Equifax has been making headlines the last few weeks for a large security breach involving consumers in the U.S., U.K., and Canada. Attackers gathered the personal information of up to 143 million U.S. consumers, including credit card numbers for about 209,000 people. Other information accessed during the breach includes names, Social Security numbers, birth dates, addresses, and driver’s license numbers, all of which are valuable to identity thieves. According to Equifax, the attackers “exploited a U.S. website application vulnerability to gain access to certain files.”
The attack happened between May and July, but was not discovered until 7/29 and not disclosed to the public until 9/7. By the time Equifax announced that there had been a breach, criminals had already had access to sensitive information for over a month. The company has received criticism for not disclosing the breach sooner. “I might’ve wanted to know over the last six weeks that my Social Security Number might’ve been kicked around on some dark website,” said Craig Timberg of the Washington Post in an interview with NPR.
Even worse, there is no reliable way for consumers to check whether they have been affected other than waiting for Equifax to send a notice in the mail. Equifax has a website designed to tell people whether they have been affected, but according to TechCrunch, the website is not reporting correctly at the moment: when TechCrunch entered fake names and Social Security numbers, it gave varying answers as to whether or not those people were affected. “Others have tweeted they received different answers after entering the same information,” they wrote.
CNN describes this breach as “among the worst ever because of the amount of people affected and the sensitive type of information exposed.” What sets this attack apart from other attacks in recent years is that Equifax is not a service people sign up for. The company gathers information about consumers from credit card companies, banks, retailers, and lenders.
Many people affected may not be aware that they should be concerned about this breach. In this case, it is not a matter of only giving your information to organizations you can trust. “You almost have to expect that your information is out there whether you know it or not,” Brian Fox, chief technology officer at Sonatype, told SD Times.
Matt Howard, executive vice president at Sonatype, said that about 90% of data breaches involve open source components with known fixes. A bill of materials lists all of the components in a piece of software, making it easy to catch such vulnerabilities. Many companies are simply unaware of potential vulnerabilities in their systems because they do not have a detailed bill of materials to refer to. Companies that stay vigilant about potentially vulnerable components in their software can avoid many data breaches.
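A bill of materials only helps if it is actually checked against advisory data. As an added example (not code from the article, Equifax or Sonatype), the Python below walks a constructed CycloneDX-style SBOM and flags every component whose installed version is below an advisory's fixed version; the component names, versions and advisory identifiers are placeholders.

```python
"""Added example (not from the article or Sonatype): check a software bill of
materials against advisory data for components with a known fix available."""
from dataclasses import dataclass

# Constructed SBOM in a CycloneDX-like shape; names and versions are made up.
SBOM = {
    "components": [
        {"name": "web-framework", "version": "2.3.15"},
        {"name": "json-lib", "version": "1.4.0"},
        {"name": "logging-core", "version": "3.0.1"},
    ]
}

# Constructed advisory feed; identifiers are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "name": "web-framework",
     "affected_below": "2.3.32", "fixed_in": "2.3.32"},
    {"id": "ADVISORY-PLACEHOLDER-2", "name": "json-lib",
     "affected_below": "1.3.9", "fixed_in": "1.3.9"},
]

def parse_version(v: str) -> tuple:
    """Split a dotted version into a tuple of ints so that '2.3.15' < '2.3.32'."""
    return tuple(int(p) for p in v.split("."))

@dataclass(frozen=True)
class Finding:
    component: str
    installed: str
    advisory: str
    fixed_in: str

def find_known_vulnerable(sbom: dict, advisories: list) -> list:
    """Return one Finding per SBOM component whose installed version is below
    an advisory's fixed version, i.e. a known vulnerability with a known fix."""
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)
    findings = []
    for comp in sbom["components"]:
        for adv in by_name.get(comp["name"], []):
            if parse_version(comp["version"]) < parse_version(adv["affected_below"]):
                findings.append(Finding(comp["name"], comp["version"],
                                        adv["id"], adv["fixed_in"]))
    return findings

if __name__ == "__main__":
    for f in find_known_vulnerable(SBOM, ADVISORIES):
        print(f"{f.component} {f.installed}: {f.advisory}, upgrade to {f.fixed_in}")
```

Running this against a real SBOM means swapping the constructed lists for a generated CycloneDX or SPDX file and a real advisory feed; the matching logic stays the same.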
The remaining 10% of data breaches are the result of zero-day exploits, which are almost impossible to protect against. Given this, it is unlikely that we will ever live in a world completely free of security breaches. Vulnerabilities will always be there, but Fox advises that companies set themselves up to respond and remediate accordingly. Being prepared for the worst-case scenario limits the damage when a breach does happen.