THE EQUIFAX DATA BREACH AND ITS CONSEQUENCES
On September 7, Equifax Inc. announced a cybersecurity incident that the company estimated would impact approximately 143 million U.S. consumers. Equifax disclosed that hackers had exploited a U.S. website application vulnerability to gain access to certain files. Equifax's initial disclosure stated that, based on the company's initial investigation, the unauthorized access occurred from mid-May through July 2017.
Equifax stated that the accessed information primarily includes names, Social Security numbers, birth dates, addresses, and, in some instances, driver's license numbers. Also accessed were credit card numbers for approximately 209,000 U.S. consumers and certain dispute documents containing personal identifying information for approximately 182,000 U.S. consumers. The company stated that, to a more limited degree, hackers also gained unauthorized access to certain information related to U.K. and Canadian residents.
The unauthorized access apparently was made possible by a flaw in a tool designed to build web applications, and Equifax admitted it was aware of the security flaw for two months before hackers gained access. The application tool, known as Apache Struts, is used by many large businesses and government organizations. Equifax used it to support its online dispute portal, a web location where Equifax customers can log issues regarding individual credit reports.
US-CERT, a cybersecurity division of the U.S. Department of Homeland Security, first identified and disclosed the Apache Struts flaw in March, according to Equifax. In a statement, Equifax said that the company's security department took actions to identify and patch any vulnerable systems; however, hackers were later able to exploit the flaw.
Equifax has been criticized both for not fully correcting the flaw in a timely manner and for waiting more than a month before alerting customers of the breach.
In an effort to address the potential impact on customers, Equifax offered to provide a year of free credit monitoring. However, the initial offer of this service required customers to provide more personal information to Equifax, gave unclear information regarding whether a customer's information had actually been compromised, and included an automatic enrollment for the credit-monitoring service at the end of the free year.
Additionally, included in the initial free credit-monitoring offer was Equifax's use of an arbitration agreement that would have prevented customers who took advantage of the free...