The Equifax data breach is pretty huge with 143 million records leaked from the hack in the US alone with unknown more in Canada and the UK.
The original statement about the breach is as follows for those that weren’t up to date with it, which came out Sept 7th (4 months AFTER the breach happened).
Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.
The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.
So pretty serious stuff with a kit ripe for social engineering and some pretty heavy weight identity theft.
Some good info in this video, skip to 3:02 for the Equifax story coverage:
Just today the entry point has been published, which is pretty unusual in these type of cases to get ANY info other than the fact it happened. It’s linked to a flaw in Apache Struts that was public in March 2017.
Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.
As the Apache Foundation pointed out earlier this week, it reported CVE-2017-5638 in March 2017. Doubt us? Here’s the NIST notification that mentions it as being notified on March 10th.
It’s a pretty nasty situation especially if you watched the video above and you realise that Equifax is also managing to monetize their screw up.
You can find the latest here: https://www.equifaxsecurity2017.com
At least a good amount of information is coming out around this case so we can keep an eye on it and see what else turns up.
Source: The Register