The impact of the breach at credit reporting and monitoring agency Equifax will likely be felt for months and years to come, as the full scope of the security incident is uncovered. Equifax publicly disclosed on Sept. 7 that attackers gained unauthorized access to its systems, exposing personally identifiable information on 143 million American consumers. The breach has also led to multiple legal actions, including at least one class-action lawsuit.
At this point in the investigation, Equifax has not publicly disclosed the root cause of the data breach. The only insight the company has provided is that the attackers were able to exploit a U.S. website application vulnerability to gain access to certain files.
Web application vulnerabilities are often found by internal corporate security teams, but third-party security researchers discover them as well. The challenge is that not every organization makes it easy for those researchers to disclose a flaw responsibly.
“We looked at Equifax’s website and found no easy way for hackers to disclose anything,” HackerOne CEO Marten Mickos wrote in an email statement sent to eWEEK. HackerOne is in the business of running managed bug bounty programs for organizations.
Mickos noted that several Equifax bugs have been disclosed via the Open Bug Bounty, which is a nonprofit project designed to connect hackers with website owners to resolve bugs in a transparent and open manner.
“One of [the bugs] was disclosed for their UK website and took nearly five months to resolve and the second is for the U.S. website, which has yet to be resolved,” he said.
It is unknown if the unresolved bug that was reported to the Open Bug Bounty is related to the Equifax breach.
As part of its breach response, Equifax is providing free identity and credit monitoring to impacted consumers via its own TrustedID service. However, on both Sept. 7 and 8, there were widespread reports that consumers were unable to access the identity protection enrollment site.
Aside from the likely high volume of traffic, the site (EquifaxSecurity2017.com) was temporarily blocked by Cisco’s OpenDNS web filtering service. In a Twitter post, OpenDNS founder David Ulevitch confirmed that the Equifax site initially triggered the criteria for identifying a site that is potentially malicious, including volume of traffic spiking from zero and the fact that it was a new domain.
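The criteria Ulevitch describes (a domain that is newly registered and whose query volume jumps from zero) can be sketched as a small scoring rule. The following is an added Python example written for this article; it is not OpenDNS's classifier and not code from Equifax. The domain names, registration dates, thresholds and hourly resolver query counts are constructed for illustration, and the registration age would come from WHOIS/RDAP in a real pipeline.

```python
"""Toy newly-registered-domain (NRD) plus traffic-spike heuristic.

Illustrative only: this is not OpenDNS's actual classifier. All domain
names, dates, thresholds and query counts below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import FrozenSet, List


@dataclass
class DomainStats:
    name: str
    registered: date          # registration date (assumed from WHOIS/RDAP)
    hourly_queries: List[int]  # resolver query counts per hour, oldest first


# Constructed thresholds, not vendor values.
NRD_AGE_DAYS = 30          # younger than this counts as "new"
SPIKE_RATIO = 50.0         # latest hour vs. baseline mean
MIN_SPIKE_QUERIES = 1000   # ignore tiny domains that go from 1 to 60


def is_newly_registered(d: DomainStats, today: date) -> bool:
    """True if the domain was registered less than NRD_AGE_DAYS ago."""
    return (today - d.registered).days < NRD_AGE_DAYS


def has_traffic_spike(d: DomainStats) -> bool:
    """True if the latest hour is far above the preceding baseline.

    A baseline of zero with real traffic in the latest hour is the
    "spiking from zero" case and is treated as a spike outright.
    """
    if len(d.hourly_queries) < 2:
        return False
    baseline = mean(d.hourly_queries[:-1])
    latest = d.hourly_queries[-1]
    if latest < MIN_SPIKE_QUERIES:
        return False
    if baseline == 0:
        return True
    return latest / baseline >= SPIKE_RATIO


def classify(d: DomainStats, today: date,
             allowlist: FrozenSet[str] = frozenset()) -> str:
    """Return 'block', 'review' or 'allow'.

    Both signals together block; either one alone is queued for a
    human look. An explicit allowlist models the operator-side fix of
    verifying a legitimate site and overriding the heuristic.
    """
    if d.name in allowlist:
        return "allow"
    nrd = is_newly_registered(d, today)
    spike = has_traffic_spike(d)
    if nrd and spike:
        return "block"
    if nrd or spike:
        return "review"
    return "allow"


# Constructed sample data, modelling the situation in the article.
TODAY = date(2017, 9, 8)

# A breach-response site stood up on a domain registered weeks earlier,
# with no traffic until the announcement hour.
FRESH = DomainStats("breach-enrollment-2017.example", date(2017, 8, 22),
                    [0, 0, 0, 0, 0, 0, 48000])

# A long-established brand domain with steady traffic.
ESTABLISHED = DomainStats("established-brand.example", date(1995, 6, 1),
                          [1200, 1300, 1250, 1180, 1220, 1275, 1250])

# The same established domain receiving a sudden surge.
ESTABLISHED_SPIKE = DomainStats("established-brand.example", date(1995, 6, 1),
                                [1200, 1300, 1250, 1180, 1220, 1275, 90000])


if __name__ == "__main__":
    for sample in (FRESH, ESTABLISHED, ESTABLISHED_SPIKE):
        print(f"{sample.name:35} -> {classify(sample, TODAY)}")
    print("after allowlisting:",
          classify(FRESH, TODAY, allowlist=frozenset({FRESH.name})))
```

The point of the example is the false positive: at the resolver, a legitimate enrollment site on a fresh domain looks the same as a phishing domain registered to exploit the same breach, so the heuristic fires on both. The practitioner-side caveats are that a breach-response site is better served from a subdomain of an established, already-trusted domain, and that if a new domain is unavoidable it should be registered, warmed and submitted to the major web-filtering vendors for review before it is announced, rather than relying on an allowlist entry after users have already been blocked.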
For those who have been able to reach the identity protection enrollment site, there have been multiple reports of concerns about the legal terms of use. As part of the enrollment terms for TrustedID, consumers must waive their rights to sue Equifax or participate in any class-action lawsuit against Equifax.
At least one class-action lawsuit has already been filed against Equifax over the data breach incident.
“Plaintiffs file this complaint as a national class action on behalf of over 140 million consumers across the Country harmed by Equifax’s failure to adequately protect their credit and personal information,” the class-action suit filed in Oregon federal court on Sept. 7 states.
Equifax consumers aren’t the only ones taking legal action, as investors are also now looking at potential wrongdoing by the company as well. Multiple executive officers of Equifax allegedly sold Equifax stock days after the company first became aware of the breach on July 29. Corporate litigation firm Bronstein, Gewirtz & Grossman stated in a press release that it’s investigating whether there was a violation of U.S. securities law.
“The investigation concerns whether Equifax and certain of its officers and/or directors have violated Sections 10(b) and 20(a) of the Securities Exchange Act of 1934,” the company stated.
Following the Equifax data breach disclosure on Sept. 7, Equifax stock has declined by at least 13 percent as of 1 p.m. ET on Sept. 8.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.