Equifax reported on Sept. 7 that it discovered a breach on July 29 which affects roughly half of Americans, many of whom don't realize they have dealings with the company. Hackers got away with social security numbers, addresses, and driver's license numbers, foreshadowing a "nuclear explosion of identity theft." Let's explore what really happened and what you and those around you can do to protect yourselves.
We will work to keep this article up to date with information on the security breach as the details become more clear over the next few days. For some guidance on the severity and impact of this breach that affects so many people, let's go to the Equifax press conference.
Sorry, that was an executive summary of Equifax's response so far. Suffice it to say, it is not going well. Here is the actual way they chose to inform customers about the breach.
Data breaches come in different forms and sizes, and some are worse than others. Those that involve identity information are bad, but what's worse is when hard-to-change information like someone's social security number is involved. People thought it was bad when health insurer Anthem got hacked and lost 80 million current and former customers' data in 2015. Now enter Equifax, with its data breach of 143 million Americans' information (approximately half the US population), and one can see why Morgan Wright described it to Fox Business as "the nuclear explosion of identity theft."
This is not the worst breach of all time by a long shot in terms of pure numbers. That distinction goes to Yahoo ... They had a leak involving more than a billion users.
But this leak is particularly worrisome because Equifax is a credit reporting service and tracks a history of your consumer life, credit cards, credit scores and more — and it gives the black market a potential gold mine of information about people's financial lives.
If you are concerned about how many times your identifying information may have been leaked in major hacking attacks in the last four years, there are tools to help you find out. You can check out Have I Been Pwned, as well as The New York Times tool.
On July 29, 2017, Equifax uncovered a vulnerability, saying that hackers "exploited a U.S. website application vulnerability to gain access to certain files." It is now believed, based on the following report, that the vulnerability was a part of an open-source Java web application building framework called Apache Struts.
Thanks to its open-source nature, Struts has become wildly popular with Fortune 100 companies, 65 percent of which use it, including Lockheed Martin, Citigroup, Vodafone, Virgin Atlantic, Reader's Digest, Office Depot, and Showtime. Unfortunately for them, and Equifax in particular, 2017 has already seen at least two vulnerabilities in Struts discovered, one in March and another on Sept. 4. However, it's unclear which of these vulnerabilities the hackers may have used.
The vulnerability revealed on Sept. 4 by security researchers at lgtm has existed in Struts since at least 2008.
This particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. The weakness is caused by the way Struts deserializes untrusted data.
To take advantage of this issue, all one needs is a browser, an internet connection, and some very basic information about how the bug works. You can learn more about how this vulnerability was discovered by reading Man Yue Mo's blog post on lgtm. This vulnerability has been patched by Struts in its most recent updates, 2.3.34 and 2.5.13.
The older March vulnerability can be found on Rapid7's Vulnerability and Exploit Database. It is equally as bad, making it trivial to hack and run any command you want to on a Struts system. This vulnerability allows a hacker to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header. This works because of the way that the Jakarta Multipart parser mishandles file uploads.
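Because both Struts issues described above hinge on request data that the framework evaluates instead of treating as plain text, a simple defensive check is to validate the Content-Type header against the shape a real media type has and flag anything else for review. The following is an added example, not code from the article or from Apache Struts; the log format and the sample lines are constructed for illustration, and the flagged header is a deliberately non-functional placeholder.

```python
import re

# A well-formed Content-Type is "type/subtype" followed by optional
# ";key=value" parameters. Expression syntax has no business here.
MEDIA_TYPE = re.compile(
    r"^[A-Za-z0-9.+-]+/[A-Za-z0-9.+-]+"
    r"(\s*;\s*[A-Za-z0-9-]+=(\"[^\"]*\"|[A-Za-z0-9._+/-]+))*\s*$"
)

# Markers that never belong in a media type: OGNL-style expression
# delimiters and the "#cmd=" string the article mentions.
MARKERS = ("%{", "${", "#cmd=")


def suspicious_content_type(value: str) -> bool:
    """True if a Content-Type value should be flagged for analyst review."""
    lowered = value.lower()
    if any(marker in lowered for marker in MARKERS):
        return True
    # Allowlist check: reject anything that is not a plain media type.
    return MEDIA_TYPE.match(value) is None


# Constructed sample log: timestamp, client IP, method, path, Content-Type,
# tab-separated. The third line carries a placeholder, not a real payload.
SAMPLE_LOG = (
    "2017-09-08T10:01:02Z\t203.0.113.5\tPOST\t/rest/orders\tapplication/json\n"
    "2017-09-08T10:01:09Z\t203.0.113.9\tPOST\t/upload.action\t"
    "multipart/form-data; boundary=----WebKitFormBoundaryAbc123\n"
    "2017-09-08T10:02:44Z\t198.51.100.7\tPOST\t/upload.action\t%{(#cmd='...')}\n"
    "2017-09-08T10:03:01Z\t198.51.100.8\tGET\t/index.action\ttext/plain; charset=\"utf-8\"\n"
)


def scan_log(text: str) -> list:
    """Return (client_ip, content_type) for every line with a suspicious header."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client_ip, _method, _path, ctype = line.split("\t", 4)
        if suspicious_content_type(ctype):
            hits.append((client_ip, ctype))
    return hits


if __name__ == "__main__":
    for client_ip, ctype in scan_log(SAMPLE_LOG):
        print(f"review: {client_ip} sent Content-Type {ctype!r}")
```

Running the allowlist check at the reverse proxy or WAF, rather than inside the application, means a request with a malformed header never reaches the Multipart parser at all.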
What this all means is that the hackers had two vulnerabilities in the Struts system to choose from. The Baird Equity Research report, however, only states that they used "a vulnerability," so it's unclear which one the hackers employed. The hackers proceeded to use the vulnerability to steal the sensitive data of 143 million unsuspecting Americans, and the same access could have allowed them to delete data as well.
Once Equifax discovered the breach, they hired a "leading, independent cybersecurity firm" to perform a forensic review and determine the size and scope of the breach. Equifax then waited over a month, until September 7, to disclose the breach to the public. They didn't say why they waited so long, but it isn't uncommon for companies to do the same when they are in similar situations. It is possible that they waited at the request of law enforcement, so that investigators had time to work before the hackers knew they had been discovered. To learn more about why it can take so long to disclose a breach publicly, The Washington Post sums it up nicely.
Meanwhile, three senior executives went about selling their Equifax shares, worth almost $1.8 million, before the hack went public. This turned out to be a good idea, as Equifax Inc. (EFX) lost nearly 14 percent of its value, or $2 billion, on Friday, Sept. 8, after the news broke. The company claims that the three had no knowledge of the hack, and that the sales only represented a small portion of each individual's stock portfolio. Regardless, the action seems very suspicious, and undoubtedly will be investigated further.
According to Equifax's official statement, a lot of information has been compromised.
Most of the consumer information accessed includes names, Social Security numbers, birth dates, addresses, and in some instances, driver's license numbers. In addition, credit card numbers for approximately 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182,000 consumers were accessed. In addition to this site, Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted. We have found no evidence of unauthorized access to Equifax's core consumer or commercial credit reporting databases.
Not all data breaches are alike, and this one poses a unique challenge. Not all of the people affected may be aware. Credit card companies, banks, retailers, and lenders all send massive amounts of data to companies like Equifax. In addition to this, they also leverage public records, which means that some of your data could have been revealed without you having ever directly dealt with Equifax. In fact, it is likely that many millions of people will find themselves in that exact situation of having never dealt directly with Equifax, but still having their information stolen.
Often, we Null Byte readers are the first to explain these kinds of attacks to less tech-savvy family members, friends, and coworkers. Below, we will look at some of the steps you can take to secure the identities of yourself and your loved ones in the wake of this incident.
Equifax is attempting to provide some consolation to customers in the form of a free year of its TrustedID Premier service, which will provide credit monitoring, reports, and $1M Identity Theft Insurance.
No Class or Representative Arbitrations. This arbitration will be conducted as an individual arbitration. Neither You nor We consent or agree to any arbitration on a class or representative basis, and the arbitrator shall have no authority to proceed with arbitration on a class or representative basis. No arbitration will be consolidated with any other arbitration proceeding without the consent of all parties. This class action waiver provision applies to and includes any Claims made and remedies sought as part of any class action, private attorney general action, or other representative action. By consenting to submit Your Claims to arbitration, You will be forfeiting Your right to bring or participate in any class action (whether as a named plaintiff or a class member) or to share in any class action awards, including class claims where a class has not yet been certified, even if the facts and circumstances upon which the Claims are based already occurred or existed.
The legalese above required that you sign away your right to sue Equifax, instead agreeing to mandatory arbitration, which is a questionable tactic with a checkered past because of how it bans you from being a part of a class-action lawsuit. The Consumer Financial Protection Bureau recently put in a rule to ban these types of clauses.
After the debacle described above, Equifax issued a new statement that attempts to clarify the arbitration clause, which you can see below.
To confirm, enrolling in the free credit file monitoring and identity theft protection products that we are offering as part of this cyber security incident does not prohibit consumers from taking legal action ... to be as clear as possible, we will not apply any arbitration clause or class action waiver against consumers for claims related to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself.
You would think that Equifax would have thought about this sort of thing in the month it had to prepare. Apparently, it just slipped their mind. There is already at least one class-action lawsuit in the works, so your chances of joining one now are good.
If you do decide to use TrustedID Premier, then follow this link and fill in your last name and the last 6 digits of your social. After that, confirm your human status.
Nice, it doesn't look like Hoid was affected. But what about Mr. Test, and his social security number containing last six digits 123456?
Mr. Test, you poor unfortunate soul! In either case, you can still click the Enroll button, and get a less-than-useful date a week or more from now to actually enroll. Better hope you remember, because you aren't going to get a reminder. On your enrollment date, head to this page to finish enrolling by November 21, 2017.
What is a credit freeze, and what is an alert? When you freeze your credit, anyone trying to open credit will be asked for a PIN, which you set over the phone when you freeze it. A fraud alert is similar; credit card companies must verify your identity before opening an account.
If you found that your data was breached in the last step, then you will want to activate a fraud alert. This is free and easy. Even if your data wasn't hacked, you may still want to do this. The service is free, and offered by all the major credit reporting agencies. You can find the form on TransUnion, but remember to only do it with one of the companies. Click on the "place a fraud alert" button and follow the steps provided. This puts a flag on your identity, which makes it much more difficult to defraud. You may also be interested in Krebs on Security's more detailed article on the subject.
To freeze your credit, you can call the numbers below and set a PIN.
- Equifax: 1-800-349-9960
- Experian: 1-888-397-3742
- TransUnion: 1-888-909-8872
When you freeze your credit files with Equifax, it gives you a PIN. However, it isn't a strong PIN, and a PIN should be treated just like a strong password. It would be easy for Equifax to use a random number generator for its PINs, but instead, it uses the date and time of your freeze in the format MMDDyyHHmm. And as pointed out in a Twitter post by Tony Webster, they have been using this format for over a decade.
This makes it very easy for a hacker to brute-force the PIN. At ten digits long, you have a one in ten billion chance to pick the right one, but by using this format, the odds are closer to one in 5,000. Let's look at why.
Since there are only 12 months, the first digit is limited to 0 or 1, and since no month has more than 31 days, the third digit will never be more than 3. You can continue to reduce the possibilities by discounting PINs dated before Sept. 8, because no one knew about the hack yet. This leaves a fairly small number set that can be quickly brute-forced. That being said, you can still freeze with the other two credit agencies, and put out a fraud alert.
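The shrinkage described above can be quantified directly: a timestamp-derived PIN can only take one value per minute in whatever window the freeze was placed, whereas a PIN drawn from a cryptographic random number generator is uniform over all ten-digit values. The following is an added example, not Equifax's code; the date window is an assumption chosen for illustration (about three and a half days after the announcement), and the PIN_FORMAT is the MMDDyyHHmm layout the article describes.

```python
import math
import secrets
from datetime import datetime

# Weak scheme from the article: the PIN is the freeze timestamp, MMDDyyHHmm.
PIN_FORMAT = "%m%d%y%H%M"
PIN_DIGITS = 10


def timestamp_pin(when: datetime) -> str:
    """The weak scheme: derive the PIN from the moment the freeze was placed."""
    return when.strftime(PIN_FORMAT)


def timestamp_keyspace(start: datetime, end: datetime) -> int:
    """Distinct PINs the timestamp scheme can produce for freezes in [start, end).

    One PIN per minute, so the keyspace is just the number of minutes.
    """
    minutes = int((end - start).total_seconds() // 60)
    return max(minutes, 0)


def entropy_bits(keyspace: int) -> float:
    """Bits of entropy for a uniformly chosen value from a keyspace of this size."""
    return math.log2(keyspace) if keyspace > 0 else 0.0


def random_pin(digits: int = PIN_DIGITS) -> str:
    """The fix: a PIN from the OS CSPRNG, uniform over all 10**digits values."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def compare(start: datetime, end: datetime) -> dict:
    """Side-by-side keyspace and entropy for the weak and the random scheme."""
    weak = timestamp_keyspace(start, end)
    strong = 10 ** PIN_DIGITS
    return {
        "timestamp_keyspace": weak,
        "timestamp_bits": round(entropy_bits(weak), 1),
        "random_keyspace": strong,
        "random_bits": round(entropy_bits(strong), 1),
    }


if __name__ == "__main__":
    # Assumed window: the announcement on Sept. 7 through midday Sept. 10, 2017.
    window = (datetime(2017, 9, 7), datetime(2017, 9, 10, 12))
    print(timestamp_pin(datetime(2017, 9, 8, 14, 30)))  # 0908171430
    print(compare(*window))
    print(random_pin())
```

Roughly 5,000 candidate PINs in that window matches the odds the article quotes, against ten billion for a randomly generated PIN.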
You may not realize it, but each of the major credit reporting agencies (Equifax, Experian, and TransUnion) offers you a free credit report once per year. We can use this cleverly to check our credit for free every 4 months with a different credit agency. If you want more detailed information, USA.gov describes how the process works.
To actually check our credit, we need to go to this page. The link will be here if you live in the UK. You'll have to fill out a bunch of personal information and complete a captcha. After this, you will be taken to the following page.
The best idea would be to pick only one of the three, and then come back and do the same process every 4 months. Look for anything out of the ordinary when you get your report, such as new accounts you didn't open, late payments, debts you don't recognize, and so on. Even if the credit report comes back clean, remain vigilant.
You shouldn't have to be told this one, but as a friendly reminder, check your credit card and bank statements. Try to recall all of the transactions you've made — do any of them look out of the ordinary?
This one is simple, if you're putting all your information on Facebook, Twitter, Instagram, and other social media then you are just making the identity thief's job super easy. First and foremost, set stricter privacy settings. For example, on Facebook, strongly consider limiting all the bio information you can to "friends only." Your birthday, hometown, and other information can be used against you, to create new accounts and solve security questions.
If you do discover evidence that your identity has been stolen, such as open credit cards, loans, or re-opened accounts, then immediately alert your bank and credit card companies. You are not responsible for fraudulent charges, as long as you report them. Additionally, you will want to go and report it to the Federal Trade Commission.
It's hard to quantify the damage a breach like this can do, as often the worst is not apparent until much later, when identity thieves assume everyone has moved on and forgotten about the breach. We hope that this article gives you a better understanding of what happened, and what you can do to secure your identity, and help explain those things to anyone who may not understand the kind of impact this may have on them.