Equifax the US credit ratings firm victim to an unlawful breach of security this week. It has been told to inform British residents “at the earliest opportunity” if their personal information has been put at risk, the Information Commissioner said on Friday.
They admitted UK consumers were affected by the data breach but did not say how many, however it is understood to hold the data of 44 million British consumers.
Equifax is is used by BT, Capital One and British Gas among others, was hacked this summer, the company revealed yesterday.
The UK data watchdog, the Information Commissioner’s Office (ICO), said it is investigating the incident and has urged Equifax to contact affected customers as soon as possible.
The ICO Deputy Commissioner James Dipple-Johnstone said ” Reports of a significant data loss at US-based Equifax and the potential impact on some UK citizens gives us cause for concern. We are already in direct contact with Equifax to establish the facts including how many people in the UK have been affected and what kind of personal data may have been compromised. We will be advising Equifax to alert affected UK customers at the earliest opportunity. In cyber attack cases that cross borders the ICO is committed to working with relevant overseas authorities on behalf of UK citizens.”
The Apache Struts Project Management Committee (PMC) also issuaed a statement regarding the data breach.
We are sorry to hear news that Equifax suffered from a security breach and information disclosure incident that was potentially carried out by exploiting a vulnerability in the Apache Struts Web Framework. At this point in time it is not clear which Struts vulnerability would have been utilized, if any. In an online article published on Quartz.com , the assumption was made that the breach could be related to CVE-2017-9805, which was publicly announced on 2017-09-04  along with new Struts Framework software releases to patch this and other vulnerabilities . However, the security breach was already detected in July , which means that the attackers either used an earlier announced vulnerability on an unpatched Equifax server or exploited a vulnerability not known at this point in time –a so-called Zero-Day-Exploit. If the breach was caused by exploiting CVE-2017-9805, it would have been a Zero-Day-Exploit by that time. The article also states that the CVE-2017-9805 vulnerability exists for nine years now.
We as the Apache Struts PMC want to make clear that the development team puts enormous efforts in securing and hardening the software we produce, and fixing problems whenever they come to our attention. In alignment with the Apache security policies, once we get notified of a possible security issue, we privately work with the reporting entity to reproduce and fix the problem and roll out a new release hardened against the found vulnerability. We then publicly announce the problem description and how to fix it. Even if exploit code is known to us, we try to hold back this information for several weeks to give Struts Framework users as much time as possible to patch their software products before exploits will pop up in the wild. However, since vulnerability detection and exploitation has become a professional business, it is and always will be likely that attacks will occur even before we fully disclose the attack vectors, by reverse engineering the code that fixes the vulnerability in question or by scanning for yet unknown vulnerabilities.
The full Apache statement can be read here
The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.
Equifax discovered the unauthorized access on July 29 of this year and acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax also reported the criminal access to law enforcement and continues to work with authorities. While the company’s investigation is substantially complete, it remains ongoing and is expected to be completed in the coming weeks.
The company has set up a website, www.equifaxsecurity2017.com,
for people to check if their data was leaked and to what extent. As is often the case after leaks like this, the company is offering a free credit file monitoring and identity theft protection, which you may want to take advantage of if your information was involved.