Equifax, the second biggest credit report company in the UK, reported in 2017 a breach in which 400,000 UK consumers, 145.5 million US consumers and 11,000 Canadian residents were affected, making it one of the largest data breaches in history.
The Equifax breach saw hackers access data including names, addresses, dates of birth and, in a small number of cases, credit card numbers of the accounts.
The data held by Equifax was stored within files contained within the US business.
Equifax holds information about its account holders that prospective lenders use to assess credit card, loan and mortgage applications. The information is sourced from the electoral roll, court records, credit searches and bank account data.
When did the Equifax Breach Occur?
Equifax stated that the hackers accessed several files between May and July 2017 and that the hack was discovered at the end of July 2017.
Equifax stated that the information accessed by the hackers for UK consumers was restricted to name, date of birth, email address and telephone number. It did not include passwords, address information or financial data. More information was reportedly available to the hackers in relation to US consumers.
How to Check if Your Info was Taken
Equifax holds information relating to 44 million individuals in the UK and states that the information that had been hacked did not relate to a business or institution.
Equifax states that it will be contacting all affected consumers. In the US the company set up a dedicated website that allows users with a social security number to identify whether they have been affected.
Equifax states that anyone who received communication from them in relation to the breach would be offered free comprehensive identity insurance that will monitor personal data, credit information and will provide alerts to any potential signs of fraud.
The National Cyber Security Centre does not suggest that any of those affected in the UK need to change their passwords, as the information obtained did not appear to include password data. However, it did suggest that those affected may be sent more targeted ‘phishing’ scam attempts, such as emails that use the information obtained to appear legitimate in order to obtain information such as credit card details and passwords.
If any financial information appears to have been compromised, those affected should contact their bank immediately and, if they suspect that they have been a victim of fraud, they should contact Action Fraud.
What Lessons can be Learned?
At the end of 2018, a White House Oversight Committee concluded that Equifax’s security practices and policies were old and out of date and that, if the company had employed basic security measures, the breach could have been avoided, summarising that the breach was entirely preventable.
The White House report criticised the handling of the hack by the company’s former CEO in that they “failed to implement an adequate security program to protect” the data.
The company had failed to update the software, meaning that a disclosed vulnerability in Apache Struts had not been patched, which had been raised within a warning by Homeland Security months earlier.
That Apache Struts server was operating the five-decade-old web-facing system that enabled users to check their credit rating.
The attackers had used the vulnerability to add a web shell onto the server and retained access to the server for 2 months. This allowed the hackers to obtain an unencrypted file containing passwords from one server that enabled access to 48 databases that contained unencrypted consumer credit information.
During the 2-month period, the hackers then queried the databases over 9,000 times and downloaded data on 265 different occasions.
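The pattern described above, one web-facing host reaching many databases and pulling data in bulk, is something database audit logs can surface. The following is an added example, not taken from the report or from Equifax; the log format, host names, database names, allowlist and threshold are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Hypothetical allowlist: databases each application host is expected to query.
EXPECTED_DBS = {"portal-web-01": {"disputes"}, "batch-01": {"billing", "scores"}}

# Constructed audit-log lines in a made-up key=value format (not a real product's).
SAMPLE_LOG = """\
2017-05-13T02:14:07Z src=portal-web-01 db=disputes rows=3
2017-05-13T02:14:09Z src=portal-web-01 db=scores rows=5000
2017-05-13T02:15:30Z src=portal-web-01 db=billing rows=8000
2017-05-13T02:16:02Z src=portal-web-01 db=scores rows=7000
2017-05-13T03:01:00Z src=batch-01 db=billing rows=10
2017-05-13T03:02:00Z src=batch-01 db=scores rows=12
malformed line that the parser must skip
"""

# Captures the timestamp down to the hour, then source host, database and row count.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}):\S+ src=(\S+) db=(\S+) rows=(\d+)$")

def detect(log_text, expected=EXPECTED_DBS, max_rows_per_hour=10000):
    """Return sorted alerts for off-allowlist database access and bulk reads."""
    unexpected = defaultdict(set)  # host -> databases outside its allowlist
    rows = Counter()               # (host, hour) -> rows returned
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip unparseable lines instead of crashing
        hour, src, db, n = m.group(1), m.group(2), m.group(3), int(m.group(4))
        # A host missing from the allowlist has no expected databases at all.
        if db not in expected.get(src, set()):
            unexpected[src].add(db)
        rows[(src, hour)] += n
    alerts = [("UNEXPECTED_DB", src, tuple(sorted(dbs)))
              for src, dbs in unexpected.items()]
    alerts += [("BULK_READ", src, (hour, total))
               for (src, hour), total in rows.items() if total > max_rows_per_hour]
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```
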
The former CEO then placed the blame for the vulnerability on a member of IT staff for not updating the system.
The device used to monitor the network traffic had been inactive for 19 months due to the security certificate expiring. However, as soon as that was updated and the system made operational, staff immediately noticed suspicious web traffic.
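A routine certificate-expiry audit is one way to catch a monitoring device that has silently stopped inspecting traffic. The following is an added example, not code from the report or from Equifax; the device names, roles, dates and the inventory format (each line ending in the output of `openssl x509 -noout -enddate`) are constructed assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory, one device per line:
# name|role|output of `openssl x509 -noout -enddate` for its certificate.
INVENTORY = """\
ids-tap-01|traffic-inspection|notAfter=Jan 31 23:59:59 2016 GMT
portal-web-01|web-frontend|notAfter=Aug 20 00:00:00 2017 GMT
db-proxy-02|database-proxy|notAfter=Mar  1 12:00:00 2019 GMT
broken-entry|web-frontend|notAfter=unknown
"""

# Assumption: roles whose expired certificate stops security monitoring altogether.
MONITORING_ROLES = {"traffic-inspection"}

def audit(inventory, now, warn_days=30):
    """Map device name -> (status, whole days until expiry; negative if overdue)."""
    report = {}
    for line in inventory.splitlines():
        name, role, enddate = line.split("|")
        try:
            expiry = ssl.cert_time_to_seconds(enddate.split("=", 1)[1])
        except (ValueError, IndexError):
            report[name] = ("UNPARSEABLE", None)  # surface it; never assume validity
            continue
        days = int((expiry - now.timestamp()) / 86400)  # truncates toward zero
        if expiry <= now.timestamp():
            status = "MONITORING_BLIND" if role in MONITORING_ROLES else "EXPIRED"
        elif days <= warn_days:
            status = "EXPIRING"
        else:
            status = "OK"
        report[name] = (status, days)
    return report

if __name__ == "__main__":
    as_of = datetime(2017, 7, 29, tzinfo=timezone.utc)  # constructed "today"
    for device, (status, days) in audit(INVENTORY, as_of).items():
        print(f"{device:15} {status:17} {days}")
```
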
The former chief information officer told investigators that the incident could have been prevented if the Struts system had been updated soon after the security patch had been released.
The company disclosed the breach publicly 2 months later. The website produced by Equifax for users to identify whether they had been affected was then impersonated, and that site was accidentally linked to by the company’s own social media staff.
That website was removed after another security researcher found a flaw within it, during which call centres were overwhelmed.
The White House report also concluded that Equifax had poor security practices and noted that their customers did not have an ability to opt out of providing the information.
Equifax responded as follows: “We are deeply disappointed that the Committee chose not to provide us with adequate time to review and respond to a 100-page report consisting of highly technical and important information,” and that
“During the few hours we were given to conduct a preliminary review we identified significant inaccuracies and disagree with many of the factual findings, this is unfortunate and undermines our hope to assist the Committee in producing a credible and thorough public resource for those who wish to learn from our experience managing the 2017 cybersecurity incident,”
Cost to Equifax
Equifax has revealed that the cost of the breach, including IT and data security, currently stands at $1.4 billion and that this does not include the lawsuits that have yet to be seen.
The first quarter of 2019 included $786.8 million spent on costs and $690 million on legal costs. $82.8 million was also spent on technology and data security and $12.5 million for legal and investigation fees.
The Information Commissioner’s Office (ICO) fined the company £500,000 for the failure to protect the personal data of UK citizens.
Where has the Data Gone Now?
The data stolen during the breach has not been produced by those responsible.
Normally, such data might appear online for sale immediately after being stolen, to ensure that the data is current and can be used by further individuals, for example, so that credit card numbers can be used before the bank cancels them. The data stolen in this breach, however, has not appeared. It is believed that this may be for one of two reasons.
The first being that, given the publicity of the breach and the quantity of data taken, the information may be too ‘hot’ to sell or publish and would risk those responsible being identified and arrested.
The second being that a breach of the size involved was the work of another state who took the data for intelligence purposes. This information, combined with other information obtained via different data breaches, could then be used to identify individuals of interest to that state, including those in positions of authority who have financial issues.