Last week, Equifax announced a data breach impacting 143 million U.S. consumers. According to the company’s release, information accessed includes names, Social Security numbers, birth dates, addresses and some driver’s license numbers. Credit card numbers for over 200,000 Americans, as well as “dispute documents” with personal identifying information for 182,000 additional U.S. consumers, were also accessed.
This marks the second Equifax hack of 2017, following an incident earlier this year when the company compromised W-2 tax data from Equifax subsidiary, TALX.
Hackers Exploited Application Vulnerabilities to Gain Access
Equifax reports hackers gained access to data files by exploiting “a U.S. website application vulnerability.” Baird Equity Research specifically points to a vulnerability in an open-source software package called Apache Struts.
The Apache Struts framework is used by at least 65% of Fortune 100 companies. The framework has known vulnerabilities, two of which were discovered in 2017. It is still unknown at this time what Struts vulnerability was targeted in the attacks.
A Delayed Response
Equifax has taken significant criticism for its response to the breach. Critics report the hack took too long to detect (2.5 months) and too long to report to those affected (over a month). Security experts suggest Equifax may have prevented the attack with better audits of its web application security.
New Equifax Phishing Template from SecurityIQ
In response to the breach, InfoSec Institute just released a new Equifax phishing template on its SecurityIQ platform. This new tool will prepare your workforce for phishing attacks trying to capitalize on the recent Equifax breach. The new template uses drive-by and data-entry attack methods to trick enrolled learners into entering credentials into a simulated Equifax consumer protection site.
Three Key Lessons from the Equifax Incident
Regardless of why or how the Equifax breach occurred, much can be learned from this unprecedented incident. Here are three key lessons from the Equifax incident:
- Information security demands a multilayered approach. Hackers have access to an incredible (and growing) resource bank to execute their attacks. It’s essential your information security strategy includes multiple layers for threat prevention and detection. InfoSec Institute has a variety of training programs available to ensure your security team is armed with the information they need to prevent — and detect — security threats.
- Information security is ever evolving. Security experts work hard to expose vulnerabilities in web applications to help organizations identify risks and apply critical security patches. However, hackers also have access to this information, so timely updates are essential. Staying involved in groups like OWASP can help you identify vulnerabilities in existing applications and apply secure coding practices to internally developed applications. InfoSec Institute’s OWASP modules for developers can also help your team stay current on the latest threats.
- Information security extends beyond the IT department. Although phishing was not likely used in the Equifax attack, it continues to be a growing threat for businesses around the world. SecurityIQ’s phishing simulator, PhishSim, allows you to provide phishing training to your workforce using timely, realistic phishing templates. Our AwareEd program goes a step further to deliver several modules on data protection for additional learning and reinforcement.
- Equifax Announces Cybersecurity Incident Involving Consumer Information, Equifax
- Equifax Inc., Baird Equity Research
- The hackers who broke into Equifax exploited a flaw in open-source server software, Quartz
- Lessons from the Equifax Breach, Carbon Black