For those of you that have just emerged from under your rock to read this article, I appreciate it, but if you haven’t heard, a cyber security breach on one of the 3 main credit bureaus, Equifax, effecting over 143 Million Americans was announced this past week and some are touting this as one of the worst breaches in history. While we wait for the smoke to settle on this one, I wanted to put together a small collection of some of the key points I have heard being discussed and why they make this one of the more serious breaches in history.
Severity of leaked data – The data reported to have been stolen includes the full names, address, birth date, social security number, and in some cases the drivers license number of approximately 143 million Americans. In addition to this, approximately 200k credit card numbers and associated information has been stolen. Finally, there are also some reports of “certain dispute documents” having been stolen effecting approximately 182k people and even mentions of “limited personal information” being leaked about some UK and Canadian citizens as well. This information is worse than your average user account data breach as it contains all of the essential information for stealing ones identity.
Quality of Response – The incident was discovered on July 29th of this year. Ignoring the fact that 3 Equifax executives sold off their stock just days after the breach was discovered and still weeks before it was disclosed, the response from the company has been less than adequate in many consumers eyes. The company put up the website https://www.equifaxsecurity2017.com/ as a place to consolidate information about the breach and to offer their attempts at an apology. The site is supposed to allow users to check if they have been effected by the breach, however many discovered that entering literally any string into the name field and any 6 digits into the SSN field would return a positive response indicating that you had in fact been affected by the breach. Others found that the page was a default and relatively insecure instance of WordPress, using a free / shared CloudFlare SSL certificate, was not registered to / owned by Equifax, were picked up by many firewalls as a phishing website, was displaying debug information on some pages, and at one point was serving a plain text page that included a username and password log in to the web server the page was running on. All these security woes with the response page might not have been as big of a deal if it weren’t for the fact that the page was collecting your full name and 6 of your 8 digits of your SSN, as well as offering a place for users to sign up for the free 1 year of “protection” that Equifax is offering as part of their “we’re sorry”. Worse more is that by signing up for the free “protection” services they are offering, you have to agree to ToS that waives your right to participate in any lawsuits against Equifax regarding the breach (or at least that is how I understood it, I am not a lawyer, please read sited sources for more information). Another issue that one Twitter user pointed out is that the “security” PIN that is given to you when you freeze your credit with Equifax is just a MMDDYYHHMM time stamp. So far, it does not appear as though the community at large is too pleased with the way Equifax has handled this, and reports of lawsuits asking upwards of 70 Billion dollars in damages have been filed already against the company. It has also been reported that Equifax has no method in place for users to completely remove their information from the company’s records.
Who Is To Blame – Though not officially from Equifax, the reports are that the breach was caused by a vulnerability in the Apache STRUTS framework. Some reports indicate the vulnerability used to breach the Equifax servers was one that was disclosed in March of 2017 and patched by the software vendor soon after. As for the perpetrators of the crime, while currently unconfirmed, a duo calling themselves “firstname.lastname@example.org” has posted on twitter claiming responsibility for the breach. So far, mixed information has been released regarding the leaking of the information. Some reports indicate they are ransoming the data for as much as 600BTC, where as other sources say that all of the information (expect the 200k+ credit cards) will be leaked regardless of ransom on the 15th of September. To even further confuse things, a user on twitter going by @real_1x0123 uploaded a picture of a directory listing of a number of Equifax sub domains offering shell access to them for 1BTC (each presumably). Equifax refused to comment on either claims of extortion or continued control of certain subdomains by the attackers. One article reported that one of the subdomains on the list was accessible prior to the tweet of the list of compromised websites but is now not serving any data, thus implying that perhaps one of the domains has been overtaken / sold.
[UPDATE] – Thanks to some digging from a few community members, it appears that the badtouchxxxx.onion address and the pasthole@ email address, along with the content and promises made at the site are most likely belonging to scammers and not the actual attackers. More info can be found here.
What to do – The first cross roads in how to handle this situation comes in the form of “should you take the free services from Equifax?”. On one side, its a free service that presumably has some value and is the company’s way of attempting to make things right and help protect you their customer. On the flip side, signing up for these services requires you to waive your right to any sort of resolution via the court system in regards to this incident, and as some have pointed out, how valuable can you expect these services to be considering the current state of the company offering them. Regardless of if you sign up for the Equifax services, a smart plan would be to pay the small fee and have your credit frozen which will make it prohibitively difficult for a would be identity thief to steal your identity.
Going Forward – In the days and weeks to come it will be difficult for many Americans as the information stolen leaks out and the black hats of the world get their hands on it and begin their malicious doings, however we must try and learn from these mistakes. We need to investigate thoroughly the cause and failures in incidents like these, and when malfeasance is found we need to hold the guilty party accountable in order to defer the behavior that led to this incident in the first place. It is not enough for us to punish those who deserve blame, but we must also look at ourselves as a whole group and make improvements there. Why do we trust the “big three” credit bureaus with so much information? Why is this information not better secured? How can we incentivize companies to prioritize security and user privacy? What can we do to prevent identity theft / provide a recovery path for identity theft victims on a large scale?
I hope everyone enjoyed the break down, leave your thoughts in the comments and we can have a discussion as we wait for more evidence to trickle in. As I receive more news on the story I will periodically update the article, or depending on how it plays out may write an entirely new follow up article (which would also be linked here in an update).
Sources / Further Reading –