U.S. credit reporting agency Equifax has confirmed that an Apache Struts vulnerability exploited in the wild since March was used to breach its systems and cause possibly one of the worst leaks of highly sensitive personal and financial information.
Equifax informed customers on September 7 that hackers had access to its systems between May and late July of this year. The breach affects roughly 143 million U.S. consumers: their names, Social Security numbers, birthdates and addresses and, in some cases, driver’s license numbers. What’s worse, recent reports note that Equifax waited more than two months to apply a known patch that might have prevented the breach.
The fallout from the breach continues: several Equifax C-suite executives have stepped down, the Federal Trade Commission said it is investigating the breach, and New York Senator Chuck Schumer said the company's CEO and board should be held accountable.
Individuals in the U.K. and Canada are also affected, and a class action has already been initiated by Canadian consumers. All the while, identity protection providers stand to make record profits from the Equifax blunder. Some providers, such as LifeLock, actually use Equifax services as part of their core offering. This is an unfortunate relationship for those looking to avoid using Equifax or contributing to its bottom line.
The full impact of the breach may never be known, as many people will have their identities stolen or learn that credit cards were opened in their name without their knowledge. The stolen information will be used by attackers to initiate account resets via password reset/forgot password links, to “verify” identity for phone-based verifications, and overall, to enable identity fraud and theft.
What should consumers and technology providers do to protect themselves?
Consumers:
There are numerous ways for consumers to minimize the impact and to protect themselves from identity theft and fraud:
- Set up two-factor authentication immediately wherever it is available, especially for email, payroll and banking accounts that offer it. It’s an extra layer of security that requires not only a username and password but also something that only that user has or knows, i.e. a piece of information or a device that only they should have immediately on hand. It makes it harder for an intruder to gain access and steal that person's personal data or identity.
- Actively monitor your credit reports (not just annually).
- Actively and regularly monitor debit and credit accounts for unexpected transactions.
- Consider implementing credit freezes. This is available for a small fee from each bureau. There are also fees to “thaw” frozen accounts after each occurrence, although most customers do not need to thaw their credit report regularly. Equifax is currently offering this service free of charge after public feedback. Find out more (http://clark.com/personal-finance-credit/credit-freeze-and-thaw-guide/).
- Set a free fraud alert at one of the following sites:
- Notify family and friends that you may have been breached, and advise them to also take action to protect themselves.
NTT Security recommends that you do not enter your information into any site to check whether you have been compromised, including the verification site managed by Equifax called TrustedID. The breach affects 143 million Americans, roughly half of the U.S. population, so it’s safe to assume you are impacted. The TrustedID service, because it’s run by Equifax, which was itself breached, should be viewed with some caution at this time.
What Can Technology Providers or Implementers Do?
Information technology and security implementers aren’t safe from the breach either: many of their identity verification factors are potentially compromised, as well. Technology providers and implementers should reset passwords, incorporating as many additional factors as feasible. These password reset factors should always meet or exceed the primary authentication method’s controls.
In addition, consider incorporating the following security controls into your basic security practices:
Preventive
- SMS verification (2FA).
- Hardware/software token (2FA).
- Email verification (2FA).
- Automated voice verification systems (2FA).
- Generic error messages. Do not confirm or deny an account’s existence in error messages.
- Time-delay between authentication attempts.
- Adjust help desk reset procedures as necessary to incorporate new controls.
- Inventory where and how personal information is used in your organization for identity verification.
- Notify employees of this breach.
- Consider disabling internet-based reset functions if not required.
- Encrypt sensitive information at rest, including account reset questions.
- Communicate to your clients/consumers that you are aware of the situation and are monitoring it closely.
- Plan ahead. Publish a breach URL, DNS record or contact information as soon as possible. Internet archives capture historical content, which can help provide some assurance to site visitors in the event of a breach.
Detective
- Consider technologies such as CAPTCHA to fend off attackers targeting large numbers of users.
- Implement detective controls to alert on failed attempts, multiple successful resets from singular sources, and other irregular activities.
Corrective
- Block IP addresses of suspected threat actors based upon detected activities.
- Lock accounts suspected of unauthorized access.
- Require administrative unlock.
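One way to implement the detective and corrective controls above (alerting on repeated failed reset attempts against an account, and on many successful resets from a single source, then feeding the results to account lock and IP block lists). This is an added example, not code from the original post or from NTT Security; the log format, sample log lines and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample password-reset log lines (not real data).
SAMPLE_LOG = """\
2017-09-08T10:00:01Z reset_request src=203.0.113.5 account=alice result=success
2017-09-08T10:00:09Z reset_request src=203.0.113.5 account=bob result=success
2017-09-08T10:00:20Z reset_request src=203.0.113.5 account=carol result=success
2017-09-08T10:00:31Z reset_request src=203.0.113.5 account=dave result=success
2017-09-08T10:05:00Z reset_request src=198.51.100.7 account=erin result=failure
2017-09-08T10:05:03Z reset_request src=198.51.100.7 account=erin result=failure
2017-09-08T10:05:05Z reset_request src=198.51.100.7 account=erin result=failure
2017-09-08T10:05:08Z reset_request src=198.51.100.7 account=erin result=failure
2017-09-08T10:05:11Z reset_request src=198.51.100.7 account=erin result=failure
2017-09-08T11:30:00Z reset_request src=192.0.2.44 account=frank result=success
"""

def parse_line(line):
    """Parse one 'timestamp event key=value ...' line (assumed format) into a dict."""
    ts, _event, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect(log_text, window=timedelta(minutes=10), max_failures=3, max_resets_per_src=3):
    """Return accounts to lock (too many failed resets in the window) and
    source IPs to block (too many successful resets in the window)."""
    records = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r["ts"])
    alerts = {"lock_accounts": set(), "block_sources": set()}
    failures = defaultdict(list)  # account -> timestamps of failed resets
    resets = defaultdict(list)    # src IP -> timestamps of successful resets
    for r in records:
        if r["result"] == "failure":
            bucket, key, limit, out = failures, r["account"], max_failures, "lock_accounts"
        else:
            bucket, key, limit, out = resets, r["src"], max_resets_per_src, "block_sources"
        bucket[key].append(r["ts"])
        # Sliding window: keep only events that fall within `window` of the current one.
        bucket[key] = [t for t in bucket[key] if r["ts"] - t <= window]
        if len(bucket[key]) > limit:
            alerts[out].add(key)
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Thresholds are deliberately low for the sample; tune the window and limits against your own reset volume, and treat the output as input to the lock and administrative-unlock workflow rather than as an automatic permanent block.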
Cybersecurity experts are calling the Equifax breach a 10 out of 10 on the catastrophe scale – with the negative consequences potentially lasting for decades, and the full impact never fully realized. This breach will impact millions of Americans and businesses for years to come. Consumers and vendors can be proactive with their personal data by implementing strong authentication methods, maximizing preventive controls and actively monitoring accounts and activity.