Nmedia - Fotolia

Equifax breach bigger than first reported

Credit rating firm says up to 145.5 million consumers may have been affected by cyber breach earlier this year

Equifax has revealed that 2.5 million more US consumers may have been affected by the cyber breach at the firm between mid-May and July than had first been thought.

Initial reports said the personal data of 143 million US consumers had potentially been exposed, but now the credit rating firm says up to 145.5 million may have been affected.

The exposed data reportedly included names, social security numbers, dates of birth, addresses, credit card numbers and other information.

The impact of the breach was increased based on investigations by cyber security firm Mandiant, but Equifax said forensic investigators has not found any evidence of new or additional hacking activity or unauthorised access to new databases or tables.

Equifax previously disclosed that about 400,000 consumers in the UK and 100,000 in Canada may also have been affected by the breach, but now it says it believes only 8,000 Canadians were affected.

The company said the forensic investigation related to UK consumers has been completed and the resulting information is now being analysed in the UK. “Equifax is continuing discussions with regulators in the UK regarding the scope of the company’s consumer notifications as the analysis of the completed forensic investigation is completed,” it said.

The UK data was restricted to name, date of birth, email address and a telephone number, but did not include any residential address information, password information or financial data, said Equifax.

The company has been criticised for failing to protect personal data and not notifying affected consumers until September, more than a month after halting the attack.

Just over week after the breach was made public, Equifax announced that chief information officer Susan Mauldin and chief security officer David Webb were “retiring” and less than two weeks later, Richard Smith said he was stepping down as CEO.

Read more about the Equifax breach

News that more US consumers may have been affected came on the eve of Smith’s appearance before a House Energy and Commerce Committee hearing about the breach in the US Congress on 3 October 2017.

Smith also published remarks for Congress in which he called on the US to adopt new standards for customer credit data, saying consumers should have sole control over access to their credit data.

He confirmed that the first attack happened in May and took advantage of a software vulnerability that Equifax had been warned about in March, but failed to address effectively.

Equifax previously identified a known and patched vulnerability in the Apache Struts web application framework as the initial attack vector, but said the investigation was continuing and that more information would be released as it emerged.

Equifax identified an intrusion on 29 July, and Smith said he was informed of the problem two days later, but it was only in mid-August that an investigation revealed the extent of the breach.

Smith said Equifax faced a “massive” task to prepare to respond to customers and had been overwhelmed by calls after the breach became public.

Equifax, which holds data on more than 820 million consumers and 91 million businesses, faces dozens of legal claims over the breach, including a class-action lawsuit by several US small businesses, representing millions of others affected by a breach of personal data.

Like the WannaCry and NotPetya global cyber attacks, the Equifax breach has again underlined the importance of organisations having an effective process for ensuring all software is kept up to date and that security patches are applied.

The breach has also demonstrated the importance of organisations’ boards paying attention to cyber security and the importance of secure software development processes to ensure web applications do not give attackers a way in to organisations.

CW+

Features

Enjoy the benefits of CW+ membership, learn more and join.

Read more on Privacy and data protection

Join the conversation

2 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

#1) Significant jail time for minimally the CEO, CIO, CSO and CFO would not be unreasonable. But how will people who have been affected by this be made whole for the range of damages that will undoubtedly occur for many years to come? It's not like you can reissue new birth dates ...

#2) Since the Federal government has done nothing to stop the use of Social Security numbers (now called Taxpayer IDs) by private sector companies like Equifax and in fact have made it mandatory for financial service firms and others to use TIDs for reporting, where is their culpability in this?

#3) How much profit will be made by enterprising companies who will offer to "fix" the issue for affected individuals for a fee? And shouldn't Equifax be the one picking up the tab?



Cancel
I find it interesting (and infuriating!) that I had received a letter from Equifax a few months back advising they were reducing the identity theft insurance they offered when you were a paying for their monitoring services from $1 million to $25,000 per incident. I wish I could find that letter because I'm pretty sure I received it after May.
Cancel

-ADS BY GOOGLE

SearchCIO

SearchSecurity

SearchNetworking

SearchDataCenter

SearchDataManagement

Close