Equifax Data Breach
Equifax Data Breach | |
---|---|
Short Title | Credit Reporting Agency Equifax Was Hacked |
Location | United States |
Date | 2017 |
Solove Harm | Aggregation, Insecurity, Interrogation |
Information | Identifying, Medical and health, Authenticating, Demographic, Credit |
Threat Actors | Equifax Inc., China’s People’s Liberation Army |
Individuals | |
Affected | American citizens |
High Risk Groups | |
Tangible Harms | |
One of the United States’ largest consumer credit reporting agencies was hacked, and trade secrets and the personal data of about 145 million Americans were stolen.
Description
In 2017 one of the United States’ largest credit reporting agencies was hacked, and trade secrets and the personal data of about 145 million Americans were stolen.
In 2020 members of China’s People’s Liberation Army were charged with unauthorized access to the names, birth dates, and Social Security numbers of almost half of all Americans. This is an example of Insecurity.
According to media reports, the breach was made possible by a vulnerability in the Apache Struts software that Equifax used. Equifax’s security team did not deploy the patch that Apache offered to prevent breaches after it disclosed the vulnerability. This left the drawbridge down in Equifax’s systems, allowing attackers to gain access to Equifax’s web servers and obtain employee credentials.
In 2019 there was a class-action lawsuit against Equifax, where one of the allegations was the storage of personal information in plain text instead of encrypting it. The suit also stated that Equifax employed the username ‘admin’ and the password ‘admin’ to protect a portal used to manage credit disputes.
Another issue with Equifax is Aggregation. It collects and stores large volumes of different categories of personal information about individuals. Given the volume and granularity of the data, the attackers could not only access the information that was in the databases (names, birth dates, Social Security numbers) but also reveal information such as medical or financial records.
Another violation that can be identified here is Interrogation, as hackers' actions can be interpreted as probing for personal information through Equifax's systems.
Laws and Regulations
Sources
https://www.nytimes.com/2020/02/10/opinion/equifax-breach-china-hacking.html
https://www.nytimes.com/2020/02/10/us/politics/equifax-hack-china.html
https://www.wired.com/1995/09/equifax/