Executive Briefings

A Brief History of Equifax Security Fails

The leak of data on as many as 143 million Americans announced by Equifax this month was not the first rodeo for the credit monitoring and (irony alert) breach recovery firm. It's had problems protecting its customers' information dating back years.

In one case, it had to change its ways following a class action lawsuit over an alleged lapse in security. That suit related to a May 2016 incident in which Equifax's W-2 Express website had suffered an attack that resulted in the leak of names, addresses, social security numbers and other personal information of some 430,000 employees of retail firm Kroger. Lawyers for the class action plaintiffs argued Equifax had "wilfully ignored known weaknesses in its data security, including prior hacks into its information systems."

Equifax sought to have the case thrown out with prejudice (i.e. the matter would be closed permanently), arguing the plaintiffs were basing their demand for compensation, as much as $5m, on "speculative and hypothetical injuries." In the end, the case was dropped without prejudice (i.e. the claims could be brought again), with the stipulation that Equifax fix a glaring security issue. The flaw was the result of an Equifax decision to have client employees access their data using default PINs. The PINs, according to the plaintiff complaint, consisted of the last four digits of an individual's social security number followed by their four-digit year of birth. Neither value is secret: a determined attacker could gather both by scouring the web, pulling them from earlier breaches, or duping a target into coughing up the information, and could then walk straight into the account without any brute force at all. In closing the case, Equifax agreed to stop using those default PINs.
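To make the weakness concrete, the block below is an added example written for this briefing; it is not Equifax code and does not describe the actual W-2 Express implementation. It models the default-PIN scheme as the complaint describes it (last four SSN digits plus birth year), shows how few guesses an attacker needs once one of those values is known, and sets a hypothetical hardened alternative beside it: a random one-time enrollment code delivered out of band, stored only as a salted PBKDF2 hash, single-use, with a small attempt limit. All names, the SSN and the birth year are made up for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional, Tuple


def weak_default_pin(ssn: str, birth_year: int) -> str:
    """The scheme described in the complaint: last four SSN digits + four-digit birth year.

    Both inputs are widely available PII, so the 'PIN' is a credential the attacker
    can often derive outright, and at worst must guess from a tiny space.
    """
    digits = ssn.replace("-", "")
    return f"{digits[-4:]}{birth_year:04d}"


def brute_force_weak_pin(
    check: Callable[[str], bool],
    ssn_last4: Optional[str] = None,
    years: Iterable[int] = range(1930, 2006),
) -> Tuple[Optional[str], int]:
    """Simulate an attacker guessing a weak default PIN against an oracle `check`.

    If the last four SSN digits are already known (e.g. from a prior breach), the
    search space is just the plausible birth years. Otherwise it is 10,000 x years,
    still trivial to enumerate. Returns (recovered_pin, attempts_made).
    """
    years = list(years)
    last4_space = [ssn_last4] if ssn_last4 else [f"{i:04d}" for i in range(10_000)]
    attempts = 0
    for last4 in last4_space:
        for year in years:
            attempts += 1
            candidate = f"{last4}{year:04d}"
            if check(candidate):
                return candidate, attempts
    return None, attempts


@dataclass
class EnrollmentStore:
    """Hypothetical hardened replacement: random, hashed, single-use, rate-limited codes."""

    records: Dict[str, dict] = field(default_factory=dict)
    max_attempts: int = 5
    pbkdf2_rounds: int = 50_000

    def _digest(self, code: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, self.pbkdf2_rounds)

    def issue_code(self, user_id: str) -> str:
        """Generate an 8-digit code from a CSPRNG; only its salted hash is stored.

        The plaintext is returned once so it can be sent to the user out of band
        (e.g. by mail to a verified address); it is never derivable from PII.
        """
        code = f"{secrets.randbelow(10**8):08d}"
        salt = os.urandom(16)
        self.records[user_id] = {
            "salt": salt,
            "digest": self._digest(code, salt),
            "attempts": 0,
            "used": False,
        }
        return code

    def redeem(self, user_id: str, candidate: str) -> bool:
        """Accept the code at most once, and stop checking after max_attempts failures."""
        rec = self.records.get(user_id)
        if rec is None or rec["used"] or rec["attempts"] >= self.max_attempts:
            return False
        rec["attempts"] += 1
        if hmac.compare_digest(self._digest(candidate, rec["salt"]), rec["digest"]):
            rec["used"] = True
            return True
        return False


if __name__ == "__main__":
    # Constructed sample data, not a real person.
    target = weak_default_pin("123-45-6789", 1975)
    pin, tries = brute_force_weak_pin(lambda p: p == target, ssn_last4="6789")
    print(f"weak PIN {pin} recovered in {tries} guesses with SSN last four known")

    store = EnrollmentStore()
    code = store.issue_code("jdoe")
    print("hardened code redeemed:", store.redeem("jdoe", code))
    print("replay rejected:", store.redeem("jdoe", code))
```

The contrast worth noticing is not the hashing but the derivation: a credential computed from attributes the attacker can look up offers no protection however it is stored, whereas a random code that only the enrollment channel ever sees gives the attacker nothing to look up and only a handful of online guesses before lockout.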

But problems with PINs appear to have continued after that settlement in September 2016. In May 2017, independent cybersecurity reporter Brian Krebs reported on an Equifax notice to customers stating that attackers had used personal information to answer employees' security questions, reset their four-digit PINs, and steal tax data. In its disclosure, Equifax said the unauthorized access occurred between April 17, 2016 and March 29, 2017. The lesson is the same one the lawsuit raised: a reset path gated on knowledge-based questions is only as strong as the secrecy of the answers, and those answers are frequently available to the same attackers who hold the victim's other PII.

In January 2017, Equifax had to disclose a data leak in which credit information of a "small number" of customers of partner LifeLock had been exposed to another user of the latter's online portal.
