Equifax has confirmed that attackers entered its system in mid-May through a web-application vulnerability that had a patch available in March.
As the security community processes the news and scrutinizes Equifax’s cybersecurity posture, numerous doubts have surfaced about the organization’s competence as a data steward. The company took six weeks to notify the public after finding out about the breach. In this case, Equifax had ample opportunity to update. This vulnerability was disclosed back in March.
“There were clear and simple instructions on how to remedy the situation. The responsibility is then on companies to have procedures in place to follow such advice promptly,” says Bas van Schaik, a product manager and researcher at Semmle, an analytics security firm. The fact that Equifax was subsequently attacked in May means that Equifax did not follow that advice. Had they done so, this breach would not have occurred. Penetration testers and other security researchers say that it would have been simple for an attacker to exploit the flaw and get into the system. After exploiting the vulnerability to gain a foothold, the attackers may have found scores of unprotected data immediately, or may have worked over time—between mid-May and the end of July—to gain more and more access to Equifax’s systems.
“Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted,” the company said in a statement Wednesday. “We continue to work with law enforcement as part of our criminal investigation.” Lawmakers are planning two hearings to scrutinize the situation, though, and have requested detailed information about the breach from Equifax. Dozens of people whose personal data was exposed have already filed lawsuits against the company. Peter Kaplan, the acting director of public affairs at the Federal Trade Commission, told WIRED in a statement that “the FTC typically does not comment on ongoing investigations.” Equifax will suffer scrutiny and losses because of the breach, but the real victims are the individuals whose data was potentially compromised. And Equifax has a particular responsibility to protect its consumer data, since much of it doesn’t even come from customers who directly choose to do business with the firm, but surfaces instead from credit check requests for anyone living and working in the US.