Equifax Data Breach

On 7 September 2017, Equifax announced a data breach affecting approximately 143 million U.S. consumers, involving the compromise of names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. According to the announcement, a smaller subset of victims (roughly 209,000) also had credit card numbers exposed, and “dispute documents” for roughly 182,000 consumers were compromised. Strikingly, the intrusion was not a single event: unauthorized access apparently ran from mid-May through July 2017 before it was discovered.

Equifax released very little technical information about the breach itself other than to state that the perpetrators “exploited a U.S. website application vulnerability.” That single sentence does not identify the application, the vulnerability, or whether a patch was available at the time, and the lack of such detail during an incident of this scale only increases concern.

However, open-source research suggests that the breach may have involved the Equifax credit report dispute system and possibly an application affected by one of the 2017 Apache Struts vulnerabilities. The reasoning is circumstantial, but the pieces fit together:

  1. The announcement noted “no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases,” suggesting that the breach occurred in a related system rather than in the main credit reporting databases.
  2. “Only” 143 million victims were affected, which suggests a subset of the consumers on whom Equifax holds data rather than the entire population.
  3. An Equifax job posting seeks Apache Struts experience, suggesting that Equifax builds at least some of its web applications on that framework.
  4. US-CERT released two vulnerability notes in 2017 for Apache Struts: VU#834067 in March (CVE-2017-5638, a remote code execution flaw in the Jakarta Multipart parser) and VU#112992 in September (CVE-2017-9805, a deserialization flaw in the REST plugin). Note the timing: the September note was published after the May to July intrusion window, so if a Struts flaw was the entry point, the March vulnerability, which had a patch available before the intrusion began, is the more plausible candidate.
  5. The compromise included, in part, “dispute documents,” which points toward the dispute-handling application rather than the core reporting databases.

Equifax will likely reveal more over the next few weeks. But even this initial research raises questions about the extent of the breach, which systems were affected, and, if a known Struts vulnerability was involved, why a patch that had been available for months was not applied.