Concerns Pile Up With Equifax Data Breach, CU Officials Not Happy
Updated: 1:15 PM ET
Credit rating firm Equifax revealed a data breach exploited a website weakness to access the personal information, including credit card and social security numbers, of as many as 143 million Americans.
The Atlanta-based firm said it discovered that hackers accessed certain files from mid-May through July on July 29 but waited until Sept. 7 after the stock market closed to warn consumers. The data included names, social security numbers, birth dates, home addresses, and in some cases, driving license information.
Equifax also disclosed 209,000 credit card numbers, and other personally identifiable information on 182,000 consumers, might now be available to hackers.
"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes," Richard Smith, Equifax chief executive said. The statement also confirmed the breach also affected some British and Canadian residents.
NAFCU President and CEO Dan Berger in a letter urged congressional leaders to support national data security standards for retailers and others who collect and store consumers’ personal and financial information following news of the Equifax data breach.
"Data breaches have become a constant concern of the American people. Major data breaches now occur with an unacceptable level of regularity. A recent Gallup poll found that 69 percent of U.S. adults are frequently or occasionally concerned about having their credit card information stolen by hackers," Berger said. “These staggering survey results speak for themselves and should demonstrate the need for greater national attention to this issue. The massive breach at Equifax, and the report that they had known about it for weeks without notifying consumers, is yet another demonstration of the need for a legislative solution."
Berger continued, "While financial institutions, including credit unions, have been subject to federal standards on data security since the passage of the Gramm-Leach-Bliley Act (GLBA), retailers and many other entities that handle sensitive personal financial data are not subject to these same standards. Consequently, they have become the vulnerable targets of choice for cybercriminals."
"Credit unions suffer steep losses in re-establishing member safety after a data breach occurs," he added. "They are often forced to absorb fraud-related losses, many of which stem from a negligent entity’s failure to protect sensitive financial and personal information in their systems. As not-for-profit cooperatives, credit union members are the ones that are ultimately impacted by these costs."
“Equifax is a company that trades in data security, but has failed miserably in subjecting nearly half of the American population to identity theft. Waiting 41 days to announce the data breach and evidence that company executives may have used this time to sell their stock, in advance of the bad news, is criminal in nature,” Paul Stull, CEO of the Credit Union Association of New Mexico, said. “Worse than that, this may have happened because Congress has failed to pass any meaningful national penalties or standards to keep our data safe.”
Stull added that's why it was a priority to pass data breach legislation in New Mexico. “Our New Mexico Governor and our Legislature know what a dangerous situation exists. Congress has failed the American public and, today, 143 million people are going to pay the price because we lack national standards. Equifax is not a victim, they are a bad actor involved in a crime that seemingly has no punishment. The American public is the victim here and, until we have standards and meaningful legislation, we are completely unprotected.”
Morey Haber, VP of technology at Phoenix-based security company BeyondTrust also asked the following blunt questions in a blog post:
- Was the web application known, or was it a zero-day exploit? If it was known, how old was it and why wasn’t it remediated? “If it was a zero-day, please educate the security community so we can protect our own websites!”
- PCI DSS requires file integrity monitoring. Were the sensitive files monitored? Is that how Equifax discovered the breach? “This implies monitoring only and no prevention.”
- How did Equifax determine the breach and were the systems in question within PCI scope? Haber said, he certainly believes so, since obtained credit card information appeared from initial reports to be complete primary account numbers.
“These facts, and many more, are critical to understand what happened,” Haber said. “I hope they come to light soon, and as with any larger breach involving payment and card data, it remains to be seen what monetary and punitive damages Equifax will face from the PCI council.”
The Payment Card Industry Data Security Standard guarantees that all companies accepting or processing retailer transactions or transmitting credit card information maintain a secure environment.
“Cybercriminals would like to have enough information about you that they can in effect become you, and Equifax possesses that quantity and quality of data.” Kenneth Geers, senior research scientist at Clifton, N.J. based Comodo and NATO Cyber Centre Ambassador, stated. He pointed out the sheer size of this breach may have frightened some Equifax officials into selling a portion of their company shares.
“It is ideal, if ironic, for cybercriminals to compromise the very companies that internet users rely on to safeguard their identities and finances,” Geers noted. “Even if you are not a customer, Equifax likely has a lot of data about you, and you should take proactive steps in response to this hack.” On the technical side, Geer suggested it is critical to learn how and what happed so that other companies can take defensive action.
Fleming Shi, SVP Technology, Campbell, Calif.-based cyberfraud defense firm Barracuda Networks offered some additional insight, “This breach is a like a Category 5 hurricane in the cyberworld, affecting at least one-third of the U.S. population. The lasting impact from the breach will go on for years.”
Shi explained although web application attacks are common, there are two variations that may be relevant to this incident: In one instance, a company hosts software vulnerable to content injection or privilege escalation attacks. This vulnerability is easily exploitable, once discovered, as not every site is setup for auto updates. In the second instance, web applications or website code is independently vulnerable and subject to various well application-level attacks. In such cases, if software exhibits vulnerability to common attacks like SQL injection, Cross-site scripting, buffer, or overflow, this puts an organization at serious risk.
“In both cases, the attacker can gain unauthorized access to the backend of an application or website, allowing them to do anything from replacing the content on a site to embedding code, all with the hopes of siphoning highly valuable data,” Shi noted. “Companies should gain a full understanding of what hosting software and other third-party software component may be running on its web applications and website. They should also keep up with version updates, especially when there are security-related fixes.”