14 Sep 17

Equifax Hackers Stole 200k Credit Card Accounts in One Fell Swoop

Visa and MasterCard are sending confidential alerts to financial institutions across the United States this week, warning them about more than 200,000 credit cards that were stolen in the epic data breach announced last week at big-three credit bureau Equifax. At first glance, the private notices obtained by KrebsOnSecurity appear to suggest that hackers initially breached Equifax starting in November 2016. But Equifax says the accounts were all stolen at the same time — when hackers accessed the company’s systems in mid-May 2017.


Both Visa and MasterCard frequently send alerts to card-issuing financial institutions with information about specific credit and debit cards that may have been compromised in a recent breach. But it is unusual for these alerts to state from which company the accounts were thought to have been pilfered.

In this case, however, Visa and MasterCard were unambiguous, referring to Equifax specifically as the source of an e-commerce card breach.

In a non-public alert sent this week to sources at multiple banks, Visa said the “window of exposure” for the cards stolen in the Equifax breach was between Nov. 10, 2016 and July 6, 2017. A similar alert from MasterCard included the same date range.

“The investigation is ongoing and this information may be amended as new details arise,” Visa said in its confidential alert, linking to the press release Equifax initially posted about the breach on Sept. 7, 2017.

The card giant said the data elements stolen included card account number, expiration date, and the cardholder’s name. Fraudsters can use this information to conduct e-commerce fraud at online merchants.

It would be tempting to conclude from these alerts that the card breach at Equifax dates back to November 2016, and that perhaps the intruders then managed to install software capable of capturing customer credit card data in real-time as it was entered on one of Equifax’s Web sites.

Indeed, that was my initial hunch in deciding to report out this story. But according to a statement from Equifax, the hacker(s) downloaded the data in one fell swoop in mid-May 2017.

“The attacker accessed a storage table that contained historical credit card transaction related information,” the company said. “The dates that you provided in your e-mail appear to be the transaction dates. We have found no evidence during our investigation to indicate the presence of card harvesting malware, or access to the table before mid-May 2017.”

Equifax did not respond to questions about how it was storing credit card data, or why only card data collected from customers after November 2016 was stolen.

In its initial breach disclosure on Sept. 7, Equifax said it discovered the intrusion on July 29, 2017. The company said the hackers broke in through a vulnerability in the software that powers some of its Web-facing applications.

In an update to its breach disclosure published Wednesday evening, Equifax confirmed reports that the application flaw in question was a weakness disclosed in March 2017 in a popular open-source software package called Apache Struts (CVE-2017-5638).

“Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted,” the company wrote. “We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

The Apache flaw was first spotted around March 7, 2017, when security firms began warning that attackers were actively exploiting a “zero-day” vulnerability in Apache Struts. Zero-days refer to software or hardware flaws that hackers find and figure out how to use for commercial or personal gain before the vendor even knows about the bugs.

By March 8, Apache had released new versions of the software to mitigate the vulnerability. But by that time exploit code that would allow anyone to take advantage of the flaw was already published online — making it a race between companies needing to patch their Web servers and hackers trying to exploit the hole before it was closed.
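The exploitation attempts that this race to patch was about are visible in HTTP request logs, because CVE-2017-5638 is triggered by a Content-Type header that carries an OGNL expression instead of a media type. The log sweep below is an added example, not code from this article, from Equifax or from the Apache project; it assumes a combined-format access log extended with the request's Content-Type header as a final quoted field, and the log lines it scans are constructed placeholders, not real traffic.

```python
"""Sweep web-server access logs for CVE-2017-5638 exploitation attempts.

The Struts flaw was abused by sending an OGNL expression in the Content-Type
header of a request. A legitimate Content-Type is a media type such as
"multipart/form-data; boundary=..."; OGNL expressions are wrapped in %{...}
or ${...}, which never appear in a well-formed media type token.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumption: combined log format plus one extra quoted field at the end that
# holds the request's Content-Type header (the server must be set to log it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<ctype>[^"]*)"$'
)

# OGNL expression delimiters.
OGNL_MARKER_RE = re.compile(r"[%$]\{")

# A syntactically valid media type: token "/" token, optional ";" parameters
# (token characters per RFC 7230, minus a few rarely used ones).
MEDIA_TYPE_RE = re.compile(
    r"^[A-Za-z0-9!#$%&'*+.^_~-]+/[A-Za-z0-9!#$%&'*+.^_~-]+\s*(;.*)?$"
)

# Constructed sample log. The suspicious Content-Type values are placeholders
# that only reproduce the OGNL delimiters, not a working payload.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2017:04:12:01 +0000] "POST /struts2-showcase/upload.action HTTP/1.1" 200 512 "-" "Mozilla/5.0" "%{(#placeholder='constructed-sample')}"
198.51.100.7 - - [10/Mar/2017:04:12:05 +0000] "POST /upload.action HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "multipart/form-data; boundary=----abc123"
203.0.113.5 - - [10/Mar/2017:04:13:40 +0000] "GET /index.action HTTP/1.1" 200 1024 "-" "curl/7.52" "${#placeholder='constructed-sample'}"
192.0.2.9 - - [10/Mar/2017:04:15:00 +0000] "GET /home HTTP/1.1" 200 3000 "-" "Mozilla/5.0" "-"
"""


@dataclass
class Finding:
    ip: str
    timestamp: str
    method: str
    path: str
    content_type: str


def is_suspicious_content_type(ctype: str) -> bool:
    """True when the header carries OGNL delimiters or is not a media type at all."""
    if ctype in ("", "-"):          # header absent: nothing to judge
        return False
    if OGNL_MARKER_RE.search(ctype):
        return True
    # Anything that is not even shaped like a media type deserves a look too;
    # this catches variants that hide the delimiters in other ways.
    return MEDIA_TYPE_RE.match(ctype) is None


def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per request whose Content-Type looks like an attempt."""
    findings: List[Finding] = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        m = LOG_RE.match(line)
        if m is None:
            continue                # unparseable line: skip, do not abort the sweep
        if is_suspicious_content_type(m.group("ctype")):
            findings.append(Finding(m.group("ip"), m.group("ts"), m.group("method"),
                                    m.group("path"), m.group("ctype")))
    return findings


def attempts_by_source(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count flagged requests per source address to prioritise follow-up."""
    return dict(Counter(f.ip for f in findings))


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.timestamp} {h.ip} {h.method} {h.path} Content-Type={h.content_type!r}")
    print("attempts by source:", attempts_by_source(hits))
```

A hit only shows that an attempt reached the server, not whether it succeeded; an unpatched Struts instance between the March 8 patch release and your own patch date should be treated as compromised until the host itself has been examined.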

Screen shots apparently taken on March 10, 2017 and later posted to the vulnerability tracking site xss[dot]cx indicate that the Apache Struts vulnerability was present at the time on annualcreditreport.com — the only web site mandated by Congress where all Americans can go to obtain a free copy of their credit reports from each of the three major bureaus annually.

In another screen shot apparently made that same day and uploaded to xss[dot]cx, we can see evidence that the Apache Struts flaw also was present in Experian’s Web properties.

Equifax has said the unauthorized access occurred from mid-May through July 2017, suggesting either that the company’s Web applications were still unpatched in mid-May or that the attackers broke in earlier but did not immediately abuse their access.

It remains unclear when exactly Equifax managed to fully eliminate the Apache Struts flaw from their various Web server applications. But one thing we do know for sure: The hacker(s) got in before Equifax closed the hole, and their presence wasn’t discovered until July 29, 2017.

Update, Sept. 15, 12:31 p.m. ET: Visa has updated their advisory about these 200,000+ credit cards stolen in the Equifax breach. Visa now says it believes the records also included the cardholder’s Social Security number and address, suggesting that (ironically enough) the accounts were stolen from people who were signing up for credit monitoring services through Equifax.

Equifax also clarified the breach timeline to note that it patched the Apache Struts flaw in its Web applications only after taking the hacked system(s) offline on July 30, 2017. Which means Equifax left its systems unpatched for more than four months after a patch (and exploit code to attack the flaw) was publicly available.


196 comments

  1. Predictably, what Congress is coming up with is not a system overhaul that will prevent such things from occurring and protect consumers when they do, but rather to force free credit freezing.

    https://www.reuters.com/article/us-equifax-cyber-warren/senator-warren-introduces-equifax-bill-launches-industry-probe-idUSKCN1BQ16B

    Big deal.

    There will be NO solution within the current system without massive public revolt and I have no reason to expect that.

    • A free credit freeze is a great start.

      Then we can focus on how we can securely identify people when they apply for credit. Until you have a solution for that what else can Congress do to solve this problem?

      • The freeze should be the default setting and only unfrozen when someone needs a loan. Poor design from the very beginning. Companies with this much consumer info that ignore security should be out of business.

      • Oh, it’s simple what else should be done. Convict the Equifax executives of criminal negligence for their business practices with respect to software and give them prison terms of at least 10 years apiece in a normal prison (not a ‘white collar crime’ country club prison). The situation would fix itself if there were ANY indication that the legal system is at ALL willing to charge companies with criminal negligence. Thus far, we’ve seen Toyota get away with killing people despite extremely egregious negligence, so that has set their expectations. In Toyota’s case, their developers didn’t even have access to a bug tracker. The auto industry has a standard for firmware development coding practices. There are 94 ‘required’ practices and 30 ‘recommended’ practices. Toyota’s code in question followed 4. (Probably by accident.)

        Equifax should be found guilty of criminal negligence for not seeking experienced software developers with knowledge of security, failing to give their software developers and system administrators the power to make necessary system modifications even when it interferes with business goals, not providing adequate regularly-updated training and access to adequate tools (I’m making an educated guess here that they weren’t just ignoring critical alerts from their security monitoring tools but didn’t have the tools to begin with. That’s an expense and IT is a cost center which should be reduced, not a critical component of the business… despite the fact it enables literally every single action every single employee takes.), etc.

        Would you drive across a bridge built by a company who hires and uses and ignores structural engineers the way modern companies do anyone who uses a computer?

      • IF YOU FROZE YOUR CREDIT VIA EXPERIAN IT’S NOT SAFE! You and/or any hacker can unfreeze it using their “online I forgot my freeze pin” tool https://www.experian.com/ncaconline/freezepin. All one needs is your personal info to get your freeze pin.

        OMG we are screwed by these laggards!!!!

        • This is an interesting (and disturbing) side effect. You can recover your Experian PIN by providing the same data that Equifax just lost.

    • I would love to see a free credit freeze. I mean, why does it cost to “opt out”? It’s no real work for the bureaus, right? It’s just changing a flag in my credit report from N to Y.

  2. my tweet of the day: I #phoned #Equifax. Their system #hungup after 3 menus. Went 2 their #website. They couldn’t #processMYcreditCard. WTF, Equifax, WTF?

    So, what’s a boy to do?

  3. Looks like Equifax will be mightily challenged to avoid becoming complete toast and remain a viable firm.

    • Maybe. But remember that WE are not their customers, we’re the product.

      Their biggest threat is legislative action, at either the Federal or State level. Or both.

      • Peter, I agree legislative solution is needed. I think there is little chance of that, given credit industry lobby and congressional purchase by finance companies. One glimmer of hope: congress persons victimized by the hack.

    • Not at all. They’ll weather the storm, and in about a year they’ll have millions of new paying customers for their worthless credit monitoring “protection racket” service.

    • I’m not so worried about them. They should be closed down and their CEO fired and possibly put on trial.

  4. A modest proposal…
    EQUIFAX chose to hold data on all of those stolen cards.
    VISA, MC, others should consider demanding an accounting of the stolen Card Numbers. In Court, if necessary.

    Next? All those cards should be proactively replaced with new numbers – and EQUIFAX billed for the total cost (materials, labor, etc).

    Not perfect, but the economic hit to EQUIFAX could be the needed Stake in the Heart :).

  5. Senator Elizabeth Warren has introduced a bill in the US Senate to require all credit bureaus to provide free credit report freezing and unfreezing.

  6. #EquifaxIsRunByUnqualifiedIdiots

    CIO and CSO quit (fired): https://www.thestreet.com/story/14308112/1/equifax-execs-reportedly-resign-as-data-breach-criticism-intensifies.html

    “Equifax chief security officer Susan Mauldin was criticized for her lack of security experience. She listed a master’s degree in music composition on her LinkedIn page, since made private.”

  7. Equifax clearly needs the services of this fine company – http://www.equifax.com/help/data-breach-solutions/

    • LOL! The part that really gets me is this..

      “Here’s how our Response Team provides peace of mind.”

      We consult with you to create a customized Data Breach Response Plan that will enable you to:

      Quickly inform consumers, employees, and shareholders with pre-defined communications regarding the event and the steps you are taking on their behalf;
      Offer the appropriate level of identity theft protection products based on the risk profile of the data breach (ask about our Data Breach Risk Assessment Matrix);
      Provide a dedicated Call Center to assist breached victims with product related questions after enrollment.
      Place Fraud Alerts on consumers’ credit files at all three credit reporting agencies as requested.

      • to be fair this service was probably through their fraud team and separate from Equifax’s corporate info sec team

  8. When will companies realize that cyber security is first and foremost a security function? Having to bargain and beg for a business unit to please patch a system instead of just being allowed to make it happen is stupid. Until we change this mindset breaches like this will continue. And btw – being an experienced IT person doesn’t make you qualified to be a CISO – it needs to be a security function run by a security professional.

    • I dealt with lots of “CISO”s that lacked any practical knowledge of IT – they were useless. However, all the CISOs with real IT backgrounds were great. So, in my humble opinion – being experienced in IT might not make you qualified to be a CISO, but not having real IT experience makes the CISO a joke….

    • There’s got to be better ways than “bargain and beg.”

      I know a group of people trying to change that by bringing transparency. So Equifax’s security rating will show a downgrade if they fail to patch a critical vulnerability timely.

      It’s time we have a voice about our own data before it’s too late.

    • It goes beyond that. The dev / QA process for an upgrade like that can be time-consuming (no excuse for this much time, especially with their PCI compliance requirements), but there were other ways to mitigate this situation. A properly-configured application-level proxy between the web server and the back-end database, validating the type and rate of queries going through, would have almost certainly helped. A properly-configured reverse proxy / load balancer could have caught and blocked the exploitation attempts at an HTTP level. Timely patching is always critical, but that’s just one defensive layer. Having multiple layers is important because human and organizational error will always be a thing.

  10. The Equifax https://www.equifaxsecurity2017.com has this offer:

    “Equifax has established a dedicated website, http://www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection. The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; …”

    Interestingly enough, the last line seems to be somewhat disingenuous baiting. I did a freeze on all the credit bureaus and Equifax did not charge me for the freeze.

    • You can’t register a non-US address, apparently they’ve never considered the possibility somebody might now live and work outside the US.

  11. I guess what shocks me most is the seeming lack of public outrage over this. I don’t know if it is apathy, a lack of understanding of the scope of this by the general public or “breach fatigue” because large data intrusions have become a weekly occurrence. It should be pitchforks and torches in the streets and it’s not. The mainstream media has not really embraced this story either…if you want any meaningful info on this don’t bother with CNN, FOX, NBC, etc. Krebs, the tech sites and the business sites are the only ones that seem to be concerned at all with reporting this.

    • Just having your card number stolen usually only means that the consumer gets a new card in the mail with no liability.

      I don’t know the stats – I would guess that identity theft is rarer. If that were going on all the time there would be a huge outrage.

    • Should not be surprised, standard news cycle for any breaking news story is long over. This one got legs today because the CEO/CISO retired. Most non-IT people I talk to want to see the company get justice and go out of business, with no clue about their own accounts being slowly drained or new lines of credit being opened because of their own inaction in taking steps to freeze credit and the PITA of getting new cards issued. The public is more interested in the shiny objects of breaking news and trending videos. So don’t be surprised. I’m sure many of us have bought something at TJ MAXX, Target or Home Depot since their breaches (Home Depot actually did a great job, imho, of PR, but I have no idea of what any of these and other companies did to protect their systems from further abuse / misuse, surely they learned their lessons).

  12. I think the Government or whoever is masquerading as the Government and Mass Media Monotony have achieved exactly what they wanted. A predominately dumbed down, hopeless, bankrupt and apathetic middle class and slave population that couldn’t think its way out of a paper bag much less react to this breach.
    And even here on this blog, the obvious answer is to bring intense pressure on Christopher Carr, Attorney General of Georgia, to revoke the Corporate Charter of Equifax and dismantle the company. As much as I like Elizabeth Warren, do we really need another useless investigation that will result in nothing? If there is anything the government is good at, it’s finding itself and those who make their payoffs on time innocent of all charges. How many elected officials do you think sold their Equifax stock based on insider information before September? I can almost guarantee you the number is greater than zero.

  13. Canada, Argentina and UK have been impacted too. We have to wait to receive notification in writing, which I assume will be snail mail. I am Canadian and just found out a few days ago that the Canadian bank I have my mortgage with partners with Equifax. Inexplicably Canadians are prevented from invoking a credit freeze. It is like being placed in a dark room with no door or windows and there is definitely no movement outside.

  14. and not because they didn’t patch a vulnerability, but because they literally had ZERO data policies on their back-end.. Correct me if I’m wrong, but shouldn’t such an entity be at least PCI compliant??

    • Also they must have unencrypted database connection strings in their config files including login and passwords. Otherwise whatever script they created to access and display the data wouldn’t have been able to connect to the database.

      It is amazing that a company storing so much confidential data would operate this way. It makes me think they hired the cheapest IT help they could find.

  15. “the Apache Struts vulnerability was present at the time on annualcreditreport.com”

    I hope that annualcreditreport.com no longer has this vulnerability – does anyone know??

    • This answer isn’t what techie-know-hows want to know; but, most likely if Central Source LLC, which maintains the site, follows the news and it’s patched. Otherwise, it seems that information is non-public knowledge, until a breach.

      annualcreditreport.com/security.action says
      “We know how important it is for your online transactions to be secure”.™ (trademark added by me and the phrase added to my brain until the site is breached; then the trademark and company won’t be as legitimate to me when I remove my personal trademark)

      This past week I’ve quizzed two companies in their use and safeguard of personal information. AnnualCreditReport.com could be contacted; but, I suspect a non-transparent answer would be given.

      And continues on in a non-transparent way:
      We safeguard the privacy of the information you give us when you fill out our forms online. We encrypt the information to protect it while you are filling out the form, and also when we send the information to any of the nationwide consumer credit reporting companies. We use physical, electronic, and procedural safeguards to protect your personal information.

  16. Nothing special!! Hacking is daily life… stolen data, stolen funds, that’s our daily life. Terrorists… and hacking.

    • Hacking may be the new normal but stolen data doesn’t have to be. IPS/IDS are well and good but it really comes down to intelligent system designs and patching routines.

  17. I read this weekend in the Globe and Mail that Equifax has spent the weeks prior to notifying about the breach lobbying Congress for less oversight and lower penalties in the event of a data breach.

    That is quite the coincidence.

    If only it had worked… if only.

  18. Equifax is really beginning to lose control. My info came up as impacted when I used their tool. Since then, trying to sign up for their free year of coverage has been a woefully lacking experience. My enrollment has been pending for a week, their call center has no way of tracking enrollment status, and their call center has no call logging system to track my call history so I have to start over again every time I call in.

  19. British Gentleman

    According to whitepaper by Equifax for UK: (www.equifax.co.uk/data-breach/react.html)
    “Company data breaches
    Almost three quarters (73%) of GB adults think that companies should tell
    them that they have experienced a data breach, and 63% of respondents
    would expect that notification to come within hours. A further 21% would expect
    to hear on the same day. To meet these high expectations, companies must
    ensure they have processes in place to manage such a crisis efficiently
    and effectively”
    Bring to mind the word hypocrisy?

  20. On my last attempt to freeze my Equifax account I was told to mail in the request. Prior attempts had given me the “we cannot process your request at this time” message. I’m picturing an army of minimum-wage temps processing these mail-in requests and having access to the info. Does anyone know what their operation looks like on site? Do they manage paper any better than they do electronic data? I may have nothing to lose at this point but I do wonder.

    • Try doing it during the wee hours of the AM. I managed to get mine to go through after 2 hours of trying between 4 and 6 AM EDT. Good luck!

  21. I’m absolutely amazed to see so many people STILL willing to give money and potentially even more personal info in order to receive some kind of promise of a “credit lock”.

    Equifax has proven themselves COMPLETELY UNTRUSTWORTHY with 3 data breaches now. I am of the mind that the only safe way for anyone to deal with them is to not deal with them at all!

    So what can you do besides getting on bended knee, offering up even more data than they may already have on you, and paying their extortion fees in the hope of keeping your data safer from here on out? All you can really do is be very pro-active and watch your statements and transactions like a hawk.

    Paying these predators in suits for a life lock or ANY further ‘security feature’ smacks of cynical EXTORTION!

    Equifax Data Breach is a 10 out of 10 Scandal

    http://therealnews.com/t2/index.php?option=com_content&task=view&id=767&Itemid=74&jumival=19960

    • Bob, with respect, you and I are not Equifax’s customers. We are their product. Their customers are electric companies, landlords, credit card issuers, and the like.

      We don’t, under current regulations, have the choice of “not dealing with them at all.”

      I suppose if you and I and everyone else boycotted Equifax’s customers then Equifax might be taken down. But can you imagine the conversation?

      Landlord: OK, once I do a credit check the apartment is yours.

      Me: Cool. Which credit bureau do you use?

      Landlord: Huh?

      Me: You have to ask somebody whether my credit is good? Who do you ask?

      Landlord: Expi something?

      Me: Is that Experian or Equifax?

      Landlord: Hang on… click click … it’s Equifax.

      Me: Forget it. I won’t do business with people who do business with Equifax. Thanks anyway. Click.

      Landlord: ???

  22. Untrustworthy would assume that these people are somewhat competent, but understand what they are doing. Nothing could be further from the truth.

    http://www.freeze.equifax.com uses a Symantec SSL certificate issued in 2015, which will be deprecated in later versions of Chrome and Firefox due to security issues.

  23. Note:
    To freeze your credit account at EQUIFAX, the link is:

    https://www.freeze.equifax.com/

  24. [snip] “Equifax also identified unauthorized access to limited personal information for certain U.K. and Canadian residents and is working with regulators in those countries.”[/end snip]

    We’re still waiting for some scrap of cheese/info and have NO method nor page link to put our accounts on “freeze”!!!!

    A Freeze on all accounts MUST BE THE NEW DEFAULT! NO ONE SHOULD HAVE TO HAND OVER ANY MORE INFO TO REQUEST A FREEZE !!!!!!!!!!

  25. When you sign up for Trusted ID, here’s a bit of the fine print from Equifax:

    Their Privacy Policy says that they have the right to do marketing promotions. And even after your account is inactive, your personal info will remain in their database for 2 years… UNLESS you call and ask them to stop.

    Why should we have to take initiative to get them to stop bothering us?

  26. No wonder why, even Google is controlled and owned by the KGB-FSB,
    as are Facebook and all the others. I’m surprised people don’t know this… and the FSB is behind cybercrime 100%.

  28. Brian’s article says, “‘The attacker accessed a storage table that contained historical credit card transaction related information,’ the company said.”

    WTF? WTF?

    Why are they holding this data at all? If they do have a good reason to hold it, it should, especially the card numbers, be encrypted at rest in database tables.

    When a company goes through PCI (payment card industry) audit, the auditor always asks “why do you hold on to this data?”

    Brian, that might be a good followup question for interviews.

  29. Does anyone know how to confirm a security freeze has actually been done? After receiving letters referencing “credit offer mailing list…” but no mention of a security freeze or PIN after initiating a security freeze (one by mail, two by website), but having been charged the $10.00 security freeze fee, I’m not confident there is actually a security freeze in place.

    I would really appreciate any suggestions on confirming the status of these security freezes.

    • You should get a mail to your address of record in about 2-3 weeks from all the credit agencies. If you do NOT get something after 3 weeks you can call them, but I imagine they are quite swamped. I had to get a relative’s PIN reissued, which they only do via mail, and that took about a month.

      Best of luck

    • I have only done the one via Equifax website, and after I finally got it to go through, after trying over and over, I got a page to print off and keep with my PIN number. Sorry, I don’t know about the other sites, or by mail. Equifax is the only one I have done so far. I assume it went through since I got a PIN number to print off.

  30. Good Ole' Equi-Hax

    Since Good Ole’ Equi-Hax sells your data, and the hackers will do the same, it’s simply a lose-lose situation for anyone that has established any type of credit line. The only exception to this rude behavior of untrust might be hobos, hermits and Sasquatch.