When 143 million people have already been affected by a massive data breach at one of the three major credit reporting agencies, what’s a few million more? That’s apparently the reality for Equifax, which upped its estimate of how many consumers were affected in the hack just hours before company executives were scheduled to discuss the incident with lawmakers.
Equifax announced Monday the revised figure, now a total 145.5 million customers, after cybersecurity firm Mandiant completed the forensic portion of its investigation of the breach.
Revising The Figure
The additional affected customers were found as Mandiant completed its “investigative tasks and quality assurance procedures” related to the company’s inquiry.
Equifax notes that Mandiant did not identify any evidence of additional or new attacker activity or any access to new databases or tables. Additionally, the company says that the review found there was no evidence that attackers accessed databases located outside the U.S.
As for the Canadian residents affected by the breach, Equifax says its previous estimates were inaccurate.
When the company revealed the data breach last month, it noted that up to 100,000 Canadian consumers may have had their personal information breached. Now, however, the company says Mandiant found just 8,000 affected customers in the country.
In the UK, the company says it has finished its forensic investigation, but that data is currently being analyzed in that country.
Equifax says it will mail written notices to the any newly identified hack victims.
“I’m So Sorry”
The revised estimate of affected customers came just hours before now-former Equifax CEO Richard Smith was scheduled to answer questions during the first of four Congressional hearings on the breach.
“To each and every person affected by this breach, I am deeply sorry that this occurred,” Smith said in prepared testimony [PDF]. “The company failed to prevent sensitive information from falling into the hands of wrongdoers.”
Smith then called for the government and private sector businesses to work together to ensure the safety of individuals’ private information.
“Giving consumers more control of their data is a start, but is not a full solution in a world where the threats are always evolving,” he said. “I am hopeful there will be careful consideration of this changing landscape by both policymakers and the credit reporting industry.”
While Smith noted during his testimony that the investigation into the breach is ongoing, he placed blame for the issue on both human error and technology failures. He also provided details of the breach and what led to it via a timeline:
• March 8 — The Department of Homeland Security’s Computer Emergency Readiness Team sent Equifax a notice of the need to patch a vulnerability in the Apache Struts software used in the company’s disputes portal.
• March 9 — The company passed the notification along to personnel responsible for Apache Struts installation, telling them to upgrade the software. Equifax required that the patch take place within 48 hours.
However, “we now know that the vulnerable version of Apache Struts within Equifax was not identified or patched in response to the internal March 9 notification,” Smith told lawmakers.
• March 15 — The company ran scans of its systems intending to identify vulnerabilities such as those in Apache Struts. The scans did not find the vulnerability, leaving it in the Equifax web application “much longer than it should have.”
“The company knows, however, that it was this unpatched vulnerability that allowed hackers to access personal identifying information,” Smith told lawmakers.
• May 13 to July 30 — Per Equifax’s preliminary investigation, May 13 is the first time in which hackers accessed sensitive information. Equifax was not aware of the breach at the time.
There is evidence that attackers continued to access the information via the Apache Struts vulnerability until July 30, according to Smith.
• July 29 — Equifax’s security department first observed suspicious network traffic associated with the company’s consumer dispute website.
The department investigated and immediately blocked the traffic, Smith said, adding that security personnel continued to monitor the network before taking it offline that day.
• July 31 — Smith was first informed of the breach.
• Aug. 2 — Equifax retained a cybersecurity group to guide the investigation and provide legal and regulatory advice. The company also began working with Mandiant to investigate the issue, and contacted the FBI.
• Aug. 11 — By this time the company determined that hackers may have accessed a large amount of consumers’ personal identifying information.
• Aug. 15 — Smith was informed that consumers’ personal information was breached.
• Aug. 17 — Smith hosted a senior leadership team meeting to discuss the investigation, which had by then found that “large volumes of consumer data had been compromised.”
• Aug. 22 — Smith informed Equifax’s Board leader of the breach.
• Sept. 1 — The first Equifax board meeting was held to discuss the breach and subsequent investigation.
• Sept. 4 — The investigation estimated that 143 million customers were affected by the breach. During this time, Smith contends that the company kept the FBI informed of the information.
• Sept. 7 — Equifax publicly revealed the breach. The release indicated that the breach impacted personal information relating to 143 million U.S. consumers, primarily including names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.
While Smith’s testimony provides additional details on Equifax’s breach, it’s not enough, according to consumer advocates.
Our colleagues at Consumers Union urged lawmakers in a letter [PDF] this week to take action to protect the sensitive information of Americans.
Lawmakers should make data security a national priority and pass legislation that would require companies to adopt reasonable practices to ensure the safety of consumer credit data, the group contends.
“For too long, inadequate federal laws have allowed companies to collect and profit from the use of consumers’ personal information, without consumers’ knowledge or control, and without the incentives to properly steward that information and protect it from criminals,” the letter states.
CU urged Congress to introduce and pass a law that would establish protections such as, strong data security and data breach notification requirements for companies; free security freezes, and better access to fraud alerts for consumers; and stronger controls over the sensitive data that credit bureaus collect and use
Without these protections, millions of Americans are left vulnerable to data breaches.
According to CU, more than 15 million U.S. residents fell victim to identity theft last year, costing them $16 billion.
“Given the unprecedented level of data collection in today’s marketplace, and emergence of new privacy threats every day, now is the time to ensure that all Americans have the data protections they deserve,” the letter states.