Risk & Repeat: Equifax data breach response called into question
In this week's Risk & Repeat podcast, SearchSecurity editors tackle the massive Equifax data breach and how the credit bureau's response to the security incident is creating more problems.
The Equifax data breach that exposed the personal data on 143 million U.S. consumers has led to questions about the credit reporting company's response to the security incident.
Equifax officially disclosed the breach last week, nearly six weeks after the company discovered the intrusion, which exposed addresses, birth dates and Social Security numbers.
The company provided a new website for consumers to check if their personally identifiable information (PII) was exposed in the breach, but the website was rife with problems. For example, the site's URL -- equifaxsecurity2017.com -- looks suspicious, and it is built on a stock version of WordPress, which has experienced a number of security issues and attacks in recent years. In addition, the site's TLS certificate didn't perform revocation checks, though Equifax has since addressed that issue. Since the Equifax data breach checker requires users to enter the last six digits of their Social Security numbers, users could be at further risk if the site is compromised.
There were other issues with the Equifax breach response. The company's credit monitoring and identity theft protection service, dubbed TrustedID, was offered to consumers for free for up to one year, but the terms of service contained confusing language that appeared to prohibit class-action lawsuits against Equifax -- though the company later clarified its TOS. Several consumers also discovered that the TrustedID service generated PINs that were not random numbers, but sequential digits based on the date and time users enrolled.
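The PIN problem described above is a predictability failure rather than an exploit, so the following added example (not code from the article, from Equifax or from TrustedID) shows what a defender would want to see: a model of a timestamp-derived PIN scheme next to a CSPRNG-backed generator, an entropy comparison that quantifies the gap, and an audit helper that flags PINs matching the enrollment timestamp. The digit layout MMDDYYhhmm is an assumption used for illustration, not the actual TrustedID format.

```python
import math
import secrets
from datetime import datetime, timedelta

PIN_LENGTH = 10  # assumed length, chosen to match a date+time layout


def timestamp_pin(enrolled_at: datetime, length: int = PIN_LENGTH) -> str:
    """Model of a time-derived PIN. The MMDDYYhhmm layout is an assumption
    for illustration; the point is that the value is a function of
    enrollment time, not of a random source."""
    return enrolled_at.strftime("%m%d%y%H%M")[:length]


def secure_pin(length: int = PIN_LENGTH) -> str:
    """Generate a PIN from the OS CSPRNG via the `secrets` module,
    zero-padded so every PIN has the same fixed length."""
    return str(secrets.randbelow(10 ** length)).zfill(length)


def entropy_bits(distinct_values: int) -> float:
    """Entropy in bits of a uniform choice among `distinct_values` outcomes."""
    return math.log2(distinct_values)


def time_derived_entropy_bits(window_minutes: int) -> float:
    """Entropy of a minute-resolution time-derived PIN when the enrollment
    window is known to within `window_minutes` (one value per minute)."""
    return entropy_bits(window_minutes)


def random_pin_entropy_bits(length: int = PIN_LENGTH) -> float:
    """Entropy of a uniformly random decimal PIN of the given length."""
    return entropy_bits(10 ** length)


def audit_pin(pin: str, enrolled_at: datetime, tolerance_minutes: int = 2) -> bool:
    """Audit helper: return True if an issued PIN equals the timestamp-derived
    value for the enrollment time (allowing a few minutes of clock skew),
    which indicates the PIN came from a predictable generator and should
    be reissued."""
    for offset in range(-tolerance_minutes, tolerance_minutes + 1):
        candidate = enrolled_at + timedelta(minutes=offset)
        if timestamp_pin(candidate, len(pin)) == pin:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample enrollment time, not a real record.
    enrolled = datetime(2017, 9, 12, 13, 0)
    weak = timestamp_pin(enrolled)
    strong = secure_pin()
    print(f"time-derived PIN: {weak}  (flagged: {audit_pin(weak, enrolled)})")
    print(f"random PIN:       {strong}  (flagged: {audit_pin(strong, enrolled)})")
    year_minutes = 365 * 24 * 60
    print(f"entropy, time-derived over a year: {time_derived_entropy_bits(year_minutes):.1f} bits")
    print(f"entropy, random 10-digit PIN:      {random_pin_entropy_bits():.1f} bits")
```

Even with the enrollment time unknown to within a full year, the time-derived scheme has roughly 19 bits of entropy against about 33 bits for a uniformly random 10-digit PIN, and any attacker who can narrow the enrollment window (a notification email timestamp, for instance) reduces it further; `secrets.randbelow` draws from the operating system's CSPRNG, which is the appropriate source for any value that must be unguessable.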
Along with questionable response moves, concerns about the nature of the attack and the scope of the Equifax data breach continue to grow. While Equifax attributed the breach to a web application vulnerability, it hasn't disclosed the specific application or vulnerability involved.
Why was the PII for so many Americans apparently left unprotected? What long-term effects will the Equifax data breach have on enterprise security? How could the company have handled its breach response better? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.