Yesterday, Equifax, one of the three largest consumer credit reporting and financial services providers in the United States, released a statement announcing a data breach that involves the personal information of an estimated 143 million US consumers. The company stated that it discovered the breach on July 29 and that further forensic analysis revealed it resulted from the exploitation of a web application vulnerability, which was used to gain unauthorized access to files containing sensitive consumer information. This access reportedly occurred from mid-May through July 2017. The information accessed includes names, Social Security numbers, birth dates, addresses and, in some cases, driver's license numbers. Credit card numbers for 209,000 US consumers and dispute documents with personally identifying information for 182,000 US consumers were also accessed. Rick Smith, the Chairman and CEO of Equifax, released a YouTube video and a FAQ sheet regarding the breach and is asking consumers with additional questions to contact the call center the company set up for this purpose at 866-447-7559. Equifax also launched the website www.equifaxsecurity2017.com, which outlines the details of the data breach and provides additional resources for consumers. Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents were impacted. Equifax is offering free credit monitoring and identity theft protection for one year through TrustedID Premier to those affected by the breach.
It is unclear who is responsible for this breach and whether it was profit-motivated theft by a non-state criminal actor or espionage collection activity carried out by, or on behalf of, a hostile nation-state. However, an anonymous actor has created a website on the dark web, badtouchyonqysm3[.]onion, claiming responsibility for the breach and is currently demanding a ransom payment of 600 Bitcoins (approximately $2.8 million) from Equifax. According to this website, if the payment is not received by September 15, the actor will publicly release the stolen data. Additionally, an anonymous Twitter user, 1x0123 @real_1x0123, posted a screenshot and is purporting to sell access to various Equifax data repositories via a web shell for 1 Bitcoin (approximately $4,451). Neither of these claims has been confirmed, and neither should be considered legitimate unless proven otherwise.
The NJCCIC recommends that all of our members assume their sensitive personal information was compromised in this breach, or in one of the many incidents that have occurred in recent years, and take immediate action to protect themselves against identity theft. If you were affected by a recent data breach, we strongly urge you to enroll in the free credit monitoring service provided by the victim organization. While credit monitoring is helpful in detecting suspicious or malicious activity, consumers should also consider identity theft insurance, which covers losses incurred as a result of successful fraud. The NJCCIC also recommends that our members consider placing a security freeze on their credit, closely monitor bank and credit card accounts using SMS or email alerting options, and report any fraudulent activity to the Federal Trade Commission and their local law enforcement agency as soon as possible. While it may be an inconvenience, a credit freeze will prevent unauthorized loans and lines of credit from being opened in your name, and it can be lifted whenever legitimate credit inquiries are necessary.
Additionally, the NJCCIC encourages all organizations that use web applications to access and manage sensitive data to review the NJCCIC threat analysis titled "Web Apps: Vulnerable to Common Threats, Firewalls Recommended," to consider deploying a web application firewall, and to regularly perform security audits of all web applications.