[BreachExchange] Equifax Confirms 'Probable' Breached Data Was Indeed Stolen

Audrey McNeil audrey at riskbasedsecurity.com
Mon Feb 12 19:01:48 EST 2018


Equifax says that its digital forensic investigators have found that while
its tally of 145.5 million U.S. breach victims hasn't changed, more of them
had their email addresses, tax identification numbers and driver's license
information exfiltrated.

A document submitted to the U.S. Senate Banking Committee last week by
Atlanta-based Equifax describes the additional types of information that
went missing, the Wall Street Journal first reported.

"On Sept. 7, Equifax announced that the information accessed in the
cybersecurity incident primarily included names, Social Security numbers,
birthdates, addresses, drivers' license numbers and in some instances,
credit card numbers and certain dispute documents with personal identifying
information," Meredith Griffanti, an Equifax spokeswoman, tells Information
Security Media Group.

"Acting with full transparency, we also provided the Senate Banking
Committee with an additional list of potential but not primary data points
that may have been accessed that we categorized and analyzed in the
forensic investigation," Griffanti adds. "We sent direct mail notices to
those consumers whose credit card numbers or dispute documents with PII
were impacted. The approximate number of 145.5 million impacted U.S.
consumers has not changed."

Griffanti says the full details of what was stolen for every consumer are
provided to any victims who use its breach notification site.

Notification History

Equifax's initial security alert, issued on Sept. 7, 2017, warned that it
had suffered a data breach that resulted in personally identifiable
information on 143 million U.S. consumers being exposed, as well as
information on U.K. and Canadian residents.

Equifax later revised those figures, saying personal data for 145.5 million
U.S. individuals was exposed, including payment card numbers for 209,000
U.S. consumers as well as documents related to credit disputes for 182,000
U.S. consumers. The credit bureau has also said that 15.2 million records
pertaining to U.K. residents were exposed, putting 860,000 British
consumers at risk, and said that 8,000 Canadian residents' personal details
were also exposed (see Equifax Breach Victims: UK Count Goes Up).

The breach, which began on March 10, 2017, led to the ousting of the
company's CIO, CSO as well as CEO Richard Smith, who blamed "human error"
for the company's failure to patch the Apache Struts web application that
hackers exploited (see Equifax Ex-CEO Blames One Employee For Patch

The U.S. Federal Trade Commission and the Department of Justice, state of
New York, and regulators in Canada and the United Kingdom are investigating
the Equifax breach. The breach has also sparked numerous class action

To better defend against breaches, Paulino Barros, Equifax's interim CEO,
says the company has quadrupled its cybersecurity spending.

But privacy experts warn that the damage caused by the massive exposure of
personally identifiable information may never be undone. The Equifax breach
was one of the worst in history and has left more than half of all U.S.
adults at risk of identity theft for the rest of their lives (see US Data
Breaches Hit All-Time High).

Countdown to GDPR

Equifax's disclosure last week that some potentially compromised data was,
indeed, compromised sparked more criticism from information security

"That's the sort of honesty we have come to expect from Equifax," says Ian
Thornton-Trump, the cyber vulnerability and threat hunting lead at
London-based betting and gambling company Ladbrokes Coral Group. "Why could
this not have happened on 26 May 2018, so the GDPR - aka Death Star - would
be fully operational to deal a devastating fine for Equifax's behavior?"

Thornton-Trump says that when the EU in May begins enforcing the General
Data Protection Regulation, which applies to any business that handles
Europeans' personal data, many businesses are going to face some tough
questions. "The two questions Equifax raises especially under GDPR are:
One, who is responsible for PII data security after it is collected and
sent to multiple processors? And two, is specific consent required for each
and every step of that process when it involves third parties?" he tells
Information Security Media Group.

Self-Administered Breach Notifications

Equifax has also been criticized by many consumer and privacy rights groups
for requiring many potential U.S. victims - who may have no idea that their
personal information was being collected and sold by Equifax - to go to a
data breach notification website set up by Equifax to see if they were
breach victims.

Equifax's Griffanti tells ISMG that the company complied with all states'
data breach notification laws (see Senators Again Propose National Breach
Notification Law). She adds that consumers will have received mailed
notifications if certain information, such as payment card numbers, was

Equifax says anyone with a tax ID number can input that - instead of a
Social Security number - into Equifax's breach notification website to see
if they were affected.

The Internal Revenue Service says that a tax identification number is "only
available for certain nonresident and resident aliens, their spouses and
dependents who cannot get a Social Security number."

Equifax told the Wall Street Journal that the "additional driver's license
information accessed other than the driver's license number was extremely
minimal" and that "anyone with a potentially affected driver's license
number" can also look up their status on Equifax's breach notification site.

Warren's Five-Month Investigation

Equifax's latest report to the Senate committee came just days after Sen.
Elizabeth Warren, D-Mass., issued a report into her office's own, ongoing
Equifax breach investigation.

"In October, when I asked the CEO about the precise extent of the breach,
he couldn't give me a straight answer. So for five months, I investigated
it myself," Warren tweeted on Saturday.

On Wednesday, Warren released the results of that investigation,
criticizing Equifax on numerous fronts, including telling consumers their
data had been "accessed" when Warren says Equifax's former CEO, Richard
Smith, testified to Congress that it had, in fact, been exfiltrated,
meaning that it was stolen and that third parties will have access to all
of that personally identifiable information in perpetuity. Warren also says
some U.S. passport numbers were compromised in the breach. Equifax,
however, contends that they were not.

On Friday, in light of Equifax's most recent breach update, Warren - who's
also a member of the Senate banking committee - wrote to Equifax demanding
a complete accounting of its data breach and response.

"While Equifax confirmed the release of this additional data this morning,
the company continues to dissemble and downplay the significance, refusing
to provide any information on the number of taxpayer identification numbers
or email addresses that were hacked, and claiming that email addresses
'aren't considered sensitive personal information,'" she wrote.

Bill Would Fine Breaches of PII

Last month, Warren and Sen. Mark Warner, D-Va., introduced draft
legislation dubbed the Data Breach Prevention and Compensation Act that is
designed "to hold large credit reporting agencies (CRAs) - including
Equifax - accountable for data breaches involving consumer data." The bill
would give the Federal Trade Commission more authority to monitor CRAs'
information security practices and incentivize them based on results. To do
that, it would fine CRAs $100 for any consumer whose PII was compromised,
plus $50 for each additional violation.

"For years, Equifax and other big credit reporting agencies have been able
to get away with profiting off using people's private info and doing so
without their explicit permission," Warren tells Vox, a news website. "We
need real consequences for when they screw up."

Warren tells Vox that Equifax shouldn't be allowed "to wiggle off the hook
for having put more than half of all adult Americans at risk for fraud for
years to come because of the data that were stolen."

Under her draft legislation, Equifax would have faced a $1.5 billion
penalty, Warren wrote last week in a blog post.

Based on the expanded scope of the breach revealed in recent days, however,
the potential penalty would have been even higher.

Senators Demand Equifax Probe Update

On Wednesday, Reuters reported that Mick Mulvaney, who became head of the
Consumer Financial Protection Bureau last November, has shelved the CFPB
probe into Equifax (see Cynic's Guide to the Equifax Breach: Nothing Will

Last month, Mulvaney requested that the CFPB be given $0 in funding, saying
that the agency would draw down its reserves. But Rep. Carolyn Maloney,
D-N.Y., who's a senior member of the House Financial Services Committee,
accused Mulvaney of attempting to "defund and defang" the CFPB.

Citing the Reuters report, a group of more than 30 Democratic senators, led
by Sen. Brian Schatz of Hawaii, on Thursday wrote to the CFPB, demanding an
update on its Equifax investigation by Feb. 19 and asking directly if the
probe has been frozen.

"The CFPB has a statutory mandate to participate in this process by
conducting an investigation," the senators wrote. "If that investigation
exposes wrongdoing or consumer harm, the CFPB has the authority, and indeed
a duty, to bring appropriate enforcement actions."

The CFPB didn't immediately respond to a request for comment on the letter.

But last week, Mulvaney's senior adviser, John Czwartacki, issued a vague
statement in response to the Reuters report.

"Acting Director Mulvaney takes data security issues very seriously,"
Czwartacki said. "Under his direction, the CFPB is working with our
partners across government on Equifax's data breach and response. We are
committed to enforcing the law. As policy, we do not confirm or deny
enforcement or supervisory matters."