
Equifax: US Breach Victim Tally Stands at 146.6 Million

Unpatched Struts Implementations Remain Widespread, Researcher Warns

Data broker Equifax continues to field queries from lawmakers about the full extent of its massive 2017 data breach (see Equifax Discloses 2.4 Million More Mega-Breach Victims).


Equifax said on Friday that in response to requests for additional information, it's shared more breach details with several U.S. Congressional committees. Notably, the data broker said that its breach investigators found that consumers had uploaded images of various government-issued identity documents that were exposed in the attack, including 38,000 driver's licenses, 12,000 Social Security or taxpayer ID cards, and 3,200 passports.

Thankfully, the data broker hasn't revised its breach tally, which for U.S. consumers stands at 146.6 million individuals.

"Equifax is confident that the additional detail about the 2017 cybersecurity incident does not identify new stolen data or newly impacted consumers and does not require additional consumer notification," the company says in a statement. "Equifax is committed to working with Congress and providing accurate information about the cybersecurity incident."

Breach Victim Tally

Data stolen in the 2017 Equifax data breach. Note: Some consumers had multiple personal details stolen. (Source: Equifax)

On Monday, Equifax reported via an 8-K filing and statement for the record submitted to the U.S. Securities and Exchange Commission that its tally of U.S. breach victims is approximate, owing, in part, to different database tables having elements that "were not consistently labeled."

Equifax's statement explains: "For example, not every database table contained a field for driver's license number, and for more common elements like first name, one table may have labeled the column containing first name as 'FIRSTNAME,' another may have used 'USER_FIRST_NAME,' and a third may have used 'FIRST_NM.'"

But the company says it believes that it's now identified all consumers whose personal details were exposed. "With assistance from Mandiant, a cybersecurity firm, forensic investigators were able to standardize certain data elements for further analysis to determine the impacted consumers and Equifax's notification obligations," it says, adding that all U.S. victims have been notified.
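The labeling problem Equifax describes is a common scoping task in breach response: before impacted individuals can be counted, column names have to be mapped onto canonical data elements and records keyed on a stable identifier, or the same person is counted several times. The script below is an added illustration, not Equifax's or Mandiant's code; its alias map (beyond the three first-name labels quoted above), table names and rows are constructed.

```python
# Added example (not Equifax's or Mandiant's code): map inconsistently labeled
# columns across breach-scoped tables onto canonical elements, then count
# unique impacted consumers and how many had each element exposed.
import re
from collections import Counter

# canonical element -> column labels seen in different tables (the three
# first-name labels are the ones Equifax cited; the rest are constructed)
ALIASES = {
    "first_name": {"FIRSTNAME", "USER_FIRST_NAME", "FIRST_NM"},
    "ssn": {"SSN", "SOC_SEC_NO"},
    "dl_number": {"DL_NO", "DRIVERS_LICENSE"},
}
LOOKUP = {alias: canon for canon, names in ALIASES.items() for alias in names}

def normalize_row(row):
    """Rename known columns to canonical names; drop unknown or empty ones."""
    out = {}
    for col, value in row.items():
        canon = LOOKUP.get(col.strip().upper())
        if canon and (value or "").strip():
            out[canon] = value.strip()
    return out

def scope_breach(tables):
    """Return (unique consumers keyed by SSN digits, rows with no usable SSN,
    per-element exposure counts). '123-45-6789' and '123456789' are one person;
    rows without an SSN cannot be safely deduplicated, so they are reported
    separately rather than silently merged or dropped."""
    consumers, unkeyed = {}, 0
    for _table, rows in tables:
        for rec in map(normalize_row, rows):
            if "ssn" not in rec:
                unkeyed += bool(rec)
                continue
            key = re.sub(r"\D", "", rec["ssn"])
            consumers.setdefault(key, set()).update(rec)
    elements = Counter(e for exposed in consumers.values() for e in exposed)
    return len(consumers), unkeyed, dict(elements)

# constructed sample: Ana appears in two tables under different labels and
# SSN formatting; the legacy table has no SSN column at all
SAMPLE_TABLES = [
    ("consumer_core", [{"FIRSTNAME": "Ana", "SSN": "123-45-6789"},
                       {"FIRSTNAME": "Ben", "SSN": "987-65-4321", "DL_NO": "D111"}]),
    ("dispute_docs", [{"USER_FIRST_NAME": "Ana", "SOC_SEC_NO": "123456789",
                       "DRIVERS_LICENSE": "D222"},
                      {"USER_FIRST_NAME": "Cy", "SOC_SEC_NO": "555-55-5555"}]),
    ("legacy_profiles", [{"FIRST_NM": "Dee", "MISC": "x"}]),
]
```

Running `scope_breach(SAMPLE_TABLES)` reports three distinct consumers plus one record that cannot be keyed, which is the kind of residual uncertainty behind a tally described as approximate.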

Equifax's current tally of breach victims includes:

  • 143 million U.S. consumers whose names, Social Security numbers, birthdates, addresses and - in some instances - driver's license numbers were exposed.
  • 182,000 U.S. consumers for whom "certain dispute documents with personal identifying information" were exposed.
  • 15 million U.K. consumers, of which about 860,000 are at risk of identity theft.
  • 8,000 Canadian consumers.

New CISO Creates Fusion Center

Equifax's breach led to the departure of CEO Richard Smith and CSO Susan Mauldin, among others.

Following the breach, the company in February hired Home Depot veteran Jamil Farshchi as its new CISO.

Farshchi last week told the Wall Street Journal that he's been overhauling Equifax's approach to cybersecurity as well as disaster response. He's created a so-called fusion center - blending information security, physical security and crisis management, and aimed at facilitating better information sharing - inside Equifax that's modeled on how some public sector entities handle emergency response.

"Especially coming out of a breach, there are a tremendous number of demands from a security standpoint because everything becomes priority one," Farshchi told the Wall Street Journal.

Equifax Failed to Patch Struts

Now-former Equifax CEO Smith blamed the breach on a single employee having failed to patch the company's Apache Struts web application implementation after an emergency patch was issued for Struts (see Equifax Ex-CEO Blames One Employee For Patch Failures).

Last October, Smith told a Congressional committee that Equifax issued an internal alert on March 9, 2017, instructing all administrators to update Struts. But he said that at least one Struts application wasn't patched, or caught by March 15 scans looking for vulnerable implementations.

Equifax said an attacker targeted and exploited the Struts flaw to gain access to its systems on March 10. Later, it said, the attacker exfiltrated massive amounts of data over a three-month period.

Unpatched Struts Implementations Abound

Equifax's failure to patch or catch the vulnerable Struts implementation had consequences that are now well known. But the company is far from the only organization that has been using Struts and failing to keep it fully patched.

"Equifax was not alone," says Derek E. Weeks, a DevOps advocate at cybersecurity startup Sonatype, which tracks code used by software developers.

From March 2017 through February 2018, nearly 11,000 organizations downloaded a version of Apache Struts that included known flaws, Weeks said in a presentation at last month's RSA Conference in San Francisco titled "We Are All Equifax."

In "We Are All Equifax," an RSA Conference 2018 presentation in San Francisco on April 16, Sonatype's Derek Weeks describes the degree to which developers use software components that have known flaws.

According to a list posted by Weeks on Monday, many more organizations than Equifax appear to have been breached via attackers who exploited known, unpatched flaws in their Struts implementations.

"Everyone knows the Equifax story, but for folks like me who have been paying closer attention, the story also includes the Canadian Revenue Agency, Okinawa Power, the Japanese Post, the India Post, AADHAAR, Apple, University of Delaware, and the GMO Payment Gateway," he says.


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.