Tag Archives: Equifax

Equifax Ignored Warning of Breach, Says Researcher

A security researcher claims to have warned Equifax of major vulnerabilities to its computer systems last December. If true, this contradicts the company’s claim to have only learned about the problems this spring—and provides more evidence Equifax could have prevented a catastrophic data breach that affected at least 145 million Americans.

The new allegations, reported by a security reporter at tech news site Motherboard, say the unnamed researcher scanned servers and public-facing websites, and discovered it was easy to access troves of personal data of Equifax customers.

In at least one case, a website that appeared to be an internal employee portal for looking up customer information could be accessed by anyone on the Internet. Overall, the security vulnerabilities appeared to have offered easy access to a staggering amount of sensitive data:

[T]he researcher couldn’t believe what they had found. One particular website allowed them to access the personal data of every American, including social security numbers, full names, birthdates, and city and state of residence.

The researcher, who asked for anonymity out of “professional concerns,” claims to have told Equifax about the vulnerabilities immediately after discovering them, and urged it to take down exposed websites, but says the company failed to act.

These allegations, if accurate, reinforce indications that Equifax—which has a significant business selling data protection tools—was shockingly negligent and incompetent when it came to security. Earlier accounts of the breach have already indicated that hackers got in because the company failed to update its software, which should be standard practice for any corporation, and especially for those who handle sensitive consumer data.

As Motherboard notes, all of this also suggests that the gaping security holes could have been exploited repeatedly by multiple hackers.

“If it took me three hours to find that website, I definitely think I’m not the only one who found it. It wasn’t just one breach. It was maybe dozens,” the researcher claimed.

Equifax has yet to provide a public response to the new allegations, beyond saying the company doesn’t comment on “internal security operations.”

Equifax is currently facing dozens of lawsuits over the data breach from consumer class action attorneys and from state and city governments. The new allegations are likely to provide the plaintiffs with new ammunition to obtain damages. As Fortune has reported, the Equifax hacking incident is likely to differ from earlier mass data breaches in that the company could pay out real money to the consumers affected.

Source:

http://fortune.com/2017/10/26/equifax-ignored-warning-of-breach-says-researcher/

Chatbot offers legal help to Equifax data breach victims

The DoNotPay robot lawyer generates documents US consumers can take to the small claims court.

Depending on the state, consumers can sue Equifax for up to $25,000 (£19,000).

The Equifax data breach has affected 143 million US customers.

Despite repeated requests by the BBC, Equifax has not confirmed exactly how many UK consumers were affected, but reports suggest the details of up to 44 million British people may have been compromised.

The firm has committed to working with regulators in the US, UK and Canada on next steps. It is also offering free credit monitoring and identity theft protection for a year.

“We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations,” said Richard Smith, Equifax chairman and chief executive, when the breach was revealed.

DoNotPay was invented by British teenager Joshua Browder, who is an undergraduate at Stanford University.

The free service was originally designed to help appeal against parking or speeding tickets by selecting the right letter that corresponds to the user’s issue.

This is not the first time it has been programmed for altruistic purposes – in March, Mr Browder adapted the bot to help asylum seekers with immigration applications and to obtain financial support.

As of July, he estimated that the bot had helped to defeat 375,000 parking tickets in two years.

Unauthorised access

At the end of July, Equifax discovered signs of unauthorised access to data including names, addresses and social security numbers.

The credit report giant set up a website where consumers can check whether their information was accessed and sign up for free credit and identity theft monitoring.

The data breach is one of the biggest ever reported in the US and victims are at risk of identity theft and fraud.

Source:

http://www.bbc.com/news/technology-41239513

Equifax Says Cyberattack May Have Affected 143 Million Customers

Equifax, one of the three major consumer credit reporting agencies, said on Thursday that hackers had gained access to company data that potentially compromised sensitive information for 143 million American consumers, including Social Security numbers and driver’s license numbers.

The attack on the company represents one of the largest risks to personally sensitive information in recent years, and is the third major cybersecurity threat for the agency since 2015.

Equifax, based in Atlanta, is a particularly tempting target for hackers. If identity thieves wanted to hit one place to grab all the data needed to do the most damage, they would go straight to one of the three major credit reporting agencies.

“This is about as bad as it gets,” said Pamela Dixon, executive director of the World Privacy Forum, a nonprofit research group. “If you have a credit report, chances are you may be in this breach. The chances are much better than 50 percent.”

Criminals gained access to certain files in the company’s system from mid-May to July by exploiting a weak point in website software, according to an investigation by Equifax and security consultants. The company said that it discovered the intrusion on July 29 and has since found no evidence of unauthorized activity on its main consumer or commercial credit reporting databases.

In addition to the other material, hackers were also able to retrieve names, birth dates and addresses. Credit card numbers for 209,000 consumers were stolen, while documents with personal information used in disputes for 182,000 people were also taken.

Other cyberattacks, such as the two breaches that Yahoo announced in 2016, have eclipsed the penetration at Equifax in sheer size, but the Equifax attack is worse in terms of severity. Thieves were able to siphon far more personal information — the keys that unlock consumers’ medical histories, bank accounts and employee accounts.

“On a scale of 1 to 10 in terms of risk to consumers, this is a 10,” said Avivah Litan, a fraud analyst at Gartner.

An F.B.I. spokesperson said the agency was aware of the breach and was tracking the situation.

Last year, identity thieves successfully made off with critical W-2 tax and salary data from an Equifax website. And earlier this year, thieves again stole W-2 tax data from an Equifax subsidiary, TALX, which provides online payroll, tax and human resources services to some of the nation’s largest corporations.

Source: