Equifax mega-leak: Security wonks smack firm over breach notification plan

A WordPress site? Really?

Credit reference agency Equifax has been criticised for its breach response in the wake of the disclosure on Thursday of a megahack that affected the data of up to 143 million people in the US alone.

The credit reference agency admitted that criminals may have been able to access data including names, social security numbers, birth dates and more belonging to its US customers from mid-May after exploiting a vulnerable website application. There’s no evidence of unauthorised activity on Equifax’s core consumer or commercial credit reporting databases, according to the credit reference agency.

The breach was discovered on 29 July but Equifax only disclosed the problem 40 days later. “The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers,” it said.

Also accessed were “credit card numbers for approximately 209,000 US consumers, and certain dispute documents with personal identifying information for approximately 182,000 US consumers.”

Personal information on an undisclosed number of UK and Canadian residents was also disclosed in the breach, Equifax admits. Specifics on what might have been spilled are unclear.

Data privacy watchdogs in the UK – namely the Information Commissioner's Office – are already in touch with Equifax, advising it to “alert affected UK customers at the earliest opportunity”.

Equifax had weeks to prepare for its breach notification, so its decision to do so via a basic WordPress site (oh, err) using a free shared Cloudflare SSL cert is somewhat puzzling. “For some reason Equifax used the 6 weeks to set up a new domain asking for SSN numbers, with anonymous Whois on Cloudflare,” said security consultant Kevin Beaumont.

The whole approach already seems to have gone awry, with OpenDNS flagging up the site as a potential phishing locale in an apparent false positive. The Register has received emails from concerned readers who believed it may be a phishing site.

Free credit file check

Equifax's breach notification site, https://www.equifaxsecurity2017.com, invites consumers to “enroll and activate your complimentary identity theft protection and credit file monitoring product, called TrustedID Premier”.

While signing up to TrustedID Premier allows concerned parties to confirm whether or not they have been personally affected, some have voiced concerns that the wording of its terms of service may mean signing away rights to file a lawsuit and agreeing to arbitration instead. To manage demand, interested parties can’t sign up to TrustedID Premier immediately anyway, instead receiving a future enrolment date.

The service, once activated, is complimentary for the first year only.

“Equifax’s customer service and incident response may have been better if the potentially 143 million people affected were customers — they're not,” said Jeremiah Grossman, chief of security strategy at SentinelOne.

Criticism over the breach notification was widespread but far from universal. Some experts were more inclined to cut Equifax some slack.

“The Equifax breach announcement. Generally good, but a bit alarming that they knew in July and only announced now,” said breach notification guru Troy Hunt, the security researcher behind the haveibeenpwned breach notification service.

Rick Holland, VP of Strategy at Digital Shadows and a former incident responder, is even more sympathetic. Holland reckons a month to communicate the incident "is not that long". In a blog post, Holland speculated that the likely root cause of the breach was a SQL injection vulnerability. ®
