The credit data company has been under intense pressure since it went public last week, disclosing that hackers accessed the Social Security numbers, birth dates, and other information on over 44 percent of Americans. To add insult to injury, it has now been learned that up to 440,000 people in the United Kingdom had their personal information compromised. In the Equifax statement issued Friday night, the company said Susan Mauldin, who had been the top security officer, and David Webb, the chief technology officer, are retiring, effective immediately. Mauldin, who is a college music major, had already come under scrutiny over her qualifications in security, according to ABC News. Mauldin is being replaced by Russ Ayers, an information technology executive inside Equifax. Webb is being replaced by Mark Rohrwasser, who joined Equifax in 2016 and most recently was in charge of Equifax’s IT operations. Equifax states its internal investigation of this incident is still ongoing and the company continues to work closely with the FBI in its investigation.
How serious is the Equifax security breach?

If you are not too worried over the hacking incident, you should be, say security experts. Besides the Social Security numbers, birth dates, and addresses of 143 million people, the hackers also made off with 209,000 credit card numbers and 182,000 documents containing personally identifying information and an undetermined number of driver’s license numbers. Mark Nunnikhoven, the head of cloud research for cybersecurity firm Trend Micro, says the stolen information is very valuable to cyberthieves. Packaged up all together, it sells for upwards of $30 per identity on online black markets. “That’s the foundational identification information for U.S. consumers,” said Nunnikhoven. “It’s enough to allow cyberthieves to take over you online.”

Identity theft could mess up a consumer’s life for years, affecting everything from buying a smartphone to getting a car, a student loan or a mortgage. And if the thief uses your identity to take out a prescription, that goes on your medical record. A cyberthief could also use this data to pin a crime on you, according to Eva Velasquez, CEO of the Identity Theft Resource Center, a nonprofit that assists fraud victims. Velasquez offers an example: suppose someone gets a driver’s license in your name and runs a red light or gets a speeding ticket. “The criminal’s not going to pay it — and soon enough there could be a warrant out for your arrest.” She adds, “This is not hypothetical.” About 4.0 percent of the 17 million reported cases of identity theft last year were of the “criminal variety.” “Data breaches involving Social Security numbers are not rare, but this is the largest ever recorded,” said Velasquez. “This is a unique situation because of the quality of data that was stolen along with the scale of the breach.”
Some bare-bones facts about the data breach

First, after Equifax became aware of the hacking on July 29th, it took six weeks before they let the public know about it. And even worse, the security team continued to monitor network traffic and observed additional suspicious activity on July 30, 2017, and it was only then the company decided to take the affected web application offline. Equifax gets sort of hazy in its reporting of what happened after they took the software offline. They say an internal review then “discovered” a flaw in an open-source software package called Apache Struts they identified as the initial attack vector. Equifax patched the affected web application before bringing it back online.

However, the software vulnerability had been known publicly since early March 2017, and a fix was available shortly thereafter. This fact was acknowledged on Friday by Equifax, but they did not offer an explanation as to why the flaw hadn’t already been fixed much earlier, even though the company claims their security team knew about it. Equifax’s explanation for this slow response? “While Equifax fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing,” according to its statement.
Pending investigations and litigation

Besides many class-action lawsuits brought by consumers, there are also a number of inquiries by the Federal Trade Commission and the Consumer Financial Protection Bureau, as well as several state attorneys general. The company’s CEO Richard Smith is scheduled to testify in front of Congress in early October. Massachusetts Democratic Senator Elizabeth Warren introduced legislation Friday aimed at cracking down on Equifax and giving consumers more control over the data credit companies collect, she said in a statement. The bill is also being sponsored by Brian Schatz from Hawaii. “I am troubled by this attack — described as ‘one of the largest risks to personally sensitive information in recent years’ — and by the fact that it represents the third recent instance of a data breach of Equifax or its subsidiaries that has endangered Americans’ personal information,” she wrote in a letter to Equifax chairman and chief executive Richard Smith.

Senate Minority Leader Chuck Schumer said Thursday that the company “stunningly and epically” failed to protect people’s sensitive information. In a speech on the Senate floor, he called the data breach “one of the most egregious examples of corporate malfeasance since Enron.”

The bill basically would require all the credit rating agencies to freeze consumers’ credit reports free of charge and restrict their ability to profit from data during the freeze. Consumers would be able to access their credit reports for free. The thing is, banks rely on the credit reports issued by Equifax, TransUnion, and Experian to issue consumers loans. And this includes lending institutions worldwide.

http://www.digitaljournal.com/tech-and-science/technology/equifax-releases-details-on-cybersecurity-breach/article/502613