September 14, 2017

Visa and MasterCard are sending confidential alerts to financial institutions across the United States this week, warning them about more than 200,000 credit cards that were stolen in the epic data breach announced last week at big-three credit bureau Equifax. At first glance, the private notices obtained by KrebsOnSecurity appear to suggest that hackers initially breached Equifax starting in November 2016. But Equifax says the accounts were all stolen at the same time — when hackers accessed the company’s systems in mid-May 2017.


Both Visa and MasterCard frequently send alerts to card-issuing financial institutions with information about specific credit and debit cards that may have been compromised in a recent breach. But it is unusual for these alerts to state from which company the accounts were thought to have been pilfered.

In this case, however, Visa and MasterCard were unambiguous, referring to Equifax specifically as the source of an e-commerce card breach.

In a non-public alert sent this week to sources at multiple banks, Visa said the “window of exposure” for the cards stolen in the Equifax breach was between Nov. 10, 2016 and July 6, 2017. A similar alert from MasterCard included the same date range.

“The investigation is ongoing and this information may be amended as new details arise,” Visa said in its confidential alert, linking to the press release Equifax initially posted about the breach on Sept. 7, 2017.

The card giant said the data elements stolen included the card account number, expiration date, and the cardholder’s name. That is enough for fraudsters to make card-not-present purchases at online merchants, which is why the alerts describe it as an e-commerce breach.

It would be tempting to conclude from these alerts that the card breach at Equifax dates back to November 2016, and that perhaps the intruders then managed to install software capable of capturing customer credit card data in real-time as it was entered on one of Equifax’s Web sites.

Indeed, that was my initial hunch in deciding to report out this story. But according to a statement from Equifax, the hacker(s) downloaded the data in one fell swoop in mid-May 2017.

“The attacker accessed a storage table that contained historical credit card transaction related information,” the company said. “The dates that you provided in your e-mail appear to be the transaction dates. We have found no evidence during our investigation to indicate the presence of card harvesting malware, or access to the table before mid-May 2017.”

Equifax did not respond to questions about how it was storing credit card data, or why only card data collected from customers after November 2016 was stolen.

In its initial breach disclosure on Sept. 7, Equifax said it discovered the intrusion on July 29, 2017. The company said the hackers broke in through a vulnerability in the software that powers some of its Web-facing applications.

In an update to its breach disclosure published Wednesday evening, Equifax confirmed reports that the application flaw in question was a weakness disclosed in March 2017 in a popular open-source software package called Apache Struts (CVE-2017-5638).

“Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted,” the company wrote. “We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

The Apache flaw was first spotted around March 7, 2017, when security firms began warning that attackers were actively exploiting a “zero-day” vulnerability in Apache Struts. Zero-days refer to software or hardware flaws that attackers find and learn to exploit before the vendor has a fix available (or, in many cases, before the vendor even knows about the bug).

By March 8, Apache had released new versions of the software to mitigate the vulnerability. But by that time exploit code that would allow anyone to take advantage of the flaw was already published online — making it a race between companies needing to patch their Web servers and hackers trying to exploit the hole before it was closed.
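The public exploit for CVE-2017-5638 delivered its payload in an HTTP header rather than in the body, which makes attempts visible to anyone inspecting request headers at a proxy, WAF or in full-request logs. The following is an added example, not code from this article or from the Apache project: a small Python checker that flags the OGNL expression markers the public exploits used in the Content-Type header (advisory S2-045) and in a multipart part’s Content-Disposition header (S2-046). The sample requests are constructed, the host name is hypothetical, and the OGNL fragments are deliberately truncated so they do not form a working exploit.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Strings characteristic of OGNL expression injection against the Struts
# Jakarta Multipart parser (CVE-2017-5638). A legitimate Content-Type or
# Content-Disposition value never contains "%{" or "#".
OGNL_MARKERS = (
    r"%\{",                 # opens an OGNL expression
    r"#_memberAccess",      # sandbox-bypass idiom used by the public exploits
    r"@ognl\.OgnlContext",
    r"#context\[",
    r"@java\.lang\.Runtime",
    r"getRuntime\(\)",
)
MARKER_RE = re.compile("|".join(OGNL_MARKERS), re.IGNORECASE)
HEADERS_TO_CHECK = ("content-type", "content-disposition")


def parse_headers(header_block: str) -> Dict[str, str]:
    """Parse 'Name: value' lines from a request head or a multipart part head.

    Returns a dict keyed by lowercase header name. Lines without a colon
    (the request line, blanks) and lines whose 'name' contains a space
    (a request line with a colon in the URL) are skipped.
    """
    head = header_block.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n"):
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        if " " in name.strip():
            continue
        headers[name.strip().lower()] = value.strip()
    return headers


def find_struts_injection(header_block: str) -> List[str]:
    """Return one 'header: marker' finding per suspicious header; empty if clean."""
    findings: List[str] = []
    headers = parse_headers(header_block)
    for name in HEADERS_TO_CHECK:
        value = headers.get(name)
        if value is None:
            continue
        # Percent-decode once so "%25%7B"-style evasions of "%{" are still caught.
        match = MARKER_RE.search(unquote(value))
        if match:
            findings.append(f"{name}: {match.group(0)}")
    return findings


def scan_requests(blocks: List[str]) -> List[List[str]]:
    """Run the check over a batch of header blocks, preserving input order."""
    return [find_struts_injection(b) for b in blocks]


# Constructed samples (not captured from any real system). The OGNL text is
# truncated with "..." on purpose and is not a functioning exploit.
BENIGN_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.com\r\n"
    "Content-Type: multipart/form-data; boundary=----FormBoundary7MA4YWxk\r\n"
    "Content-Length: 0\r\n\r\n"
)
SUSPICIOUS_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.com\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#_memberAccess=...).(#cmd='id')}\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Head of one multipart body part, as S2-046 targeted, with the marker percent-encoded.
ENCODED_PART = (
    "Content-Disposition: form-data; name=\"file\"; filename=\"%25%7B(%23_memberAccess=...)%7D\"\r\n"
    "Content-Type: text/plain\r\n\r\n"
)

if __name__ == "__main__":
    labels = ("benign", "suspicious", "encoded-part")
    for label, result in zip(labels, scan_requests([BENIGN_UPLOAD, SUSPICIOUS_UPLOAD, ENCODED_PART])):
        print(f"{label:13s} -> {result or 'clean'}")
```

Because the checker works on any header block, the same function serves for top-level request headers and for the per-part headers inside a multipart body; feed it each part’s head when hunting for the S2-046 variant.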

Screen shots apparently taken on March 10, 2017 and later posted to the vulnerability tracking site xss[dot]cx indicate that the Apache Struts vulnerability was present at the time on annualcreditreport.com — the only web site mandated by Congress where all Americans can go to obtain a free copy of their credit reports from each of the three major bureaus annually.

In another screen shot apparently made that same day and uploaded to xss[dot]cx, we can see evidence that the Apache Struts flaw also was present in Experian’s Web properties.

Equifax has said the unauthorized access occurred from mid-May through July 2017, suggesting either that the company’s Web applications were still unpatched in mid-May or that the attackers broke in earlier but did not immediately abuse their access.

It remains unclear when exactly Equifax managed to fully eliminate the Apache Struts flaw from its various Web server applications. But one thing we do know for sure: The hacker(s) got in before Equifax closed the hole, and their presence wasn’t discovered until July 29, 2017.

Update, Sept. 15, 12:31 p.m. ET: Visa has updated its advisory about these 200,000+ credit cards stolen in the Equifax breach. Visa now says it believes the records also included the cardholder’s Social Security number and address, suggesting that (ironically enough) the accounts were stolen from people who were signing up for credit monitoring services through Equifax.

Equifax also clarified the breach timeline to note that it patched the Apache Struts flaw in its Web applications only after taking the hacked system(s) offline on July 30, 2017. Which means Equifax left its systems unpatched for more than four months after a patch (and exploit code to attack the flaw) was publicly available.
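Whether a given deployment was still exposed in mid-May comes down to which struts2-core jar it was running. As an added example, not code from this article or from the Apache project, the Python below checks a jar version against the affected ranges the Apache S2-045 advisory lists for CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1) and computes the exposure window from the dates the article gives. The WEB-INF/lib listing is constructed.

```python
import re
from datetime import date
from typing import List, Tuple

# Affected ranges per the Apache Struts S2-045 advisory for CVE-2017-5638.
# Versions are compared as integer tuples, so 2.5.10.1 sorts above 2.5.10.
AFFECTED_RANGES = (
    ((2, 3, 5), (2, 3, 31)),   # fixed in 2.3.32
    ((2, 5), (2, 5, 10)),      # fixed in 2.5.10.1
)
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1)."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version: str) -> bool:
    """True if the struts2-core version falls inside an affected range."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def scan_lib_listing(listing: List[str]) -> List[Tuple[str, str, bool]]:
    """Pick struts2-core jars out of a WEB-INF/lib listing and flag affected ones.

    Returns (jar name, version string, vulnerable) for each match.
    """
    results = []
    for entry in listing:
        name = entry.strip()
        m = JAR_RE.search(name)
        if m:
            results.append((name, m.group(1), is_vulnerable(m.group(1))))
    return results


def days_unpatched(fix_available: date, remediated: date) -> int:
    """Length of the exposure window in days."""
    return (remediated - fix_available).days


# Constructed WEB-INF/lib listing; not taken from any real deployment.
SAMPLE_LISTING = [
    "commons-fileupload-1.3.2.jar",
    "ognl-3.0.19.jar",
    "struts2-core-2.3.31.jar",
    "struts2-core-2.5.10.1.jar",
]

if __name__ == "__main__":
    for jar, version, vuln in scan_lib_listing(SAMPLE_LISTING):
        print(f"{jar}: {'VULNERABLE' if vuln else 'fixed'} ({version})")
    # Dates as the article gives them: fixed releases available by March 8, 2017,
    # hacked systems taken offline July 30, 2017.
    print("exposure window:", days_unpatched(date(2017, 3, 8), date(2017, 7, 30)), "days")
```

Running it on the sample listing reports the 2.3.31 jar as vulnerable, the 2.5.10.1 jar as fixed, and an exposure window of 144 days between the patch release and the systems being taken offline.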

196 thoughts on “Equifax Hackers Stole 200k Credit Card Accounts in One Fell Swoop”

  1. Gloria

    I would love to know why after I froze all 4 of my credit reports online, the very next day I started getting phishing emails. All very legit looking. If I didn’t know better I’d be screwed (again!). So how does that happen???

  2. Bob

    Gloria … it happens because these reporting agencies have few controls/laws to hamper their egregious sales use of your and my personal data. It’s the data wild west, sanctioned by the free enterprise system.

    The VERY OVERDUE solution lies in MUCH STRONGER REGULATIONS, and making them pay dearly for this negligent 3rd data breach.

    This current goofy setup where private for profit companies with little oversight, can become the sole warehouses for such a lethal amount of personal data, clearly spells out the much overdue need for FAR STRONGER LAWS and MUCH TOUGHER PENALTIES! In short, this is a prime argument for a BIG GOVERNMENT HAMMER, by the people and for the people!

    Also, for those uninformed and still supplicating on bended knee to Equifax, taking the paltry 1 year of monitoring and begging for a lifelock, the cynical 1 year free monitoring offer reportedly may leave you in the difficult position of not being able to sue Equifax if/when you wish to, or if you become the target of identity theft.

    As others have mentioned, this is the time to let your elected representative know just how pi$$ed you really are! (or should be).

    http://tinyurl.com/y8em7q9p

  3. tj webguru

    immediately offer 2 factor id verification for all credit card companies and credit reporting agencies

  4. Bob

    “A $500,000 lesson in how to fight identity theft:

    Even after her experience several years back, Ms. Fiddian-Green (a forensic accountant at Grant Thornton LLP) says she wouldn’t take Equifax up on its credit-monitoring service. “I refuse to pay to have them tell me they’re taking care of my data.”

    http://tinyurl.com/y7mwc4w2

  5. Gloria

    Now that the horses are out of the barn and there’s no going back, wouldn’t it at least make sense for there to be some kind of mandate issued by the government to force potential creditors to somehow verify ‘in person’ that a request for credit is legitimate? I’ve never applied for credit online so I’m not really sure how it works but the creditor should at least have to follow up with a phone call to an appropriate number to verify the identity of the person applying? There should be some other measures that could be put in place. Maybe I’m just not understanding the process but it seems to me security could be tightened up on the part of the creditors.

  6. Bob

    “Massachusetts First to Sue Equifax Over Massive Hack”
    http://tinyurl.com/y8g3ch3k

    Gloria – yes absolutely, credit reporting agencies MUST be FORCED to implement a verification procedure AT NO CHARGE and BY DEFAULT!

    They MUST be FORCED to do this! Contact your elected representative.

  7. JCitizen

    Let’s put them in a stockade! That hasn’t been done in probably 100 years, but I’d bet it was proven more effective than longer jail time! Plus the public used to get to spit on them and throw rotten tomatoes – HA!

  8. John Givens

    Brian, thanks for your in-depth here. Gloria- I like your idea of forcing lenders to contact the “real” identity. I want to go even further. The expanded idea is that everyone gets notice about any financial transaction done in their name. Proposal in brief: 1) Bank email alerts are great but many have limitations–require universal alerts. 2) Credit Providers must notify a possible victim at an (email) address displayed in their credit report. 3) Credit Bureaus must provide the means for consumers to designate this address. Must also alert consumers whenever credit is pulled and whenever anyone submits favorable or derogatory evaluations.
    Document: https://cabujones.files.wordpress.com/2017/10/universal-alerts2.pdf

  9. Kay

    Thanks to Equifax one of my credit cards (so far just one) has been used to make purchases online. A couple of the stores wouldn’t ship – Home Depot and Lowe’s, but others did. I’m keeping tabs on all the other cards and my bank account!
