Equifax, one of the three major credit bureaus in the United States, announced a data breach that could affect 143 million people. The breach was discovered in late July and the attacker was inside their environment for nearly 12 weeks. The leaked data included names, birth dates, social security numbers, addresses, credit card numbers, and possibly driver’s license numbers.
The initial investigation revealed that the attackers exploited an application vulnerability on a public-facing web server, which allowed them to access files containing personally identifiable information. This implies that Equifax left unpatched the web applications that serve as the front end to sensitive information.
Most adults in the United States likely have a “dossier” with Equifax and are therefore impacted by this data breach. Equifax is offering a year of fraud protection services using their own service, but be aware that after the free year of service you will likely be asked to purchase the service. Security experts have also recommended that you explore freezing your credit. When you freeze your credit file, potential creditors cannot view or “pull” it unless you affirmatively “unfreeze” it. This prevents identity thieves from obtaining credit in your name: even if they do apply for a credit line, the frozen credit file prevents them from getting credit.
Brian Krebs wrote a detailed explanation on the difference between a “credit freeze” and “fraud monitoring”. It’s worth the read and can be found here:
Equifax has also provided a site related to this breach. You can find more information about it here.
This breach does present some lessons we can learn from at NSHE. We use servers as the front end to sensitive information, and these need to be kept up to date with the latest patches to prevent exploitation, compromise, and data loss. Our servers are part of a larger ecosystem for information access, and attackers will exploit a vulnerability in one system and then pivot to more sensitive information.
Additionally, the 12 weeks it took Equifax to discover this breach increased the amount of damage the attacker was able to inflict. On average, the “dwell time” (the time between compromise and detection) for an attacker is 145 days globally. That’s over four months of an attacker being in your environment and stealing data. While there is no such thing as 100% security and prevention, taking steps to increase our detection capability is necessary to reduce the dwell time in the event of a compromise.