UPDATED 19/9/17 to correct the fact that US Info Search never sold any data to Ngo Equifax made headlines on September 7, 2017, when it announced its discovery of a data breach earlier in the year. In the security incident, computer criminals leveraged a "U.S. website application vulnerability" to view some of the consumer credit reporting agency's files, access which helped them compromise 143 million U.S. consumers' Social Security Numbers, dates of birth, and other sensitive personal information. It's thought the attackers also exposed 209,000 American's credit card numbers along with the personal information of as many as 44 million UK citizens and an undisclosed number of Canadians. While consumers take the time to investigate whether the breach affected them and to protect themselves against identity theft, it's important to explore the incident's historical significance. A look back to recent years reveals this breach isn't the first time that hackers have targeted a credit bureau in the United States. Here are four other security events that affected or involved U.S. credit bureaus in some way.
1. Experian/Court Ventures (Prior to March 2012)
In March 2012, global information services group and credit bureau Experian purchased a legal data retrieval services company called Court Ventures. Sometime after that purchase, the U.S. Secret Service notified Experian that Court Ventures was selling information from US Info Search, a reverse data lookup platform, to a Vietnamese national named Hieu Minh Ngo. The individual posed as a business owner to access data through Court Ventures, whose contract with US Info Search predated Experian's purchase of the data retrieval firm. Some news reports at the time said the incident compromised a total of 200 million Experian customers' records containing personal information. In a statement posted to its website, Experian clarifies that Ngo didn't access any of its databases and instead exposed a "much lower" number of records stored by US Info Search. Even so, the credit bureau filed a lawsuit against the former owners of Court Ventures "for permitting the sale of US Info Search’s data to Ngo."
2. Equifax, Experian, and TransUnion (March 2013)
Equifax, Experian, and TransUnion all acknowledged intrusions into their systems after information pertaining to celebrities and high-profile figures ended up on a website called Exposed. According to Computer Reseller News, sensitive data for former First Lady Michelle Obama, Paris Hilton, former Secretary of State Hillary Clinton, and former FBI Director Robert Mueller ended up on the site after attackers gained "fraudulent and unauthorized access" to those individuals' credit reports. They did so without the use of malware or software vulnerabilities. Instead, they leveraged publicly available information to bypass the three credit bureaus' authentication measures by answering all the necessary security questions.
3. Experian/T-Mobile (December 2013 and October 2015)
On 30 December 2013, T-Mobile submitted a letter to the Office of the Attorney General about a data breach that affected a "relatively small" number of customers. The security incident occurred after an unauthorized party gained access to a file stored on a server operated by one of the mobile operator company's suppliers. T-Mobile later identified this supplier as Decisioning Solutions, an authentication company which Experian acquired in April 2013. Experian ultimately folded Decisioning Solutions into its Decision Analytics platform. T-Mobile disclosed another breach less than two years later. This time, a hacking incident involving Experian's systems resulted in the theft of 15 million T-Mobile customers' Social Security Numbers and other personal information.
4. Equifax (May 2016)
Back in May 2016, grocery giant Kroger sent out a letter to current and some former employees about a security incident. The breach took place when attackers accessed Equifax's W2Express website, a resource which offers downloadable W-2 forms for companies. Attackers apparently gained access to Kroger employees' W-2 forms by entering in their Social Security Numbers and birth years after stealing the information from other sources. Subsequently, they exposed all affected employees' tax data and salary details.
A Call to Action for Organizations Everywhere
Tim Erlin, vice president of product management and strategy, feels the security events above and the most recent Equifax breach highlight the need for credit bureaus and organizations everywhere to develop a plan that helps them defend against intruders. As he told eSecurity Planet:
"Information security teams at other organizations should use this incident as an opportunity to evaluate their own plans. All organizations that collect and store sensitive data are targets. Doing the basics right, such as ensuring secure configurations, managing vulnerabilities and capturing log data, is the most effective way to prevent breaches."
It is essential that businesses prioritize their risks. The first step in doing so is getting visibility into what’s on your network – you can’t protect what you can’t see. After implementing a discovery and inventory process, systems should be hardened and secured. Furthermore, it’s important for organizations to continuously assess and remediate vulnerabilities in their IT environment with a vulnerability management solution. To learn how Tripwire solutions can help secure your business, click here. Alternatively, you can see how a we ruined a customer’s day (but saved their year) here: https://www.youtube.com/watch?v=ym_7p4oKdsY
Mastering Security Configuration Management
Master Security Configuration Management with Tripwire's guide on best practices. This resource explores SCM's role in modern cybersecurity, reducing the attack surface, and achieving compliance with regulations. Gain practical insights for using SCM effectively in various environments.
