Equifax breach bigger than first reported

Credit rating firm says up to 145.5 million consumers may have been affected by cyber breach earlier this year

Equifax has revealed that 2.5 million more US consumers may have been affected by the cyber breach at the firm between mid-May and July than had first been thought.

Initial reports said the personal data of 143 million US consumers had potentially been exposed, but now the credit rating firm says up to 145.5 million may have been affected.

The exposed data reportedly included names, social security numbers, dates of birth, addresses, credit card numbers and other information.

The estimated impact of the breach was increased following investigations by cyber security firm Mandiant, but Equifax said forensic investigators have not found any evidence of new or additional hacking activity or unauthorised access to new databases or tables.

Equifax previously disclosed that about 400,000 consumers in the UK and 100,000 in Canada may also have been affected by the breach, but now it says it believes only 8,000 Canadians were affected.

The company said the forensic investigation related to UK consumers has been completed and the resulting information is now being analysed in the UK. “Equifax is continuing discussions with regulators in the UK regarding the scope of the company’s consumer notifications as the analysis of the completed forensic investigation is completed,” it said.

The UK data was restricted to name, date of birth, email address and a telephone number, but did not include any residential address information, password information or financial data, said Equifax.

The company has been criticised for failing to protect personal data and not notifying affected consumers until September, more than a month after halting the attack.

Just over a week after the breach was made public, Equifax announced that chief information officer Susan Mauldin and chief security officer David Webb were “retiring” and, less than two weeks later, Richard Smith said he was stepping down as CEO.

News that more US consumers may have been affected came on the eve of Smith’s appearance before a House Energy and Commerce Committee hearing about the breach in the US Congress on 3 October 2017.

Smith also published remarks for Congress in which he called on the US to adopt new standards for customer credit data, saying consumers should have sole control over access to their credit data.

He confirmed that the first attack happened in May and took advantage of a software vulnerability that Equifax had been warned about in March, but failed to address effectively.

Equifax previously identified a known and patched vulnerability in the Apache Struts web application framework as the initial attack vector, but said the investigation was continuing and that more information would be released as it emerged.

Equifax identified an intrusion on 29 July, and Smith said he was informed of the problem two days later, but it was only in mid-August that an investigation revealed the extent of the breach.

Smith said Equifax faced a “massive” task to prepare to respond to customers and had been overwhelmed by calls after the breach became public.

Equifax, which holds data on more than 820 million consumers and 91 million businesses, faces dozens of legal claims over the breach, including a class-action lawsuit by several US small businesses, representing millions of others affected by a breach of personal data.

Like the WannaCry and NotPetya global cyber attacks, the Equifax breach has again underlined the importance of organisations having an effective process for ensuring all software is kept up to date and that security patches are applied.

The breach has also demonstrated the importance of organisations’ boards paying attention to cyber security and the importance of secure software development processes to ensure web applications do not give attackers a way in to organisations.