At the beginning of September, 2017, it became known that a large-scale data leak was made by one of the largest credit bureaus in the world, Equifax. Then representatives of the North American division of Equifax reported that unknown intruders possessed personal information of 143 million people (there are 324 million people in the United States alone), including their social insurance and driving license numbers, full names, addresses and so on. In addition, in 209 000 cases, the documents also included information about bank cards of victims.
Initially, details of the attack itself were reported little, but it later became known that attackers compromised the company through a vulnerability in Apache Struts. It turned out that unknown attackers used the vulnerability CVE-2017-9805, which was eliminated as early as in March 2017. Since Equifax hacking occurred after the patch was released, the company had time to install the update, but for some reason no one bothered with it.
Let me remind you that in September it was reported that Equifax branches in other countries were not affected, although the leak affected the initially unnamed number of residents of Canada and the United Kingdom. Later, representatives of the bureau stated that as a result of the incident, about 400 000 British people were injured.
Yesterday, October 10, 2017, Equifax introduced a new press release, which significantly adjusted the number of victims. Thus, it became known that the leak affected 15.2 million people in the UK.
Fortunately, there is good news. So, it is reported that only 693,665 Britons were seriously affected, while the hacked records of 14.5 million people contained only names and dates of birth. It is unlikely that this information can somehow harm the users. As a result, according to new, updated data, the following information leaked:
- 12,086 people had accounts on Equifax.co.uk, and their email addresses fell into the hands of criminals;
- 14,961 users, also registered with Equifax.co.uk, were harmed by the leakage of the user's password, the secret question and the answer to it, and also the partial leakage of the bank card number;
- 29,188 people were victims of data leakage on driving licenses;
- 637 430 phone numbers of users also fell into the hands of criminals.
Representatives of Equifax and employees of the British National Center for Cybersecurity have already begun to notify all victims of the incident.
It's worth mentioning that Equifax has been correcting the information about the incident for the second time already. So, last week, another 2.5 million Americans were added to the list of victims, and it was also stated that only 8,000 people were harmed among Canadian citizens.
Now, after hacking, the credit history bureau is going through not the best time. Immediately after the official announcement of the incident, the CIO and CSO of the company left their posts, and last week the CEO of Equifax, Rick Smith, resigned.