Equifax, one of the largest providers of consumer credit reporting and other financial services in the US, said last night it was the victim of a hack in which attackers made off with personal details on over 143 million US consumers.
The sheer number of affected records is striking on its own, but affected consumers have real cause for concern because of the nature of the data the attackers took.
According to a press release the company put out, attackers stole names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers.
Furthermore, hackers also accessed credit card numbers for approximately 209,000 US users and dispute documents with personal identifying information for approximately 182,000 more.
In addition, Equifax said attackers also had limited access to the personal details of UK and Canadian residents but did not reveal the number of affected users.
In most breaches, hackers get access to limited information, such as names, addresses, or credit card numbers. A breach of this magnitude and depth of sensitive information is a rare event, and a dangerous one.
Anyone holding the information stolen from Equifax can easily build in-depth profiles of their targets and use them to carry out fraudulent transactions, file fraudulent tax returns, hijack online accounts, and more.
Equifax made another big mistake by not notifying consumers right away. The company said it detected the hack on July 29, but waited more than a month to issue a public warning so that affected people could freeze their credit or take other precautionary measures.
"This is a disastrous data breach, probably one of the most detrimental breaches of this year, capable of undermining trust in an already quite fragile online financial space," Ilia Kolochenko, CEO and Founder of High-Tech Bridge told Bleeping Computer via email.
"Such a delayed public disclosure of the breach is quite dubious. Probably the disclosure was reasonably postponed in the interests of investigation, but it still could endanger the victims," Kolochenko added.
Rick Smith, Equifax CEO, apologized for the incident in a YouTube video and offered one year of free credit monitoring to all US consumers, not just those affected by the breach.
The offer is less generous than it sounds. The 143 million figure is roughly 45% of the entire US population, and once children, the elderly and other groups unlikely to hold credit files are excluded, it covers most of the credit-active adult population, so extending the offer to everyone adds very little.
Equifax has set up a web page where affected users can verify if they're included in the reported data breach. They can also use this website to enroll in free credit monitoring services.
Users included in the breach have a higher priority and can sign up and receive the free credit monitoring offer right away.
Users not included in the breach will also receive a year of free credit monitoring, but starting at a later date. In the meantime, Equifax encourages these users to sign up for a paid credit monitoring plan, just in case. In other words, Equifax is using its own breach to sell credit monitoring services.
The marketing blunder caps a series of technical failures. For example, Equifax's breach verification site runs on a stock WordPress install, hardly the best choice for a site that handles sensitive data.
Because the site asks visitors to enter their name and the last six digits of their SSN to check whether they are in the breach, OpenDNS quickly flagged it as a phishing site. When it launched, the site also had SSL issues, which further contributed to OpenDNS marking it as a threat.
The primary Equifax website is also still vulnerable to an XSS flaw reported last year, and one of the Equifax login pages exposes debug output that could give an attacker an idea of how Equifax's internal network is laid out.
In its official statement, Equifax said the intrusion took place after "criminals exploited a U.S. website application vulnerability to gain access to certain files."
With such a clumsy effort on the technical side, it is no wonder that Equifax's CISO (Chief Information Security Officer) wanted to lie low on LinkedIn.
Besides expecting a visit from the FTC and ambulance-chasing lawyers with class-action lawsuits in hand, Equifax should also expect the SEC.
Shortly after the data breach press release was published, Bloomberg reported that three high-ranking Equifax executives had sold company stock worth nearly $1.8 million.
The sales took place after the company discovered the data breach. In statements to the press, Equifax said the executives who sold their stock were not aware of the breach, an explanation few experts are buying.
"Weird how Equifax PR can't say whether users' SSNs were encrypted but knows that execs were unaware of a huge hack weeks after it happened." https://t.co/PsjtSeOob2, Kevin Collier (@kevincollier), September 8, 2017
Equifax stock (NYSE:EFX) is expected to plummet when the US stock market opens on Friday, later today.