As you may know already, Equifax, one of America’s largest credit companies, was the victim of a data breach earlier this year. Data held on as many as 143 million US consumers was stolen, and it’s now coming to light that the attack could’ve been avoided simply by patching.
The attackers were able to access the data through a vulnerability in Apache Struts (an open-source web application framework). The vulnerability, however, had been patched months before the attack took place. Patching and keeping software up to date is a critical practice when maintaining a cyber-secure environment.
When a vulnerability is discovered and patched, patch notes will be released containing information about what’s been fixed in the new version. Whilst this is important information that consumers need to know, it also inadvertently tells hackers what to look for when targeting unpatched platforms.
Further evidence has come to light that the Equifax web portal was utilising one of the worst possible username and password combinations: admin and admin. Whilst it’s not been revealed if this was exploited during the breach, using default vendor passwords meant it would only have been a matter of time before someone took advantage.
We are told regularly that we should have a complicated password with a mix of upper-case letters, lower-case letters and numbers. How many of us actually do it though?
A study carried out by mobile identity company TeleSign has uncovered some scary statistics surrounding passwords. Their findings showed that 47% of people use passwords that are at least 5 years old. Even more shocking, 21% of people surveyed used passwords that were over 10 years old.
The importance of using a complex password cannot be overstated. It only takes a few seconds to create a complicated password and it could potentially save your business tens of thousands of pounds. More importantly, it could save your customers from being the victims of fraud.
Unfortunately, due to the implications of the attack, Equifax now stand to lose an untold amount of money from the long-term reputational damage that goes hand-in-hand with a breach. Equifax were aware that their environment had been breached in July, but didn’t announce it officially until months later. Under new GDPR regulation coming in May 2018, companies will have 72 hours to report a potential breach.
Equifax has announced that cybercriminals have exploited a vulnerability in their website, allowing them to gain access to certain files. The data breach appears to have taken place from mid-May through July 2017. The company discovered the unauthorized access on July 29 of this year. Cybercriminals stole names, Social Security numbers, birth dates, and addresses. In some cases, driver's license numbers and even credit card numbers were accessed. During the company’s investigation of this breach, it was also found that there was access to some personal information for some UK and Canadian residents.