CIS608 - Week2 - Data breach at Equifax - How did it happen
CIS608 - Week2 - Data breach at Equifax - How did it happen?
Data breaches are old and quite common in IT world. The Equifax data breach issue also quite familiar. This kind of issues happened in the past. The basic difference is, this time it happened on a much bigger scale and the data that leaked is personal and financial information.
Background of the Equifax data breach is -
Equifax is a credit reporting agency. It holds sensitive data of millions of users.
As part of their business, they do have an another portal, where consumers can raise their questions, disputes, and concerns about some items on the credit report published by Equifax. This portal runs on an open source software called Apache Struts.
Apache Struts, familiar tool and it's being used by many many other businesses and enterprises.
Equifax used this software to support its online dispute portal -- where Equifax consumers log their issues with their credit reports.
Two months before the incident Apache found a flaw IN their software and released a patch TO bridge the gaps.
But Equifax ignored this warning signal. Equifax couldn't find this flaw during their internal scans/audits.
Equifax had full two months of time to address the issue before hackers first gained access to their servers to its data.
The information that hackers obtained had consumer names, Social Security numbers, birth dates, addresses and along with driver's license numbers.
This data breach impacted 143 million US consumers, which is quite large in this nature.
Timeline:
Series of events from identification of issue till its disclosure to the public
Feb/14/2017
- Apache Foundation is communicated about Apache Struts vulnerability.
Mar/06/2017
- Apache released a security patch to address the issue.
Mar/07/2017
- VulnDB and Exploit Database make made announcement about the Apache Strut vulnerability.
May/14/2017
- The Equifax data breach occurs (per the company’s official statement).
May,July/2017
- Hackers attack Equifax servers, gained control on information of nearly 143 million consumers
July/29/2017
- Equifax detects the security breach.
July/30/2017
- Equifax patches the vulnerability.
Aug/1,2/2017
- Top Equifax executives sold their stakes, nearly $2 million worth of shares.
Aug/10/2017
- Equifax acquired a company called ID Watchdog.
Sep/07/2017
- Equifax announced about data breach to the public.
Started damage control to protect the interests of consumers
Jackie Wattles, Selena Larson (2017, Sep 16). How the Equifax data breach happened: What we know now. Retrieved from CNNTech: http://money.cnn.com/2017/09/16/technology/equifax-breach-security-hole/index.html
Data breaches are old and quite common in IT world. The Equifax data breach issue also quite familiar. This kind of issues happened in the past. The basic difference is, this time it happened on a much bigger scale and the data that leaked is personal and financial information.
Background of the Equifax data breach is -
Equifax is a credit reporting agency. It holds sensitive data of millions of users.
As part of their business, they do have an another portal, where consumers can raise their questions, disputes, and concerns about some items on the credit report published by Equifax. This portal runs on an open source software called Apache Struts.
Apache Struts, familiar tool and it's being used by many many other businesses and enterprises.
Equifax used this software to support its online dispute portal -- where Equifax consumers log their issues with their credit reports.
Two months before the incident Apache found a flaw IN their software and released a patch TO bridge the gaps.
But Equifax ignored this warning signal. Equifax couldn't find this flaw during their internal scans/audits.
Equifax had full two months of time to address the issue before hackers first gained access to their servers to its data.
The information that hackers obtained had consumer names, Social Security numbers, birth dates, addresses and along with driver's license numbers.
This data breach impacted 143 million US consumers, which is quite large in this nature.
Timeline:
Series of events from identification of issue till its disclosure to the public
Feb/14/2017
- Apache Foundation is communicated about Apache Struts vulnerability.
Mar/06/2017
- Apache released a security patch to address the issue.
Mar/07/2017
- VulnDB and Exploit Database make made announcement about the Apache Strut vulnerability.
May/14/2017
- The Equifax data breach occurs (per the company’s official statement).
May,July/2017
- Hackers attack Equifax servers, gained control on information of nearly 143 million consumers
July/29/2017
- Equifax detects the security breach.
July/30/2017
- Equifax patches the vulnerability.
Aug/1,2/2017
- Top Equifax executives sold their stakes, nearly $2 million worth of shares.
Aug/10/2017
- Equifax acquired a company called ID Watchdog.
Sep/07/2017
- Equifax announced about data breach to the public.
Started damage control to protect the interests of consumers
References:
Equifax 2017 Data Breach: A Meticulous Timeline. Retrieved from: https://csrps.com/meticulous-timeline-equifax-data-breach
Equifax 2017 Data Breach: A Meticulous Timeline. Retrieved from: https://csrps.com/meticulous-timeline-equifax-data-breach
Jackie Wattles, Selena Larson (2017, Sep 16). How the Equifax data breach happened: What we know now. Retrieved from CNNTech: http://money.cnn.com/2017/09/16/technology/equifax-breach-security-hole/index.html
Comments
Post a Comment