On July 29 Equifax, the credit card company provider discovered a security breach in its servers. Further investigation revealed that the company has suffered from a major criminal security breach which had exposed personal credentials of almost 143 million consumers across the US.
The attack exposed a range of sensitive personal data, including names, addresses, Social Security Numbers, dates of birth and driver’s license numbers, Equifax said. The attackers also gained entry into the data port of credit card data for about 209,000 consumers and credit dispute information for about 182,000 consumers.
CEO Richard Smith seemed disappointed and apologetic.” We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of all of our security operations.”
Equifax is responding effectively to the crisis. They have hired an outsourced cybersecurity firm to look through their systems. The CEO also sent video and written apologies to the relevant parties.
Equifax has provided its costumers with a help portal that allows them to know if their credentials have been compromised through a social security number scan. They also are contacting customers directly through email in case the company discoveries a consumer who has been under the range of the attack.
New York Attorney General Eric Schneiderman released a customer service message on last Friday urging all and any New Yorker to check if their details had been exposed. Equifax has also provided dedicated call center 866-447-7559 where customers can determine if they have been affected by the breach. The call center is open every day (including weekends) from 7:00 a.m. to 1:00 a.m. Eastern time
Data concentrated companies need to understand that cybersecurity is not a department that flourishes proportional to investment in it.
On Tuesday, 36 US senators called for a federal investigation into how three company executives came to sell nearly $2m (£1.5m) worth of shares in the company in the interim. Equifax is also facing dozens of legal claims over the matter.
Several law firms — Levi & Korsinsky, Khang & Khang, Holzer & Holzer, and others — already have launched investigations into potential securities law violations by Equifax. The firm’s stock plunged more than 13 percent on Friday on the news
But that is not the worst of it.
On 14 sept Cyber-crime blogger Brian Krebs, accused the company of another security breach on the account of minimal security, putting more customer data at risk in Argentina.
In his blog, he said that an employee tool was so poorly protected that the login and password were both “admin”. This means anyone could waltz in and access national identity card numbers of thousands of customers.
After being informed of the new breach, Equifax has taken down the affected website and later on issued a statement that the Argentinian breach has nothing to do with the security breach in the US.
To the bloggers’ extraordinary shock, he found that the password and login of most employee tools were either their names or a mix of their initials. This lets him in all the complaints made on the website by the customers along with their credit card credentials.
“This kind of security vulnerability is extraordinary as even the most basic of checks should reveal this,” Prof Alan Woodward from the University of Surrey told the BBC.
“It’s outrageous that any organization that holds such sensitive personal data can build a portal with this kind of basic security vulnerability.
“It simply shouldn’t happen and responding that they have now fixed the issue is not the point: it puts a huge question mark over whether Equifax has been applying the appropriate resources to online security elsewhere.”
