Credit reference agency Equifax has finalized a settlement for a 2017 data breach that affected more than 147 million US citizens and 15 million Brits.
Equifax first admitted the massive breach in September 2017. Names, Social Security numbers, birth dates, addresses as well as driver’s license details of more than 10 million individuals were exposed after attackers used a known vulnerability to break into Equifax’s databases.
The breach exposed the credit card data of a smaller subset of around 209,000 victims.
An estimated 15 million British citizens were affected by the incident, of which 694,000 had sensitive data exposed. A smaller number of Canadians were also affected.
Subsequent computer forensics work revealed attackers had access to Equifax systems between May and July 2017, when the breach was detected and resolved.
The root cause of the attack was a critical Apache Struts vulnerability, discovered and resolved in March 2017, that was left unresolved on at least one web-facing Equifax server.
Attackers took advantage of an unpatched Apache Struts installation to hack into Equifax’s dispute resolution portal.
This compromised server acted as a springboard that allowed hackers to access Equifax’s internal systems before stealing credentials that allowed them to query its databases.
Database queries were stored in compressed files that were slowly and systematically siphoned off.
In February 2020, US authorities unsealed an indictment charging four named members of the Chinese military with the cyber-attack.
The quartet – alleged members of the PLA 54th Research Institute – were served with a nine-count indictment, as detailed in a US Department of Justice statement on the case. The Chinese authorities deny any involvement in the hack.
Global settlement
Equifax has agreed to a global settlement with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau, and 50 US states and territories.
The settlement includes up to $425 million to help people affected by the data breach, as explained in an update from the FTC.
A portion of this figure is earmarked to cover losses and expenses – legal and otherwise – incurred by victims of identity theft and fraud, while some will likely go towards covering credit monitoring services and the remainder going to claimants who stake their claim before a January 2020 deadline.
The Daily Swig asked the FTC to offer an estimate on the number of claimants and the payouts each is likely to receive. No word back yet, but we’ll update this story as and when more information comes to hand.
Source: https://portswigger.net/daily-swig/equifax-finalizes-data-breach-settlement-with-us-regulators
