News

Equifax Breach Exposes Personal Information of 44% of U.S. Consumers

Megan Sawle
September 13, 2017 by
Megan Sawle

Last week, Equifax announced a data breach impacting 143 million U.S. consumers. According to the company’s release, information accessed includes names, Social Security numbers, birth dates, addresses and some driver’s license numbers. Credit card numbers for over 200,000 Americans, as well as “dispute documents” with personal identifying information for 182,000 additional U.S. consumers, were also accessed.

See how it happened: Inside Equifax's massive breach: Demo of the exploit

This marks the second Equifax hack of 2017, following an incident earlier this year when the company compromised W-2 tax data from Equifax subsidiary, TALX.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

Hackers Exploited Application Vulnerabilities to Gain Access

Equifax reports hackers gained access to data files by exploiting “a U.S. website application vulnerability.” Baird Equity Research specifically points to a vulnerability in an open-source software package called Apache Struts.

The Apache Struts framework is used by at least 65% of Fortune 100 companies. The framework has known vulnerabilities, two of which were discovered in 2017. It is still unknown at this time what Struts vulnerability was targeted in the attacks.

A Delayed Response

Equifax has taken significant criticism for its response to the breach. Critics report the hack took too long to detect (2.5 months) and too long to report to those affected (over a month). Security experts suggest Equifax may have prevented the attack with better audits of its web application security.

New Equifax Phishing Template from SecurityIQ

In response to the breach, InfoSec Institute just released a new Equifax phishing template on its SecurityIQ platform. This new tool will prepare your workforce for phishing attacks trying to capitalize on the recent Equifax breach. The new template uses drive-by and data-entry attack methods to trick enrolled learners into entering credentials into a simulated Equifax consumer protection site.

Three Key Lessons from the Equifax Incident

Regardless of why or how the Equifax breach occurred, much can be learned from this unprecedented incident. Here are three key lessons from the Equifax incident:

  1. Information security demands a multilayered approach. Hackers have access to an incredible (and growing) resource bank to execute their attacks. It’s essential your information security strategy includes multiple layers for threat prevention and detection. InfoSec Institute has a variety of training programs available to ensure your security team is armed with the information they need to prevent — and detect — security threats.
  2. Information security is ever evolving. Security experts work hard to expose vulnerabilities in web applications to help organizations identify risks and apply critical security patches. However, hackers also have access to this information, so timely updates are essential. Staying involved in groups like OWASP can help you identify vulnerabilities in existing applications and apply secure coding practices to internally developed applications. InfoSec Institute’s OWASP modules for developers can also help your team stay current on the latest threats.
  3. Information security extends beyond the IT department. Although phishing was not likely used in the Equifax attack, it continues to be a growing threat for businesses around the world. SecurityIQ’s phishing simulator, PhishSim, allows you to provide phishing training to your workforce using timely, realistic phishing templates. Our AwareEd program goes a step further to deliver several modules on data protection for additional learning and reinforcement.

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

Sources:

Megan Sawle
Megan Sawle

Megan Sawle is a communications and research professional with 10 years of experience in cybersecurity, bioscience and higher education. Megan leads Infosec’s research strategy, leveraging study findings to mature its cybersecurity education offerings and build awareness of cybersecurity diversity and skill shortage challenges. Since joining the team, she’s directed research projects on a wide variety of cybersecurity topics ranging from dark web marketplaces and phishing kits to the Workforce Framework for Cybersecurity (NICE Framework) and the importance of soft skills in cybersecurity roles. Megan is a University of Wisconsin-Stout graduate, an avid equestrian and (very) amateur mycologist.