CyberWisdom Safe Harbor Commentary on Equifax Report
In mid-May 2017, attackers exploited a known, publicly disclosed vulnerability in the Apache Struts web application framework to gain unauthorized access to Equifax's systems. The company said the breach affected about 145 million consumers, primarily in the United States but also in Canada and the United Kingdom, exposing Social Security numbers, birth dates and addresses and, in some cases, driver's license numbers, payment card numbers and dispute documents.
Confidential documents Equifax sent to the Senate Banking Committee (CNN and The Wall Street Journal reviewed copies) show that, beyond the data types listed in the initial disclosure, the attackers may also have taken taxpayer identification numbers, e-mail addresses and additional driver's license details.
In response, Equifax said its initial disclosure was never intended to list every type of information that might have been compromised.
US Senator Elizabeth Warren's Staff on the Equifax Report
US Senator Elizabeth Warren called on Equifax to clarify the "conflicting, chaotic, and incomplete information" the company had provided to the public and to Congress.
According to Senator Warren, Equifax told the Senate Banking Committee in early October that the database tables the attackers could access also contained passport numbers, yet the credit reporting agency now says passport numbers were not compromised.
"As your company continues to issue incomplete, confusing and conflicting statements and hide information from Congress and the public, it is clear that five months after the breach, Equifax has yet to fully answer this simple question: What was the precise extent of the breach?" Senator Warren wrote in a letter to Equifax.
The senators gave Equifax one week to provide a complete list of the data elements confirmed or believed to have been compromised, and to set out a timeline for determining the full extent of the intrusion.
Senator Warren released a 15-page report on Equifax last week summarizing her four-month investigation of the company's failures. The investigation found that Equifax had put in place a flawed system for preventing data security incidents, ignored numerous warnings about risks to consumer data, failed to disclose the breach to stakeholders in a timely manner, and provided consumers with inadequate help and information. The report also says that Equifax used a federal contracting loophole to force the IRS into signing a contract.
Earlier this year, Senators Warren and Mark Warner introduced a bill that would give the Federal Trade Commission (FTC) the power to impose penalties for lax cybersecurity practices in the credit reporting industry. The bill was introduced in response to the Equifax breach.
Earlier this month, Reuters reported that Mick Mulvaney, acting director of the Consumer Financial Protection Bureau (CFPB), had halted the bureau's investigation into the Equifax breach. After the news came out, 32 senators wrote to the CFPB asking for more information about the status of the investigation.
Equifax Report Summary from ‘Bad Credit: Uncovering Equifax’s Failure to Protect Americans’ Personal Information’
- Equifax Set up a Flawed System to Prevent and Mitigate Data Security Problems. The breach was made possible because Equifax adopted weak cybersecurity measures that did not adequately protect consumer data. The company failed to prioritize cybersecurity and failed to follow basic procedures that would have prevented or mitigated the impact of the breach.
- Equifax Ignored Numerous Warnings of Risks to Sensitive Data. Equifax had ample warning of weaknesses and risks to its systems. Equifax received a specific warning from the Department of Homeland Security about the precise vulnerability that hackers took advantage of to breach the company’s systems. The company had been subject to several smaller breaches in the years prior to the massive 2017 breach, and several outside experts identified and reported weaknesses in Equifax’s cyber defenses before the breach occurred. But the company failed to heed – or was unable to effectively heed – these warnings.
- Equifax Failed to Notify Consumers, Investors, and Regulators about the Breach in a Timely and Appropriate Fashion. The breach occurred on May 13, 2017, and Equifax first observed suspicious signs of a problem on July 29, 2017. But Equifax failed to notify consumers, investors, business partners, and the appropriate regulators until 40 days after the company discovered the breach. By failing to provide adequate information in a timely fashion, Equifax robbed consumers of the ability to take precautionary measures to protect themselves, materially injured investors and withheld market-moving information, and prevented federal and state governments from taking action to mitigate the impacts of the breach.
- Equifax Took Advantage of Federal Contracting Loopholes and Failed to Adequately Protect Sensitive IRS Taxpayer Data. Soon after the breach was announced, Equifax and the IRS were engulfed in controversy amid news that the IRS was signing a new $7.2 million contract with the company. Senator Warren’s investigation revealed that Equifax used contracting loopholes to force the IRS into signing this “bridge” contract, and the contract was finally canceled weeks later by the IRS after the agency learned of additional weaknesses in Equifax security that potentially endangered taxpayer data.
- Equifax’s Assistance and Information Provided to Consumers Following the Breach was Inadequate. Equifax took 40 days to prepare a response to the public before finally announcing the extent of the breach– and even after this delay, the company failed to respond appropriately. Equifax had an inadequate crisis management plan and failed to follow their own procedures for notifying consumers. Consumers who called the Equifax call center had hours-long waits.
The website set up by Equifax to assist consumers was initially unable to give individuals clarity other than to tell them that their information "may" have been hacked, and that website had a host of security problems in its own right. Equifax delayed its public notice in part because the company spent almost two weeks trying to determine precisely which consumers were affected by the breach, but then failed to provide consumers with any specific information to determine whether their data was breached. And while Equifax continues to publicly state only that data was "accessed," the company has confirmed that the data was exfiltrated, that is, stolen from its systems and downloaded by the hackers.
The report also notes that Equifax appeared to be more focused on using the breach as a profit-making opportunity for its other services than on providing redress to consumers.
- Federal Legislation is Necessary to Prevent and Respond to Future Breaches. Equifax and other credit reporting agencies collect consumer data without permission, and consumers have no way to prevent their data from being collected and held by the company –which was more focused on its own profits and growth than on protecting the sensitive personal information of millions of consumers. This breach and the response by Equifax illustrate the need for federal legislation that (1) establishes appropriate fines for credit reporting agencies that allow serious cybersecurity breaches on their watches; and (2) empowers the Federal Trade Commission to establish basic standards to ensure that credit reporting agencies are adequately protecting consumer data.
New Details Surface on Equifax Breach
Documents recently provided by Equifax to senators revealed that the breach the company suffered last year may have involved types of data not mentioned in the initial disclosure of the incident.
Turns out the Equifax hack was even worse than we thought
The 145.5 million people impacted by the Equifax breach may also have had their taxpayer identification numbers, e-mail addresses and driver's license information stolen.
If you would like to receive more of these curated Safe Harbor news alerts, subscribe to my mailing list, and come back soon to https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Safe Harbor Commentaries.