USER_FIRST_NAME,' and a third may have used 'FIRST_NM.'"

Here's how many records were taken:

  • Names: 146.6 million
  • Date of Birth: 146.6 million
  • Social Security Number: 145.5 million
  • Address: 99 million
  • Gender: 27.3 million
  • Phone Number: 20.3 million
  • Driver's License Number: 17.6 million
  • Email Address: 1.8 million
  • Payment Card Number and expiration Date: 209,000
  • Tax ID: 97,500
  • Driver's License State: 27,000

In addition to these records, Equifax believes that the attackers also accessed data, specifically images, uploaded through the company's online dispute portal, which affected about 182,000 US customers. These were mainly government-issued documents and included 38,000 driver's licenses, 12,000 Social Security or Taxpayer ID cards, 3,200 passports or passport cards, and 3,000 "other" records.


The fundamentals of network security are being redefined -- don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth annual Big Communications Event. There's still time to register and communications service providers get in free!

The fallout from the breach is continuing.

In March, the SEC, along with the US Attorney's Office for the Northern District of Georgia, charged Equifax's former US CIO with insider trading and other offenses. Specifically, an indictment charged that Jun Ying knew about the breach and sold his company stock before the incident was made public. (See Former Equifax CIO Charged With Insider Trading.)

The Equifax and other data breaches also forced the SEC to update its rules about public disclosures of cybercrimes. (See Equifax, Intel Help Spur SEC to Update Cybersecurity Regulations.)

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-32168
PUBLISHED: 2022-09-28
Notepad++ versions 8.4.1 and before are vulnerable to DLL hijacking where an attacker can replace the vulnerable dll (UxTheme.dll) with his own dll and run arbitrary code in the context of Notepad++.
CVE-2022-3348
PUBLISHED: 2022-09-28
Just like in the previous report, an attacker could steal the account of different users. But in this case, it's a little bit more specific, because it is needed to be an editor in the same app as the victim.
CVE-2022-3333
PUBLISHED: 2022-09-28
A vulnerability, which was classified as problematic, was found in Zephyr Project Manager up to 3.2.4. Affected is an unknown function of the file /v1/tasks/create/ of the component REST Call Handler. The manipulation of the argument onanimationstart leads to cross site scripting. It is possible to ...
CVE-2022-3332
PUBLISHED: 2022-09-28
A vulnerability classified as critical has been found in SourceCodester Food Ordering Management System. This affects an unknown part of the file router.php of the component POST Parameter Handler. The manipulation of the argument username leads to sql injection. It is possible to initiate the attac...
CVE-2022-39035
PUBLISHED: 2022-09-28
Smart eVision has insufficient filtering for special characters in the POST Data parameter in the specific function. An unauthenticated remote attacker can inject JavaScript to perform XSS (Stored Cross-Site Scripting) attack.