Breach Notification , Breach Response , Data Breach

Equifax Breach Probe: 145.5 Million US Consumers Exposed

Mandiant Investigators Find More US Victims, But Fewer Canadians' Data Exposed
Equifax Breach Probe: 145.5 Million US Consumers Exposed

Credit-reporting agency Equifax says its massive breach was even worse than it suspected.

See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach

Equifax says in a Tuesday news release that investigators have identified 2.5 million more U.S. consumers' personal details were exposed than they initially found.

As a result, the data breach victim tally for U.S. consumers now stands at 145.5 million, according to FireEye's Mandiant incident response group, which has been investigating the breach since early August.

Equifax says the greater count of breach victims comes via databases and tables already known to have been breached. "Mandiant did not identify any evidence of additional or new attacker activity or any access to new databases or tables," the company says in a statement. "Instead, this additional population of consumers was confirmed during Mandiant's completion of the remaining investigative tasks and quality assurance procedures built into the investigative process."

Mandiant's digital forensic investigation concluded about four weeks after it launched.

"I was advised Sunday that the analysis of the number of consumers potentially impacted by the cybersecurity incident has been completed, and I directed that the results be promptly released," Paulino do Rego Barros, Jr., Equifax's interim CEO, says in a statement.

Newly identified victims won't be able to find out that they were affected by the breach for up to five more days. Equifax says that the dedicated breach-notification site, www.equifaxsecurity2017.com, that it launched on Sept. 7, when it issued its first public notification about the data breach, will be updated by Oct. 8 with the details of the additional 2.5 million breach victims. The credit-reporting agency has also promised to directly notify these additional victims via postal mail notices.

Equifax has said that it was breached on March 10 by hackers who exploited a security flaw in its open source Apache Struts application framework. Apache on March 6 had released an emergency security update to patch a flaw that it said attackers were actively exploiting (see Equifax's Colossal Error: Not Patching Apache Struts Flaw). Equifax says that, after the intrusion, data appeared to have been stolen in May, but the theft wasn't discovered until late July.

Ex-CEO Faces Capitol Hill Hearings

Prepared Testimony of Richard F. Smith before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection.

The final tally of Equifax data breach victims was issued on the eve of its former CEO, Richard Smith, appearing Tuesday before the House Energy and Commerce Committee. That's the first of a trio of Capital Hill hearings at which Smith, who "retired" last week, is scheduled to testify this week (see Congress Grills Equifax Ex-CEO on Breach).

In his written testimony Smith blamed "human error and technology failures" for the breach. Equifax's security policies say that all flaws must be patched within 48 hours of a security alert being received. "We now know that the vulnerable version of Apache Struts within Equifax was not identified or patched," Smith said in his prepared testimony.

For some reason, Equifax's security team failed to find the version of Struts that attackers exploited. "On March 15, Equifax's information security department also ran scans that should have identified any systems that were vulnerable to the Apache Struts issue identified by U.S. CERT," Smith added. "Unfortunately, however, the scans did not identify the Apache Struts vulnerability."

More Breach Details

Extract from Richard F. Smith's prepared testimony.

More Canadians Exposed

Looking beyond the United States, Equifax said that while it initially suspected that 100,000 Canadians' personal details were exposed in the breach, Mandiant's "completed review subsequently determined that personal information of approximately 8,000 Canadian consumers was impacted."

Equifax says that it "will mail written notice to all of the potentially impacted Canadian citizens."

But Equifax is now warning that some of those Canadian victims had their payment card details exposed, which it had not previously found. Equifax has yet to reveal how many Canadians' payment cards were exposed, but it says that it is a subset of the 209,000 exposed payment card details that it initially ascribed to U.S. consumers alone.

The company has also said that 182,000 U.S. individuals' personal details were exposed via breached credit dispute documents.

British Investigation Completed

Data on British consumers that Equifax said it was inadvertently storing on U.S. servers was also exposed in the breach. Equifax has previously said that information on 400,000 U.K. consumers was exposed, and it has not revised that figure.

"The forensic investigation related to United Kingdom consumers has been completed and the resulting information is now being analyzed in the United Kingdom," Equifax says in a statement. The company adds that it is working with U.K. regulators to agree on how affected consumers should be notified.

Regulators in Britain and Canada have said they are probing the breach. If Equifax was found to have violated the U.K. Data Protection Act, it could be fined up to £500,000 ($663,000) by the Information Commissioner's Office (see TalkTalk Slammed with Record Fine Over Breach).

Multiple Lawsuits, Probes

The FBI has launched a criminal investigation into the Equifax breach. The credit-reporting agency also faces probes by the Federal Trade Commission and the U.S. Securities and Exchange Commission - including questions over suspiciously timed stock sales made by three senior executives, including the CFO.

Equifax also faces a raft of consumer lawsuits in the United States and Canada, and the prospect of financial services firms suing to attempt to recover losses and damages relating to exposed payment card accounts and card-reissuing costs.

"I want to apologize again to all impacted consumers," Barros, the interim Equifax CEO, says in a statement. "As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices. We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements."

Separately, an investigation by Information Security Media Group has found that Equifax's website in Australia was being used by scammers to host files tied to pirate live-streaming services for NFL and World Cup soccer matches, among other types of content. The link-spam schemes appeared to be designed to elevate scammers' content in search results, and raise further questions about Equifax's information security acumen (see Scammers Hosted Files on Equifax's Australian Website).


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network