Equifax data breach analysis8/18/2023 ![]() ![]() However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach." And politicians have additionally called on federal watchdog and protection agencies like the Securities and Exchange Commission and the Consumer Financial Protection Bureau to initiate their own investigations.Settlement includes up to $425 million to help people affected by 2017 mega breachĬredit reference agency Equifax has finalized a settlement for a 2017 data breach that affected more than 147 million US citizens and 15 million Brits.Įquifax first admitted the massive breach in September 2017. Peter Kaplan, the acting director of public affairs at the Federal Trade Commission, told WIRED in a statement that "the FTC typically does not comment on ongoing investigations. Dozens of people whose personal data was exposed have already filed lawsuits against the company. Lawmakers are planning two hearings to scrutinize the situation, though, and have requested detailed information about the breach from Equifax. "We continue to work with law enforcement as part of our criminal investigation." "Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted," the company said in a statement Wednesday. The company's attempts at damage control have been boilerplate at best. ![]() "Security best practices dictate that this user have as little privilege as possible on the server itself, since security vulnerabilities in web applications and web servers are so commonly exploited." In practice, though, McGeorge says that hackers could have found credentials or other information in plaintext right away if Equifax didn't have proper protections in place. "Generally when you successfully exploit a web-application bug like this you will become the system user who owns the web server process," says Alex McGeorge, the head of threat intelligence at the security firm Immunity. But the timeline suggests that time was on the attackers' side."Īfter exploiting the vulnerability to gain a foothold, the attackers may have found scores of unprotected data immediately or may have worked over time-between mid-May and the end of July-to gain more and more access to Equifax's systems. "It's hard to say how difficult it will have been for the attackers to get their hands on customer data once they found their way into Equifax's servers and network. "Once they identified Equifax's systems as vulnerable, actually exploiting the vulnerability to gain access to the Equifax servers and network will unfortunately have been relatively easy," says van Schaik, who recently discovered and disclosed a different Apache Struts bug. Penetration testers and other security researchers say that it would have been simple for an attacker to exploit the flaw and get into the system. But observers say the ongoing discoveries increasingly paint a picture of negligence-especially in Equifax's failure to protect itself against a known flaw with a ready fix. And as security journalist Brian Krebs first reported, a web portal for handling credit-report disputes from customers in Argentina used the embarrassingly inadequate credentials of "admin/admin." Equifax took the platform down on Tuesday. Even then, the site that Equifax set up in response to address questions and offer free credit monitoring was itself riddled with vulnerabilities. The company took six weeks to notify the public after finding out about the breach. It didn't.Īs the security community processes the news and scrutinizes Equifax's cybersecurity posture, numerous doubts have surfaced about the organization's competence as a data steward. In other words, the credit-reporting giant had more than two months to take precautions that would have defended the personal data of 143 million people from being exposed. Capping a week of incompetence, failures, and general shady behavior in responding to its massive data breach, Equifax has confirmed that attackers entered its system in mid-May through a web-application vulnerability that had a patch available in March.
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |