Equifax - UPDATE

Update: Equifax Data Breach

On Wednesday, Equifax updated its information webpage related to the data breach announced last week involving the compromise of sensitive personal information of 143 million consumers. According to Equifax, the Apache Struts 2 vulnerability disclosed on March 10, 2017, CVE-2017-5638, was exploited within a US-based web application and led to the data breach. It is unclear what other vulnerabilities and tactics were used to exploit Equifax's network and exfiltrate the large number of records involved. It also remains unclear whether this incident was carried out by a nation-state or a profit-motivated criminal actor.

The company also addressed questions raised about the arbitration clause and class action waiver language that was in the terms of use for the TrustedID Premier credit file monitoring and identity theft protection products. The language was removed from the Terms of Use and will not apply to the free products offered in response to the data breach, including for consumers who signed up before the language was removed. Additionally, Equifax indicated that it experienced technical difficulties and a one-hour system outage on Wednesday due to the high volume of security freeze requests.

In the wake of this and many other recent data breaches, the NJCCIC strongly encourages our members to place security freezes on their credit files in order to mitigate the risk of identity theft and financial fraud. A security freeze, or credit freeze, does not affect one's credit score and does not prevent an individual from obtaining their annual credit report. A security freeze restricts access to your credit report, which makes it more difficult for identity thieves to open new accounts or obtain loans in your name. If applying for credit or a new job, you can temporarily lift the freeze with the credit reporting company that the creditor or business needs to contact. Consumers must contact and place security freezes with all three credit reporting companies. More information on credit freezes is provided by the FTC.

For more information on the risks associated with insecure web apps and mitigation recommendations, please review our Threat Analysis published on June 21, 2017, titled "Web Apps: Vulnerable to Common Threats, Firewalls Recommended." Additionally, administrators of Apache Struts should review the Apache Security Bulletin published on September 7 regarding a new critical vulnerability, CVE-2017-9805, in Struts versions 2.5 to 2.5.12, and upgrade to 2.5.13.
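The following inventory check is an added example, not NJCCIC or Apache tooling: it walks a directory tree for `struts2-core-<version>.jar` files (the file name used by official Struts distributions, an assumption here) and flags any version in the 2.5 through 2.5.12 range named above, treating 2.5.13 as the patched target; versions below 2.5 are reported for manual review against the Apache bulletin rather than judged by this script.

```python
import os
import re
import sys
from typing import List, Tuple

# Official Struts 2 distributions ship the core library as struts2-core-<version>.jar
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")

FIXED = (2, 5, 13)          # upgrade target named in the advisory
AFFECTED_LOW = (2, 5, 0)    # CVE-2017-9805 range quoted in the advisory: 2.5 .. 2.5.12
AFFECTED_HIGH = (2, 5, 12)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5' -> (2, 5, 0): pad to three components so tuples compare cleanly."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def classify(version: str) -> str:
    """'ok' at or above 2.5.13, 'affected' inside the advisory's range, else 'review'."""
    v = parse_version(version)
    if v >= FIXED:
        return "ok"
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        return "affected"
    return "review"  # older branch not covered by the range quoted above; check the bulletin


def find_struts_jars(root: str) -> List[Tuple[str, str]]:
    """Return (path, version) for every struts2-core jar found under root."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = JAR_RE.match(name)
            if m:
                found.append((os.path.join(dirpath, name), m.group(1)))
    return found


def report(root: str) -> List[Tuple[str, str, str]]:
    """Classify each jar found under root; empty list means no Struts 2 core jar present."""
    return [(path, ver, classify(ver)) for path, ver in find_struts_jars(root)]


if __name__ == "__main__":
    # Usage: python struts_check.py /path/to/webapps  (defaults to /opt)
    for path, ver, status in report(sys.argv[1] if len(sys.argv) > 1 else "/opt"):
        print(f"{status:8} {ver:10} {path}")
```

Jars unpacked into WEB-INF/lib of an application deployment are the usual place this finds hits; a "review" result is not a clean bill of health.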
