The big Equifax data breach and its settlement are still an ongoing process
PaySpace Magazine has decided to bring up the scandal related to the big Equifax data breach. As it turns out, it is still an ongoing process, so the story is far from over.
You may remember the 2017 leak of personal data from the Equifax databases, which affected around 145.5M customers. A year later, in August 2018, the GAO (Government Accountability Office), which is an auditing, evaluation and investigative service of the US Congress, released a report, “Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach”.
Equifax is a consumer credit agency, and it is one of the largest credit bureaus in the US (along with Experian and TransUnion). The bureau has an extensive client database covering both individuals and entities.
How is it going?
All the information about the incident was already known in 2017, but we still would like to go through the major points of the attack.
10 March 2017 – the attackers scanned services reachable from the internet for the weak points that US-CERT had reported two days earlier. A vulnerability in the Apache Struts web framework (CVE-2017-5638) was found on the portal that allows users to download documents related to disputes over the accuracy of Equifax credit reports. The intruders used this weakness to gain unauthorized access to the portal with the help of specialized software. At that point, the perpetrators had not yet started stealing data.
13 March 2017 – the intruders began to steal data. With the portal compromised, they sent requests to different databases in search of useful information, and found a repository with personal data along with unencrypted logins and passwords that gave access to other databases. The intruders managed to send no fewer than 9000 requests, and most of the responses contained personal data. They used existing encrypted communication channels to disguise their requests and commands, which let them blend into the normal network flow and go unnoticed. The data was transmitted outside in small portions, and one of the reasons the theft succeeded was that it looked like ordinary encrypted traffic. The attack continued for 76 days, until it was discovered.
29 July 2017 – information security experts, conducting a full check of the state of the IT infrastructure, discovered the intrusion on the portal. It became detectable once encrypted traffic began to be inspected: commands that were not part of standard system operation were found. Until that date, intrusion detection systems had not inspected encrypted traffic, because the certificate had expired and a new one had not been installed. The certificate had expired ten months earlier, so encrypted traffic went uninspected for ten months. Having found the intrusion, the specialists blocked the IP addresses from which the requests came.
30 July 2017 – The Department of Information Security discovered additional suspicious activity. It was decided to close access to the portal.
31 July 2017 – the CISO (Chief Information Security Officer) informed the CEO about the incident.
2 August – 2 October 2017 – Equifax opened an investigation into the situation, trying to determine how much data was stolen and how many people could be affected by this leak. On August 2, the company notified the FBI about the leak.
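The 29 July entry turns on a certificate that had been expired for ten months, leaving the intrusion detection systems blind to encrypted traffic. The following check is an added example, not part of the original article or of the GAO report: it ranks an expired certificate on an inspection device above any other expiry. The inventory names, roles, dates and the 30-day warning window are constructed assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory (not real Equifax data): component -> (role, notAfter),
# with notAfter in the form printed by `openssl x509 -noout -enddate`.
INVENTORY = {
    "ids-tls-inspection": ("inspection", "notAfter=Sep 29 00:00:00 2016 GMT"),
    "dispute-portal":     ("server",     "notAfter=Aug 15 00:00:00 2017 GMT"),
    "vpn-gateway":        ("server",     "notAfter=Jul 29 00:00:00 2018 GMT"),
}

def days_left(not_after, now):
    """Whole days until expiry; negative when the certificate has expired."""
    stamp = not_after.split("=", 1)[-1].strip()
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(stamp), tz=timezone.utc)
    return (expires - now).days

def audit(inventory, now, warn_days=30):
    """Return (severity, name, days_left) tuples, most urgent first."""
    findings = []
    for name, (role, not_after) in inventory.items():
        left = days_left(not_after, now)
        if left < 0:
            # An expired certificate on an inspection device means encrypted
            # traffic passes unexamined, so it outranks an ordinary expiry.
            severity = "CRITICAL" if role == "inspection" else "EXPIRED"
        elif left <= warn_days:
            severity = "EXPIRING"
        else:
            severity = "OK"
        findings.append((severity, name, left))
    order = {"CRITICAL": 0, "EXPIRED": 1, "EXPIRING": 2, "OK": 3}
    return sorted(findings, key=lambda f: (order[f[0]], f[2]))

if __name__ == "__main__":
    # Discovery date taken from the timeline above.
    now = datetime(2017, 7, 29, tzinfo=timezone.utc)
    for severity, name, left in audit(INVENTORY, now):
        print(f"{severity:9} {name:20} {left:+5d} days")
```

Run on a schedule against the real certificate inventory, a check like this raises the alarm before the warning window closes rather than ten months after expiry.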
The price of the Equifax data breach
According to different sources, Equifax has already spent around $1.4B to handle the data breach incident, but the story is far from over. The expenditures include the costs of strengthening security systems, customer support, legal fees, and various lawsuit payments.
Representatives of Equifax say that for now it is not possible to estimate, even approximately, the expenses that the company still has to bear. Additional costs may arise primarily after adverse court decisions on claims, as well as from fines and other payments. In total, there are more than 1,000 lawsuits against Equifax (including class actions).
Equifax data breach settlement scam
As we all know, when it rains, it pours. In addition to legal and settlement problems, Equifax faces one more issue – fraudsters who have managed to create tons of fake settlement websites that look like the genuine one, the site intended for filing claims.
Moreover, the FTC (Federal Trade Commission) settlement requires the bureau to pay $425M, arguing that consumers have suffered damage (scammers steal personal data with the help of the claims from fake websites).
The Feds also warn that scammers have become crafty, and sometimes it is extremely hard to distinguish the genuine site from a fake one, so they shared the link where consumers can file claims.
Furthermore, they remind citizens not to share personal data (social security info, etc.) with any sites or callers that are not linked to the FTC website.