Equifax, the American consumer credit reporting agency, reported that it was the victim of a cyber attack that resulted in a data breach in May 2017. The breach was discovered by Equifax in July, and the company only got around to telling its customers and the world in mid-September. The incident has earned a great deal of media attention, not only because of this shocking timeline but also because the breach is the second largest in history, with over 143 million Americans affected. Here’s the Hackarma:
Equifax has stated on its ironically entitled Equifax Security 2017 website, www.equifaxsecurity2017.com/, that the cause of the massive data breach was a flaw it should have patched weeks before it was attacked. The company has updated its site with a new statement, “A Progress Update for Consumers”, that reads:
Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cyber security firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.
The personal data of 143 million US consumers in Equifax’s database (nearly half the country) was potentially compromised. The breached data includes names, social security numbers, birth dates, addresses and driver’s license numbers, all of which can be used fraudulently to validate the identity of someone trying to open a bank or credit account in another person’s name. The UK arm of Equifax said files containing information on around 400,000 UK consumers were also accessed in the breach. It said data on Britons was being held in the US due to a “process failure”, which meant that a limited amount of information was stored in North America between 2011 and 2016. The information included names, dates of birth, email addresses and telephone numbers. No addresses, passwords or financial data were involved. Equifax has said that because the data on UK citizens was limited, it was “unlikely” that those affected would suffer identity theft.