
Equifax Credit Breach

Amid the crazy weather last week, with multiple hurricanes and even an earthquake in southern Mexico, it’s easy to have missed the Equifax credit breach that was announced on September 7th, in what many are calling the “worst data breach in the history of the modern era.”

Equifax is one of the largest consumer credit reporting agencies in the world, with the personal information of over 800 million individuals and over 88 million businesses worldwide. Of those consumers, 143 million American individuals’ information was exposed in a breach; this includes Social Security numbers, birth dates, addresses, driver’s license numbers, and 209,000 credit card numbers. Equifax discovered this breach this summer, on July 29th, 2017, and they believe the hack occurred in the middle of May. There is currently no law stating how many days a company has to disclose such an incident to the public, but the fact that it took 40 days to do so is unacceptable and is likely to raise scrutiny from the various governmental agencies and the public.

The entire situation has been fraught with poor decisions and suspicious activity. Three of Equifax’s top executives sold large amounts of stock only a few days after the breach was discovered — before it was disclosed — benefiting from their shares before Equifax (EFX) shares dropped 14% on Friday, September 8th. This caused significant controversy, and many senators and lawmakers are urging the FTC, SEC, and DOJ to determine whether these managers violated insider trading laws by doing so.

Following their public breach notification, Equifax set up a website for customers to determine if they were one of the individuals that were affected. Customers who used this site, however, claimed that the information provided was inaccurate after receiving conflicting results when entering their information multiple times. Additionally, the security PIN that was assigned to each user was generated using the date and time, rather than using a randomly generated number; this would allow significantly easier access to any person trying to brute force their way into someone’s credit report, just adding insult to injury. As of September 14th, Equifax has fixed this issue and is using a randomly generated PIN, after much public outcry.
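The PIN weakness described above, as an added illustration (not code from Equifax or from the original post). It assumes a 10-digit PIN laid out as MMDDYYHHMM and a one-week issuance window, both hypothetical, and compares a time-derived PIN with one drawn from a CSPRNG, along with an audit check that flags time-derived values.

```python
import math
import secrets
from datetime import datetime, timedelta

# Assumption for illustration: a 10-digit PIN laid out as MMDDYYHHMM.
def timestamp_pin(issued: datetime) -> str:
    """Weak scheme: the PIN is only the issue time, to the minute."""
    return issued.strftime("%m%d%y%H%M")

def random_pin(digits: int = 10) -> str:
    """Hardened scheme: each digit comes from the OS CSPRNG."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))

def decode_time_pin(pin: str):
    """Return the datetime a PIN encodes under the assumed layout, else None."""
    if len(pin) != 10 or not pin.isdigit():
        return None
    mm, dd, yy, hh, mi = (int(pin[i:i + 2]) for i in range(0, 10, 2))
    try:
        return datetime(2000 + yy, mm, dd, hh, mi)
    except ValueError:  # e.g. month 13 or minute 75
        return None

def audit_time_derived(pins, start: datetime, end: datetime) -> int:
    """Count issued PINs that decode to a moment inside the issuance window."""
    hits = 0
    for pin in pins:
        moment = decode_time_pin(pin)
        if moment is not None and start <= moment <= end:
            hits += 1
    return hits

def keyspace_bits(window: timedelta, digits: int = 10):
    """Entropy (bits) of a minute-resolution PIN in `window` vs a random PIN."""
    minutes = int(window.total_seconds() // 60)
    return math.log2(minutes), math.log2(10 ** digits)

if __name__ == "__main__":
    start = datetime(2017, 9, 8)           # constructed issuance window
    end = start + timedelta(days=7)
    weak = [timestamp_pin(start + timedelta(minutes=37 * n)) for n in range(5)]
    strong = ["4819203375", "9930517264", "7702946158"]  # constructed samples
    print("time-derived hits (weak):  ", audit_time_derived(weak, start, end))
    print("time-derived hits (strong):", audit_time_derived(strong, start, end))
    weak_bits, strong_bits = keyspace_bits(end - start)
    print(f"entropy: {weak_bits:.1f} bits vs {strong_bits:.1f} bits")
```

Under these assumptions a week of minute-resolution PINs carries about 13 bits of entropy against about 33 bits for a random 10-digit PIN, which is why any secret of this kind should come from a CSPRNG and be paired with attempt rate limiting.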

The exploit the hackers used to breach Equifax’s systems was found to be a vulnerability in the Apache Struts framework, used to create Java web applications (if you’re at all familiar with this field, you likely won’t be surprised to hear the words “Java” and “vulnerability” together). The real kicker here, though, is that this is a known vulnerability that was fixed on March 6th, in a patch that Equifax failed to apply to their web applications. This breach could have been prevented, had Equifax done their due diligence and updated their systems.

Equifax is currently offering free identity theft protection and credit file monitoring, but I personally wouldn’t trust them, and I certainly wouldn’t give them any more data. The best thing to do, if you may have been affected, is to freeze your credit until your account and identity are no longer compromised.

 
