Data Includes Drivers Licenses, Social Security Numbers, Birth Dates and Addresses
Credit reporting agency Equifax says Thursday a web application flaw exposed 143 million customer records to hackers, a startling breach from a company that ironically offers identity theft protection services.
The information exposed includes names, Social Security numbers, birth dates, addresses and in some cases, driver’s license numbers, according to a news release. Although most affected are U.S. consumers, Equifax says some “limited personal” information for U.K. and Canadian residents was affected.
Equifax also says the breach exposed credit card numbers for 209,000 U.S. consumers. The hackers also accessed what Equifax described as “dispute documents” containing personal information for 182,000 U.S. consumers.
While not the largest breach on record, it’s certainly one of most sensitive. Equifax is one of the largest aggregators of financial data for U.S. consumers, and its records are used by a variety of other businesses to gauge a person’s creditworthiness.
The breach was discovered on July 29. Equifax says the cybercriminals “exploited a U.S. website application vulnerability to gain access to certain files.” The exposure period ran from mid-May through July.
Equifax didn’t identify what kind of web application was illegally accessed. But it said that its consumer and commercial credit reporting databases did not show evidence of unauthorized activity.
Still, it’s a worst-case scenario for consumers. The type of information leaked is a perfect package for a fraudster looking to impersonate someone else.
In the news release, Equifax Chairman and CEO Richard F. Smith says, “This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do.”
“I apologize to consumers and our business customers for the concern and frustration this causes,” Smith says. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”
Although major data breaches have become nearly routine, Equifax’s lapse is “especially alarming and serious,” says Atiq Raza, CEO of the web application security company Virsec. Of particular concern is the static nature of information such as birth dates.
“Almost all the data that credit reporting companies like Equifax hold is sensitive, and much of it is used to establish identity – birth dates, addresses, driver’s licenses, and other data types are routinely used to verify identity,” Raza says. “It’s one thing to ask a consumer to change a password, but how do you change your birth date?”
Questionable Notification Process
It doesn’t appear that Equifax is directly contacting consumers. Instead, the company has set up a web-based tool for people to check if their data is in the breach.
That is likely to raise eyebrows among security experts, particularly since Equifax attributed the breach to a web application security flaw. The tool asks consumers for their last name and the last six digits of their Social Security number.
Social Security numbers are widely available on underground cybercriminal markets, so it’s not difficult for fraudsters to procure large numbers. That makes Social Security numbers a very poor way to authenticate a consumer.
Virsec’s cofounder and CTO, Satya Gupta, says Equifax’s notification method is “very unusual.”
“This reinforces the conundrum of these breaches – with more information exposed, how do you now prove a person’s identity?” he says.
Equifax says that it is offering free identity theft protection and credit file monitoring for all U.S. consumers, even for those not affected by the breach.
After a last name and the last six digits of a Social Security number are entered into the tool, it returns whether the person is in the breach. If a person isn’t in the breach, it offers a date when they should return to Equifax’s website to enrol in the service, called TrustedID Premier.
Enrolment is only free for one year, after which consumers would have to pay a fee.
Web App Risks
Flaws in web applications are one of the most common vectors for hackers to access data. Since web applications by their nature face the internet, it’s crucial that companies code them correctly to prevent information those applications collect from leaking.
Most web applications have a backend database that is supposed to be configured not to respond to potentially malicious input. Hackers will often try injection attacks, in which commands are entered into web-based forms to see whether the backend database will divulge information.
According to the Open Web Application Security Project, a community dedicated to web application security, injection attacks are rated as the top risk to applications for this year.
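An added illustration of the injection risk described above, not code from the article or from Equifax: a hypothetical breach-check lookup (last name plus last six SSN digits, as the notification tool asks for) written two ways over a constructed in-memory table. Splicing the form fields into the SQL text lets a quote in the input change the query, so even a legitimate name like O'Brien breaks it, while bound parameters keep every input as plain data.

```python
import re
import sqlite3

# Constructed sample rows for a hypothetical schema; nothing here reflects Equifax's real data.
ROWS = [("Smith", "123456", 1), ("O'Brien", "654321", 0)]


def make_db():
    """Build an in-memory table standing in for the breach-check backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE consumers (last_name TEXT, ssn_last6 TEXT, affected INTEGER)")
    conn.executemany("INSERT INTO consumers VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_unsafe(conn, last_name, ssn_last6):
    """Vulnerable pattern: form input is spliced into the SQL text, so a quote
    inside the input is read as SQL syntax rather than as part of the value."""
    sql = (f"SELECT affected FROM consumers WHERE last_name = '{last_name}' "
           f"AND ssn_last6 = '{ssn_last6}'")
    return [bool(r[0]) for r in conn.execute(sql)]


def lookup_safe(conn, last_name, ssn_last6):
    """Hardened pattern: the SQL text is fixed and the driver binds the values,
    so any characters in the input stay data. Also reject malformed digits early."""
    if not re.fullmatch(r"\d{6}", ssn_last6):
        return []
    sql = "SELECT affected FROM consumers WHERE last_name = ? AND ssn_last6 = ?"
    return [bool(r[0]) for r in conn.execute(sql, (last_name, ssn_last6))]


def check(conn, fn, last_name, ssn_last6):
    """Run a lookup and report a database error as a string instead of raising,
    so the two patterns can be compared on the same inputs."""
    try:
        return fn(conn, last_name, ssn_last6)
    except sqlite3.Error as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    db = make_db()
    for name, digits in [("Smith", "123456"), ("O'Brien", "654321")]:
        print(name, "unsafe:", check(db, lookup_unsafe, name, digits),
              "safe:", check(db, lookup_safe, name, digits))
```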