Equifax mega-leak: Security wonks smack firm over breach notification plan
Credit reference agency Equifax has been criticised for its breach response in the wake of the disclosure on Thursday of a megahack that affected the data of up to 143 million people in the US alone.
The credit reference agency admitted that criminals may have been able to access data including names, social security numbers, birth dates and more belonging to its US customers from mid-May after exploiting a vulnerable website application. There’s no evidence of unauthorised activity on Equifax’s core consumer or commercial credit reporting databases, according to the credit reference agency.
Stand up who HASN’T been hit in the Equifax mega-hack – whoa, whoa, sit down everyone
The breach was discovered on 29 July but Equifax only disclosed the problem 40 days later. “The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers,” it said.
Also accessed were “credit card numbers for approximately 209,000 US consumers, and certain dispute documents with personal identifying information for approximately 182,000 US consumers.”
Personal information on an undisclosed number of UK and Canadian residents was also disclosed in the breach, Equifax admits. Specifics on what might have been spilled are unclear.
Data privacy watchdogs in the UK – namely the Information Commissioner’s Office – are already in touch with Equifax, advising it to “alert affected UK customers at the earliest opportunity”.
Equifax had weeks to prepare for its breach notification, so its decision to do so via a basic WordPress site (oh, err) using a free shared CloudFlare SSL cert is somewhat puzzling. “For some reason Equifax used the 6 weeks to set up a new domain asking for SSN numbers, with anonymous Whois on Cloudflare,” said security consultant Kevin Beaumont.
The whole approach already seems to have gone awry, with OpenDNS flagging up the site as a potential phishing locale in an apparent false positive. The Register has received emails from concerned readers who believed it may be a phishing site.
Free credit file check
Equifax’s breach notification site – https://www.equifaxsecurity2017.com – invites consumers US person to “enroll and activate your complimentary identity theft protection and credit file monitoring product, called TrustedID Premier”.
While signing up to TrustedID Premier allows concerned parties to confirm whether or not they have been personally affected, some have voiced concerns that the wording of its terms of service may mean signing away rights to file a lawsuit and agreeing to arbitration instead. To manage demand, interested parties can’t sign up to TrustedID Premier immediately anyway, instead receiving a future enrolment date.
The service, once activated, is complimentary for the first year only.
“Equifax’s customer service and incident response may have been better if the potentially 143 million people affected were customers — they’re not,” said Jeremiah Grossman, chief of security strategy at SentinelOne.
Criticism over the breach notification was widespread but far from universal. Some experts were more inclined to cut Equifax some slack.
“The Equifax breach announcement. Generally good, but a bit alarming that they knew in July and only announced now,” said breach notification guru Troy Hunt, the security researcher behind the haveibeenpwned breach notification service.
Rick Holland, VP of Strategy at Digital Shadows and a former incident responder, is even more sympathetic. Holland reckons a month to communicate the incident “is not that long”. In a blog post, Holland speculated that the likely root cause of the breach was a SQL injection vulnerability. ®