Credit reporting agency Equifax said Thursday a web application flaw exposed 143 million customer records to hackers, a startling breach from a company that ironically offers identity theft protection services.
The information exposed includes names, Social Security numbers, birth dates, addresses and in some cases, driver's license numbers, according to a news release. Although most of those affected are U.S. consumers, Equifax says some "limited personal" information for U.K. and Canadian residents was affected.
Equifax also says the breach exposed credit card numbers for 209,000 U.S. consumers. The hackers also accessed what Equifax described as "dispute documents" containing personal information for 182,000 U.S. consumers.
While not the largest breach on record, it's certainly one of the most sensitive. Equifax is one of the largest aggregators of financial data related to U.S. consumers, and its records are used by a variety of other businesses to gauge a person's creditworthiness.
"On a scale of one to 10 in terms of risk to consumers, this is a 10," says Avivah Litan, a vice president with the analyst firm Gartner. "Equifax holds consumers' most personally sensitive financial information."
The breach was discovered on July 29. Equifax says the cybercriminals "exploited a U.S. website application vulnerability to gain access to certain files." The exposure period ran from mid-May through July.
Equifax didn't identify what kind of web application was illegally accessed. But it said that its consumer and commercial credit reporting databases did not show evidence of unauthorized activity.
Still, it's a worst-case scenario for consumers. The type of information leaked is a perfect package for a fraudster looking to impersonate someone else.
In the news release, Equifax Chairman and CEO Richard F. Smith says, "This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do."
"I apologize to consumers and our business customers for the concern and frustration this causes. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations."
Although major data breaches have become nearly routine, Equifax's lapse is "especially alarming and serious," says Atiq Raza, CEO of the web application security company Virsec. Of particular concern is the static nature of data, such as birth dates.
"Almost all the data that credit reporting companies like Equifax hold is sensitive, and much of it is used to establish identity - birth dates, addresses, driver's licenses, and other data types are routinely used to verify identity," Raza says. "It's one thing to ask a consumer to change a password, but how do you change your birth date?"
Questionable Notification Process
Equifax says it will only send notifications by direct mail to the 209,000 people whose payment card information was leaked and the 182,000 consumers whose dispute documents were exposed.
For everyone else, Equifax has set up a web-based tool for people to check if their data is in the breach.
That is likely to raise eyebrows among security experts, particularly after Equifax attributed the breach to a web application security flaw. The tool asks consumers for their last name and the last six digits of their Social Security number.
Social Security numbers are widely available on underground cybercriminal markets, so it's not difficult for fraudsters to procure large numbers. That makes Social Security numbers a very poor way to authenticate a consumer.
Virsec's cofounder and CTO, Satya Gupta, says Equifax's notification method is "very unusual."
"This reinforces the conundrum of these breaches - with more information exposed, how do you now prove a person's identity?" he says.
Equifax says that it is offering free identity theft protection and credit file monitoring for all U.S. consumers, even for those not affected by the breach.
After a last name and the last six digits of a Social Security number are entered into the tool, it returns whether the person is in the breach. If a person isn't in the breach, it offers up a date when that person should come back to Equifax's website to enroll in the service, called TrustedID Premier.
Enrollment is only free for one year, after which consumers would have to pay a fee. Troy Hunt, an Australian data breach expert, says that using a data breach incident as a marketing funnel seems to be "very poor judgement."
"It just feels like they [Equifax] have misread the market," Hunt says. "They've misread that there's going to be resentment over the fact they've lost the data in the first place."
Web App Risks
Flaws in web applications are one of the most common vectors for hackers to access data. Because web applications by their nature face the internet, it's crucial that companies code them correctly to prevent information those applications collect from leaking.
Most web applications sit in front of back-end databases, and the application is supposed to be built so that potentially malicious input never reaches the database as a command. Hackers often try what are known as injection attacks, in which database commands are entered into web-based forms to see whether the back-end database will divulge information.
According to the Open Web Application Security Project, a community dedicated to web application security, injection attacks are rated as the top risk to applications for this year.
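To make the injection risk described above concrete, the following is an added example (not code from the article or from Equifax) that shows the defect and its standard fix side by side. It builds a tiny in-memory SQLite table of constructed, fictional "dispute" rows, looks them up first with a query assembled from user input by string formatting, then with a parameterized query in which the database driver binds the value. A request that should return one owner's record instead returns every row from the vulnerable version, while the parameterized version returns nothing for the same hostile input. The table name, column names and sample rows are all assumptions made for the demonstration; an allow-list check on the identifier is included as a second, independent layer.

```python
import re
import sqlite3

# Constructed sample data for the demo; this is not Equifax's schema or data.
SAMPLE_ROWS = [
    ("alice", "dispute #1001: disputed late payment"),
    ("bob", "dispute #1002: address correction"),
    ("carol", "dispute #1003: closed account still reporting"),
]

# Allow-list for the account identifier: lowercase letters, digits, underscore.
OWNER_PATTERN = re.compile(r"^[a-z0-9_]{1,32}$")


def build_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE disputes (owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO disputes VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, owner):
    """The flaw: user input is spliced into the SQL text, so input can rewrite the query."""
    sql = "SELECT body FROM disputes WHERE owner = '%s'" % owner
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, owner):
    """The fix: the query structure is fixed and the driver binds the value as data."""
    sql = "SELECT body FROM disputes WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def is_well_formed_owner(owner):
    """Defence in depth: reject identifiers that do not match the expected shape."""
    return bool(OWNER_PATTERN.match(owner))


def lookup_hardened(conn, owner):
    """Allow-list validation first, then the parameterized query."""
    if not is_well_formed_owner(owner):
        return []
    return lookup_parameterized(conn, owner)


def demo():
    """Run one honest and one hostile lookup through each variant; return row counts."""
    conn = build_db()
    honest = "alice"
    # The textbook payload: closes the string literal and appends an always-true clause.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_honest": len(lookup_vulnerable(conn, honest)),
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),
        "parameterized_honest": len(lookup_parameterized(conn, honest)),
        "parameterized_hostile": len(lookup_parameterized(conn, hostile)),
        "hardened_honest": len(lookup_hardened(conn, honest)),
        "hardened_hostile": len(lookup_hardened(conn, hostile)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The vulnerable lookup leaks all three rows because the hostile string changes the query's logic; the parameterized lookup treats the same string as a literal owner name that matches nothing. The allow-list check is not a substitute for parameterization, but it rejects obviously malformed identifiers before they reach the database at all, which also gives a clean point to log and alert on.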