What You Need to Know About the Equifax Breach

This past week, big-three credit bureau giant, Equifax, was hit with a major breach of information, putting 143 million Americans at risk. Social security numbers and other personal information are among the data that was compromised in the intrusion.

To make it even worse, the Equifax site, equifaxsecurity2017.com, where users are supposed to be able to find out if they were impacted by the breach, is broken and useless. Krebsecurity.com referred to it as a “stalling tactic or sham at worst.” Following the breaking news of the breach, this site was flagged as a possible phishing scheme. Many received differing answers on whether they were affected, causing much confusion. Some were also told that they were not eligible and to try again later in the month. Equifax hired a third-party public relations firm, Edelman PR, to assist in the notifications of affected customers.

Equifax confirmed that the cyberattack was discovered in the end of July, including data such as social security and drivers’ license numbers, birth dates and addresses. However, contradicting reports indicate that the vulnerability was discovered in March. Over 200,000 customers credit card data were also involved in the intrusion. Complaints are being raised about the delay in time that it took to inform customers about the breach. Equifax says that it took action quickly to prevent further damage, however, 143 million Americans are now affected by this and are not pleased with Equifax’s response. Updates from an Equifax spokesperson indicate that the site’s problems are now resolved and customers can get accurate information that clarifies whether they were affected or not.

Once Equifax discovered the breach in the access to their website, they enlisted the services of an outside computer security forensic firm, Mandiant. An employee of Mandiant purchased equihax.com and other domains that may have looked appealing to phishers in order to keep it off the market.

Coincidentally or not, Equifax executives managed to sell millions of dollars-worth of stock. This happened between the time when the intrusion was discovered and when the public became aware. Stocks are now down by 13 percent, from when the breach was announced versus the price on the market Thursday. The executives claim to have no knowledge of the breach prior to the sales.

Equifax should have been aware of the technological ramifications of not being adequately protected. Without the protection that a company such as Equifax should have had, a data breach was likely in only a matter of time. Apache Struts is a program for building web applications in Java and is believed to be the open-source software package where the vulnerability was discovered. According to reports, the vulnerability had existed since 2008. Apache Struts is a very popular framework utilized every day by over 50 percent of the Fortune 100 companies such as Lockheed Martin, Office Depot, even the IRS and more. In this case, the vulnerability was exploited and malicious code imbedded inside the data. When the Apache Struts program attempted to convert the data, it was executed at that time causing the breach. Meaning, hackers had easy access to establish malware onto the company’s webservers, as well as steal and delete confidential data.

New developments indicate a class action lawsuit has been filed. The civil action suit accuses the company of lacking security standards and guaranteed protection for its users in an effort to save money. The lawsuit is requesting compensation and costs for the potential 143 million Americans affected.

Customers should immediately put in place a freeze on all accounts that were associated with Equifax. For customers signing up with Equifax, all are required to acknowledge the terms of service. However, those terms appear to include legalese suggesting that by acknowledging the terms or terms of service you are waiving all rights to be a part of a class action lawsuit in the future, if that situation were to arise. Equifax has since provided an update on this verbiage addressing those terms. “In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident.”

How this affects you?
All consumers have rights, mandated by congress, to access their credit report via annualcreditreport.com. This gives consumers one free report from each of the “big three” Experian, Trans Union, and Equifax. If you sign up with a company like Equifax, the most that they can do for you is to alert you once your information and identity has been stolen, they cannot prevent it.
Consumers can request that the bureaus “freeze” their credit information. This prevents anyone from accessing the credit files. Consumers can temporarily or permanently remove the hold if they wish.

Always be aware of where your confidential data and personal information is. Do not provide personal information such as social security numbers or credit card numbers via email, unless the emails are encrypted, or to people you do not know. Hackers and phishers are getting smarter every day. Cybersecurity is becoming increasingly more important, not just for organizations and corporations, but for individuals as well.

If you have questions or concerns regarding your cybersecurity and data protection, contact Blue Layer to learn more.