In one case, it had to change its ways following a class action lawsuit over an alleged lapse in security. That suit related to a May 2016 incident in which Equifax's W-2 Express website had suffered an attack that resulted in the leak of 430,000 names, addresses, social security numbers and other personal information of retail firm Kroger.

Lawyers for the class action plaintiffs argued Equifax had "wilfully ignored known weaknesses in its data security, including prior hacks into its information systems."

Equifax sought to have the case thrown out with prejudice (i.e. the matter would be closed permanently), arguing the plaintiffs were basing their demand for compensation, as much as $5 million, on "speculative and hypothetical injuries." In the end, the case was dropped without prejudice (i.e. the claims could be brought again), with the stipulation that Equifax fix a glaring security issue.

The flaw was the result of an Equifax decision to have client employees access their data with the use of default PIN numbers. The PINs, according to the plaintiff complaint, consisted of the last four digits of an individual's social security number and their four-digit year of birth. A determined hacker could gather such information by scouring the web, or duping a target into coughing up the information. In closing the case, Equifax agreed to stop using those default PINs.

But problems with PINs appeared to have continued after that settlement in September last year. As independent cybersecurity reporter Brian Krebs reported in May 2017, an Equifax note to customers said hackers had used personal information to guess the personal questions of employees in order to reset the 4-digit PIN they had been given and steal tax data. In its disclosure, Equifax said the unauthorized access to the information occurred between Ap… and March 29 the following year.

In January 2017, Equifax was forced to confess to a data leak in which credit information of a "small number" of customers at partner LifeLock had been exposed to another user of the latter's online portal.

Going further back four years, Equifax reported a breach to the New Hampshire attorney general, admitting that between April 2013 and January 2014, an "IP address operator was able to obtain the credit reports using sufficient personal information to meet Equifax's identity verification process." There were other smaller data leaks reported by Equifax to the AG, though they only appeared to affect a handful of people.

Skip forward to 2016 and a security researcher found a common vulnerability known as cross-site scripting (XSS) on the main Equifax website, according to a tweet from a researcher who goes by the name x0rz:

"Basic XSS on Equifax, still working after being reported in 2016 ¯\_(ツ)_/¯ (h/t #equifaxbreach #XSS /Kic3NIO9GQ"

Such XSS bugs allow attackers to send specially-crafted links to Equifax customers and, if the target clicks through and is logged into the site, their username and password can be revealed to the hacker.

Now, other security researchers, intrigued by Equifax's admission that the just-announced hack exploited a vulnerability on its website, are probing the company's infrastructure and turning up what they claim are worrying finds. The good-guy hackers have found myriad old technologies running the Equifax site, many of which could be vulnerable to cyberattack.

Researcher Kenneth White discovered a link in the source code on the Equifax consumer sign-in page that pointed to Netscape, a web browser that was discontinued in 2008. Kevin Beaumont, a British security pro who's spent 17 years helping protect businesses, found decade-old software in use:

"Equifax's infrastructure is a weird mix of IBM WebSphere, Apache Struts, Java. It's like stepping back in time a decade."

Though there's no evidence the software could allow a serious breach of Equifax data, x0rz noted: "Old IT systems could indicate lack of 'renewal' procedures, old and unpatched software." "It really looks like they don't care about security on their website - not surprised they got breached, certainly easily," x0rz added.

Another cybersecurity engineer, using the name Zemnmez, said Equifax shouldn't have allowed so much information to be accessible via a breach of its public-facing web applications.
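To make the mechanism behind the reported XSS bug concrete, here is an added example (not Equifax's code and not from the article): a hypothetical sign-in page that reflects a `msg` query parameter into its HTML, shown in its vulnerable form beside the output-encoded fix, plus a small access-log check for the same class of probe. The host `example.test`, the `msg` parameter and the log lines are all constructed for the illustration.

```python
"""Reflected XSS on a sign-in page: the 'before' pattern, the fix, and a
log-side check. Added illustration; nothing here is Equifax's code."""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed link of the kind a phishing message might carry: the value of
# the hypothetical "msg" parameter is echoed back into the page.
CRAFTED_LINK = "https://example.test/login?msg=%3Cscript%3Ealert(1)%3C/script%3E"


def reflected_param(url: str, name: str = "msg") -> str:
    """Extract the reflected parameter the way the server would see it
    (percent-decoding included)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_error_vulnerable(msg: str) -> str:
    """Hypothetical 'before': the parameter is concatenated straight into the
    HTML, so markup in the link runs in the victim's logged-in session."""
    return f"<form action='/login'><p class='error'>{msg}</p>...</form>"


def render_error_fixed(msg: str) -> str:
    """Contextual output encoding: html.escape(quote=True) turns < > & " '
    into entities, so the parameter can only ever render as text."""
    return (
        "<form action='/login'><p class='error'>"
        f"{html.escape(msg, quote=True)}</p>...</form>"
    )


def has_active_markup(rendered: str, payload: str) -> bool:
    """Regression check for a test suite: did the raw payload survive into
    the rendered page unescaped?"""
    return payload in rendered


# Constructed access-log lines (Common Log Format), not real Equifax logs.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Sep/2017:10:01:12 +0000] '
    '"GET /login?msg=Session%20expired HTTP/1.1" 200 5120',
    '198.51.100.9 - - [08/Sep/2017:10:02:40 +0000] '
    '"GET /login?msg=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5201',
]

# Crude signature for script injection attempts in a decoded request URI.
XSS_PROBE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)
REQUEST_URI = re.compile(r'"(?:GET|POST) (\S+) ')


def flag_xss_probes(lines):
    """Return the request URIs whose percent-decoded form carries a
    script-injection signature; useful for spotting probes against a page
    that is known to reflect a parameter."""
    hits = []
    for line in lines:
        m = REQUEST_URI.search(line)
        if m and XSS_PROBE.search(unquote(m.group(1))):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    payload = reflected_param(CRAFTED_LINK)
    print("vulnerable:", render_error_vulnerable(payload))
    print("fixed:     ", render_error_fixed(payload))
    print("probes:    ", flag_xss_probes(SAMPLE_LOG))
```

The fix is output encoding at the point of insertion, which is the control that was missing in the reported bug; a Content-Security-Policy header is a useful second layer but does not replace it. The log check is deliberately narrow and is meant as a starting point for a detection rule, not a complete filter.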