Equifax facing lawsuits, govt scrutiny over breach


By Dylan Bushell-Embling
Thursday, 14 September, 2017


The massive Equifax data breach affecting around half the population of the US has triggered a flurry of lawsuits from citizens and one US state.

Since the credit reporting company disclosed the breach last week, more than 30 lawsuits seeking class-action status have been filed, according to reports. One such lawsuit is seeking up to US$70 billion ($87.5 billion) in damages.

Equifax announced on Thursday that the personal records — including social security numbers and dates of birth — of 143 million US citizens may have been exposed to hackers. Trend Micro has estimated that the stolen data could be worth US$27 million or more on digital underground markets.

As well as the multiple lawsuits, attorneys general in at least five US states have announced they are investigating the breach, and the state of Massachusetts has already signalled plans to take the company to court.

US senators have also already called attention to the fact that three Equifax executives had sold stock in the company after the breach had been discovered but before it was disclosed to the public.

Multiple US congressional committees also plan to hold hearings into the breach, with Equifax and other credit reporting agencies likely to face tough questions about how such a major breach could have occurred and what they are doing to prevent a repeat performance.

While Equifax has not yet disclosed the cause of the breach, financial services company Baird has released a report indicating that attackers may have exploited a flaw in Apache Struts 2, a widely used web application framework that has repeatedly had to be patched to fix newly discovered vulnerabilities.

Unpatched systems running the platform could potentially be vulnerable to similar attacks.

While the US was the hardest hit by the breach, there are also potential victims in the UK and Canada, according to the Equifax disclosure. Now Argentina could be added to that list, with cybersecurity expert Brian Krebs reporting that the company's Argentinian subsidiary was engaging in shockingly lax security practices.

An online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers was protected with one of the easiest-to-guess username and password combinations possible — admin/admin. This portal has now been taken down.

Once inside, attackers were potentially able to access the records of all active and inactive Equifax employees in Argentina, access passwords stored in plain text in the site's raw HTML code and even create, modify or remove existing user accounts.

The site also exposed 715 pages' worth of complaints and disputes filed by Argentinians, including their names and national identity numbers.


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd