Equifax, one of the biggest consumer credit reporting companies, disclosed a massive breach of its systems on September 7, 2017. The breach reportedly compromised details of more than 143 million Americans, an undisclosed number of individuals from Canada, and around 400,000 from the United Kingdom. The company stated that its technical teams discovered the breach on July 29, 2017 and have been investigating it since then.
Personal information such as customers' names, Social Security numbers, birth dates and addresses was disclosed for all the affected customers. In addition, credit card numbers for 209,000 U.S. customers and dispute documents for 182,000 U.S. customers were leaked.
There was much speculation about which exploits the attackers may have used for this breach. Later, on September 13, 2017, the company confirmed that it was breached through a vulnerability in the Apache Struts framework used in its U.S. website application (CVE-2017-5638). This vulnerability was disclosed as a zero day in March 2017 and was patched in the same month. Apparently, Equifax failed to update its applications in time and is paying a huge price for this negligence.
The following week, a security journalist published news that the company's employee portal for Argentina was exposing details of employees and users. The online portal, named Veraz, was supposed to help employees manage credit report disputes. The number of affected employees is around 100, whereas the number of customers affected reached more than 14,000.