Equifax Web Application Vulnerability Exposes 143 Million Social Security Numbers

Equifax today acknowledged that customer data was exposed when hackers exploited a Web application vulnerability to access company files between May and July of 2017.

The breach affects approximately 143 million U.S. consumers.

The data accessed includes names, Social Security numbers, birthdates and addresses, as well as some driver’s license numbers. Credit card numbers for approximately 209,000 consumers were also accessed, as well as dispute documents with personally identifiable information for approximately 182,000 consumers.

Some U.K. and Canadian residents may also have been affected.

The breach was discovered on July 29, 2017. Notably, CNBC reports that Equifax executives John Gamble Jr., Rodolfo Ploder and Joseph Loughran sold almost $2 million in shares in the company in the days after the breach was discovered.

Corporate Fallout

Richard Henderson, global security strategist at Absolute, told eSecurity Planet by email that the fallout from the breach will likely be unprecedented. “Many people are going to lose their jobs, including Equifax executives, people will be brought before Congress to explain what happened, and consumer trust in all of the credit reporting agencies will be eroded,” he said.

“It may be time for us to reconsider exactly how we allow companies to store all of this data,” Henderson added. “It’s clear that these mega-databases are prime targets for attack, and we may need to take a hard look at legislative changes that will force data brokers and collectors to take security up a few levels.”

“I apologize to consumers and our business customers for the concern and frustration this causes,” Equifax chairman and CEO Richard F. Smith said in a statement. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”

Illumio head of cybersecurity strategy Nathaniel Gleicher said by email that the breach clearly demonstrates how hard it is to keep large data stores secure.

“Even large organizations struggle, because it’s far too easy for intruders to slip across the perimeter and then bide their time inside compromised networks until they can get to the most valuable data,” Gleicher said. “If we want to stop breaches like this, we have to get much better at stopping lateral movement within compromised networks.”

Protecting Personal Data

Adam Levin, chairman and founder of CyberScout, said the breach should serve as a reminder to all consumers of the importance of implementing multi-factor authentication, maintaining strong password protocols, and monitoring credit reports.

“While we don’t yet know the full dimensions of the Equifax breach, where the most sensitive information of over a third of the American population could have been exposed to cyber criminals, tens of millions of us are now forced to look over our shoulders for the rest of our lives because tons of Social Security numbers, the skeleton key to our lives, are out there for cybercriminals to steal and exploit,” Levin said.

And for companies, Tripwire vice president of product management and strategy Tim Erlin said, the breach should highlight the importance of establishing a strong incident response plan.

“Information security teams at other organizations should use this incident as an opportunity to evaluate their own plans,” Erlin said. “All organizations that collect and store sensitive data are targets. Doing the basics right, such as ensuring secure configurations, managing vulnerabilities and capturing log data, is the most effective way to prevent breaches.”

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.
