New Revelations and Website Weirdness Push Equifax from Bad to Worse
Driver’s license data on millions may have been stolen, while many more Brits were affected.
The Equifax breach went from bad to worse to terrible this week, as information surfaced suggesting that hackers obtained data from millions of US driver’s licenses and that millions more UK residents were affected than initially estimated.
The Wall Street Journal reported this week that the same hackers who stole Social Security Numbers and other personal information on 145 million people also made off with driver’s license data for around 10.9 million Americans in the breach.
In addition, a file containing information on 15 million UK consumers was also stolen. A report by the BBC earlier this week had expanded the number of affected UK residents from around 400,000 to 694,000.
Just when it couldn’t get worse, part of Equifax’s web site may have been compromised by hackers and used to redirect visitors to download malicious software on their computer, Ars Technica has reported.
As bad as the news has been for the credit rating firm, it is unclear what the consequences will be or whether the latest revelations will fundamentally change the rules of the game for data brokers, credit agencies and the many, many other firms that trade in user information.
Revelations of large leaks of data are a daily occurrence, whether from vulnerable web applications, network compromises or unprotected cloud-based assets.
Equifax was almost certainly not the only company vulnerable to the Apache Struts vulnerability that ultimately felled the firm. The Open Web Application Security Project (OWASP) said this week that it would postpone publication of its Top 10 list of web application vulnerabilities in light of the “unprecedented amounts of data it’s received.”
“We have data on 114,000 apps at the moment, but we got a lot of late submissions,” lead author Andrew van der Stock told the website CyberScoop. “We needed more time to analyze all this new data.”
Among the likely additions to the oft-cited list, based on feedback from the community, will be failures to protect personally identifiable information and so-called deserialization flaws like the Apache Struts vulnerability exploited in the Equifax attack.
That may do more to force the lessons of Equifax down to the broader community, although experts note that even the top ranked flaws on the OWASP Top 10, like SQL injections, continue to bedevil firms with large deployments of web-based applications and scarce security talent.
Still, there’s reason for some optimism. In a conversation with Josh Corman of the firm PTC last week, he told me the Equifax incident weighs heavily on the minds of lawmakers who are trying to craft new legislation to help set security standards for the Internet of Things. Corman said that Equifax came up three or four times “with some venom” during a hearing on the security of IoT.
“Right now politically, I pity the company that gets hit hard by an unmitigated and known vulnerability in Struts right now,” he said.
The result may be rules from Capitol Hill that tighten disclosure guidelines and close the loop between discovery, disclosure and remediation of known software security holes, he said.
Such a move won’t end big breaches like Equifax, but it may make them a lot less common. Cross your fingers!
Photo Copyright: dennizn / 123RF Stock Photo