uniport.blogg.se

1. Equifax data breach analysis update#
2. Equifax data breach analysis Patch#
3. Equifax data breach analysis Offline#

This was all while its call centers were overloaded, and many struggled to get basic questions answered.

Equifax data breach analysis Offline#

The site was later pulled offline after another security researcher found a flaw in the credit freezing site that let an attacker siphon off sensitive consumer data. When concerned consumers finally got through to the site, they were offered Equifax’s own credit freezing service, which was kicking out weak PIN numbers - the one and only thing that was protecting consumers’ already fragile credit. Then the site was quickly impersonated - and was inadvertently linked to by Equifax’s own social media staff. When Equifax’s “are you at risk?” website wasn’t crashing, it was spewing out incorrect results. Two more months later, Equifax went public.

“Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented,” said the report.

Equifax data breach analysis update#

It took another two months for Equifax to update the expired certificate, at which point staff “immediately noticed suspicious web traffic.” Even Equifax’s own former chief information officer David Webb - who also “retired” following the incident - told House investigators that the whole incident could have been prevented had the company updated the vulnerable Struts system within two days of the patch’s release. “Equifax did not see the data exfiltration because the device used to monitor network traffic had been inactive for 19 months due to an expired security certificate,” the report said. In fact, it was just another example in the company’s cavalier attitude toward data security, the House report found.

Equifax data breach analysis Patch#

The attackers used the vulnerability to pop a web shell on the server weeks later, and managed to retain access for more than two months, the House panel found, and were able to pivot through the company’s various systems by obtaining an unencrypted file of passwords on one server, letting the hackers access more than 48 databases containing unencrypted consumer credit data.ĭuring that time, the hackers sent more than 9,000 queries on the databases, downloading data on 265 separate occasions.Įquifax’s former boss Smith passed the buck onto a single IT staffer for failing to patch the Struts system. The unpatched Apache Struts server was powering its five-decades-old(!) web-facing system that allowed consumers to check their credit rating from the company’s website. The credit agency failed to patch a disclosed vulnerability in Apache Struts, a common open source web server, which Homeland Security had issued a warning about some months before.

The report confirmed most of what was already known, but added new color and insights that were previously unreported. “Such a breach was entirely preventable,” said the report. Smith boasted that the credit giant held “almost 1,200 times” the data held in the Library of Congress every day, but the House report said that Equifax had “failed to implement an adequate security program to protect this sensitive data.” The House report was scathing, criticizing the handling of the hack by Equifax’s former chief executive Richard Smith - who went on to “retire” following the breach. Yet, to date, the company has faced almost no repercussions, despite a string of corporate failings that led to one of the largest data breaches in history.

with that figure later rising to 148 million consumers.

Some 143 million consumers around the world were affected - most of which were in the U.S., but also Canada and the U.K. It comes a little over a year after Equifax, one of the world’s largest credit rating agencies, confirmed its systems had fallen to hackers. A House Oversight Committee report out Monday has concluded that Equifax’s security practices and policies were sub-par and its systems were old and out-of-date, and bothering with basic security measures - like patching vulnerable systems - could’ve prevented its massive data breach last year.