The anger of the customers and companies who surround U.S. credit firm Equifax is continuing to swell after its attempts to contain a colossal cyber-breach faltered over the weekend. The attack compromised the highly sensitive information of 143 million – or 1/3 – of American citizens. This information includes names, birthdays, addresses, social security numbers and driver’s licence numbers, all of which can be used to commit fraud and identity theft. The credit card numbers of approximately 209,000 U.S. customers were also leaked.
The fallout has also spread to the UK, after it emerged on Friday night that Equifax subsidiaries represented British clients including BT, Capital One and British Gas – firms which also retain the information of their customers. An investigation by the Information Commissioner’s Office has since been launched.
Limited damage control
According to The Guardian, customers’ frustration continued to simmer over the weekend after the breach was publicly revealed on Thursday. Equifax has created a website and phone line allowing consumers to check if their information was compromised in the leak; however, as of September 8th there were only 2,000 agents handling calls. The Guardian also reported that some callers were either kept on hold or simply told by the agents, who had no access to customer accounts, to visit the website. Accusations of random disconnects were also aired.
When customers arrive on the website, they are met with a feed describing how the company is expanding efforts to deal with the breach. At the bottom of the site, concerned individuals can provide their personal details to receive an immediate check on the status of their information. Here, U.S. customers can also sign up for free credit reports and ID theft insurance under a scheme titled ‘TrustedID Premier’, extending for a limited period of time.
But Jeff Pollard, Principal Security Analyst for American market research company Forrester, told The Guardian that Equifax had been unclear in public updates about what information had been compromised in the leak. He said: “When retailers get hit by a breach like this, it’s a single credit card that might get stolen, when Equifax it could be everything about the affected parties, and presumably linked to other things. We need more information from Equifax other than ‘your information was or possibly was accessed’.”
According to The Guardian, customers were angered even more after it was reported that those wishing to sign up to the TrustedID service waived their rights to pursue legal action against Equifax. However, a clarification has since been put on the dedicated website, informing consumers that they do not lose their rights to sue if they enrol for the TrustedID package.
A class-action lawsuit has in fact already been filed in Portland, Oregon. The claim alleges that Equifax cut corners on information security for the sake of saving money, and has been filed on behalf of ‘all others’, by Mary McHill (from Portland) and Brook Reinhard (from Eugene). McHill and Reinhard claim that the fallout from the breach has caused damages across the States, valued in excess of $68.6 billion. Several other U.S. law firms, including Holzer & Holzer, Khang & Khang and Levi & Korsinsky have launched similar investigations into potential securities law violations which Equifax may have perpetrated.
Outrage over Equifax reporting
Customers were first angered, however, when Equifax admitted that the breach had been detected around five weeks prior, on July 29th, but had decided not to announce it publicly. Even worse, according to The Telegraph, the breach could have occurred as early as mid-May. It was only on Thursday September 7th that the website and call centre, at first in a limited capacity, were made live.
The storm swelled after it emerged that three senior managers at Equifax sold stock before the cyber-attack – which would obviously cause shares to devalue – was made public. According to Bloomberg, three executives sold shares worth almost $1.8 million (£1.3m) in the days following Equifax’s initial discovery of the breach. However, Equifax has claimed that the trio (which includes the Chief Financial Officer and President of U.S. Information Solutions), were unaware of the incident before selling the shares.
Since the breach was made public on Thursday, shares in Equifax have indeed tumbled 14% in value.
A war of words
The Apache Software Foundation, an American non-profit corporation supporting the Apache open-source framework which Equifax uses for its corporate networks, has since rebuffed an accusation from media firm Quartz that its software allowed the hack to occur. The outlet alleged that the hackers may have exploited Apache Struts, which The Register reported last week as vulnerable software that allows malware injection.
In a blog post, René Gielen, Vice President of Apache Struts, said: “We are sorry to hear news that Equifax suffered from a security breach and information disclosure incident that was potentially carried out by exploiting a vulnerability in the Apache Struts Web Framework. At this point in time it is not clear which Struts vulnerability would have been utilized, if any.”
René noted that the exploitable weakness reported by media outlets had been patched since July, in which case either Equifax was running an outdated version of Struts or the hackers who breached the network had exploited a vulnerability not known at the time (a so-called ‘zero-day exploit’). René also rebuffed the accusation that the Struts software has long-standing weaknesses, and suggested that software engineers at Equifax could have modified the Struts code for a desired outcome without taking the potential side-effects into account.
René concluded by offering advice to any firm wishing to use open-source software as a component of their networks. René said: “Understand which supporting frameworks and libraries are used in your software products and in which versions. Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries needs to be updated for security reasons. Don’t build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. Establish monitoring for unusual access patterns to your public Web resources.
“Once followed, these recommendations help to prevent breaches such as unfortunately experienced by Equifax.”
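The first two recommendations above (know every supporting framework and its version, and be able to roll out a security fix release quickly) can be turned into a build-time check. This is an added example, not code from the article or from the Apache Struts project; the artifact names are real Struts Maven coordinates, but the inventory versions and the minimum-fixed thresholds are constructed placeholders, not advisory data.

```python
"""
Dependency inventory check: flag components running below the version
the security team has recorded as carrying the relevant fix.
All version numbers below are made up for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed inventory, one "group:artifact:version" per line, in the
# shape a build tool's dependency listing would produce.
INVENTORY = """\
org.apache.struts:struts2-core:2.3.31
org.apache.struts:struts2-rest-plugin:2.5.12
commons-fileupload:commons-fileupload:1.3.3
"""

# Constructed policy: lowest accepted version per component (placeholders).
MIN_FIXED: Dict[str, str] = {
    "org.apache.struts:struts2-core": "2.3.34",
    "org.apache.struts:struts2-rest-plugin": "2.5.13",
    "commons-fileupload:commons-fileupload": "1.3.3",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Split '2.3.31' (or '2.5.13.1') into an int tuple so versions order correctly."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_inventory(text: str) -> Dict[str, str]:
    """Map 'group:artifact' -> version from group:artifact:version lines."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        group, artifact, version = line.split(":", 2)
        found[f"{group}:{artifact}"] = version
    return found


def outdated_components(inventory: Dict[str, str],
                        policy: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (component, running, minimum) for every component below policy."""
    result = []
    for component, minimum in policy.items():
        running = inventory.get(component)
        if running is None:
            continue  # component not used by this product; nothing to patch
        if parse_version(running) < parse_version(minimum):
            result.append((component, running, minimum))
    return result


if __name__ == "__main__":
    for component, running, minimum in outdated_components(parse_inventory(INVENTORY), MIN_FIXED):
        print(f"UPDATE NEEDED: {component} is {running}, minimum accepted is {minimum}")
```

A non-empty result from `outdated_components` is the signal to start the fix-release process René describes, rather than waiting for an incident to reveal the version in use.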
Is the UK affected?
An investigation into whether the incident will affect UK consumers was launched on Friday by the Information Commissioner’s Office (ICO). According to The Telegraph, Equifax holds the personal data of up to 44 million British consumers through its subsidiaries, with most completely unaware of this fact. Equifax and its subsidiaries have allegedly dealt with many UK-based companies, the largest of which include BT, Capital One and British Gas.
The ICO has urged Equifax to notify any affected UK customers as soon as possible. Deputy Commissioner James Dipple-Johnstone said: “Reports of a significant data loss at US-based Equifax and the potential impact on some UK citizens gives us cause for concern. We are already in direct contact with Equifax to establish the facts including how many people in the UK have been affected and what kind of personal data may have been compromised.
“In cyber-attack cases that cross borders the ICO is committed to working with relevant overseas authorities on behalf of UK citizens.”
In an update on the Equifax breach website, the company confirmed that a number of UK citizens’ details may have been exposed. Equifax said: “As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents.
“Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.”