Equifax reveals that 3.6 million more people were affected by the data leak
Equifax, a consumer credit reporting agency, has finally sent an official report to a few US Congressional committees regarding the massive data breach that was revealed in September 2017. The company had previously disclosed the approximate number of people affected by the breach, which totaled 143 million consumers from the UK, USA and Canada. The massive information leak occurred after Equifax failed to identify and patch an Apache Struts vulnerability.
On May 4, it was revealed in a U.S. Securities and Exchange Commission (SEC) Form 8-K filing that the personal data of as many as 146.6 million users was leaked. In other words, 3.6 million more people fell victim to the breach than the company initially announced. It may not seem like a huge difference, but that is another 3.6 million people who haven't been properly warned about this incident.
Type of exposed data announced
Equifax has also reported more details about the incident, including the following numbers for each type of exposed data:
- Name – 146.6 million
- Date of Birth – 146.6 million
- Social Security Number – 145.5 million
- Address Information – 99 million
- Gender – 27.3 million
- Phone Number – 20.3 million
- Email Address – 1.8 million
- Payment Card Number and Expiration Date – 209,000
- TaxID – 97,500
- Driver’s License State – 27,000
Additionally, the SEC form revealed the number of images of certain government-issued identification documents that were exposed (note: the “Other” category includes such documents as state-issued IDs, military IDs and similar):
- Driver’s License – 38,000
- Social Security or Taxpayer ID Card – 12,000
- Passport or Passport Card – 3,200
- Other – 3,000
These details were discovered when the company analyzed the government-issued IDs which were uploaded to the official dispute portal by victims.
Data breaches are becoming more frequent – security measures should be undertaken
Equifax is not the only company affected by the Apache Struts vulnerability. As many as 10,801 organizations are also believed to have downloaded and implemented the vulnerable versions of the software. According to the research, 57% of those affected companies were included in the Fortune Global 100.
According to Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, even Equifax could have avoided the terrible data breach, if only it had patched on time:
Seven months should be enough time for organizations to install the necessary patches and it's unfortunate that so many still choose to download the older vulnerable versions. There is really no excuse for this. CVE-2017-5683 was fixed in Apache Struts version 2.5.13 in September 2017.
In addition to software vulnerabilities, data can also leak in other ways, including through system bugs or accidental exposure. Therefore, it is vital not only to patch software on time and obtain reputable security software, but also to keep passwords safe and change them regularly.