Equifax: Web App Breach Exposed Data of 143 Million Consumers

Bank Info Security, September 7, 2017, comments from Atiq Raza and Satya Gupta;

Data Includes Drivers Licenses, Social Security Numbers, Birth Dates and Addresses 

A few statistics about the 143 million people affected by the Equifax breach announced yesterday make this number all the more alarming, possibly even for you reading this article.

According to latest census numbers, the US has 117 million households and a population of 324 million. Meaning, nearly half of all adult Americans and possibly someone in every adult household could be affected by this breach.

Critical personal details stolen in this hack are not changeable like passwords and they are details nearly every company asks you to recite when trying to identify that you are really you. Except that now, that assurance is a lot less reliable than it was 6 weeks ago.

Atiq Raza, CEO of web application security company Virsec, San Jose, Calif., describes it well for Bank Info Security:

Equifax's lapse is "especially alarming and serious. Of particular concern is the static nature of data, such as birth dates. Almost all the data that credit reporting companies like Equifax hold is sensitive, and much of it is used to establish identity - birth dates, addresses, drivers licenses, and other data types are routinely used to verify identity," Raza says. "It's one thing to ask a consumer to change a password, but how do you change your birth date?"

Indeed, Equifax seems to be struggling with this exact issue. In exchange for offering a free year of monitoring to its consumers (already criticized as not nearly enough), Equifax is requiring consumers to provide not the usual last 4 digits of their social security numbers, but instead, to provide 6 of the 9 digits. This is causing quite a backlash from consumers who are already stressed by the worry of their private information being out in the wild.

Virsec's cofounder and CTO, Satya Gupta, says Equifax's notification method is "very unusual."

"This reinforces the conundrum of these breaches - with more information exposed, how do you now prove a person's identity?" he says.

The apology offered by Equifax CEO is likely cold comfort in the wake of very real concerns that will span years into the future because like birth dates, social security numbers don’t change either so they can be used by hackers from now until the cows come home….and they’ve left the continent.

So…what could have happened? Web applications - such as Equifax was using – and ironically is using again when requesting consumers to enter their 6 social security digits - present doors of vulnerabilities for hackers by their very nature. Web applications are connected both to the Web and often to backend databases which house highly sensitive and confidential information – which, without proper security, are every hacker’s treasure chest prime for the taking.

Read Full Article