In a press release posted on Friday, September 15th, Equifax said that the company’s Chief Information Officer and Chief Security Officer were both retiring. The company named interim executives to both positions.
Equifax says that the company’s security team first noticed suspicious traffic associated with their U.S. online dispute portal system on July 29th. The company blocked the traffic, but then took the application offline after noticing additional suspicious activity on July 30th.
The company identified a vulnerability in an open-source web application framework, Apache Struts, as the attack vector through which the company’s portal system was compromised. The vulnerability was originally identified and disclosed by the U.S. Computer Emergency Readiness Team (US-CERT) in March 2017.
Equifax’s security organization was aware of this vulnerability at that time and took steps to identify and patch any vulnerable systems in the company’s IT infrastructure.
According to Equifax’s investigation into the incident, unauthorized access to its dispute portal and private customer information is believed to have occurred between May 13th and July 30th, 2017.
Personal information on up to 143 million U.S. residents as well as some from the UK and Canada was potentially accessed in a cybersecurity incident against Equifax, one of the three major U.S. credit reporting agencies.
The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents.
Equifax says a vulnerability in a website was exploited by the infiltrator(s) in order to gain access to certain files. However, the agency also says that ‘no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases’ was found.
The company has created a portal for consumers to check whether their information has been compromised; however, the site includes a disclaimer warning that anyone who does so will waive the right to sue Equifax, in a class action lawsuit or otherwise.
PSA: If you check Equifax's site to see if your data was stolen, you *waive your rights* to sue Equifax or be part of a class action suit. pic.twitter.com/p4AlmmLQ3r
— Zack Whittaker (@zackwhittaker) September 8, 2017