Connect with us

Hi, what are you looking for?

Cyber Security

Equifax finalizes data breach settlement with US regulators

Credit reference agency Equifax has finalized a settlement for a 2017 data breach that affected more than 147 million US citizens and 15 million Brits.

Equifax first admitted the massive breach in September 2017. Names, Social Security numbers, birth dates, addresses as well as driver’s license details of more than 10 million individuals were exposed after attackers used a known vulnerability to break into Equifax’s databases.

The breach exposed the credit card data of a smaller subset of around 209,000 victims.

An estimated 15 million British citizens were affected by the incident, of which 694,000 had sensitive data exposed. A smaller number of Canadians were also affected.

Subsequent computer forensics work revealed attackers had access to Equifax systems between May and July 2017, when the breach was detected and resolved.

The root cause of the attack was a critical Apache Struts vulnerability, discovered and resolved in March 2017, that was left unresolved on at least one web-facing Equifax server.

Attackers took advantage of an unpatched Apache Struts installation to hack into Equifax’s dispute resolution portal.

This compromised server acted as a springboard that allowed hackers to access Equifax’s internal systems before stealing credentials that allowed them to query its databases.

Database queries were stored in compressed files that were slowly and systematically siphoned off.

In February 2020, US authorities unsealed an indictment charging four named members of the Chinese military with the cyber-attack.

The quartet – alleged members of the PLA 54th Research Institute – were served with a nine-count indictment, as detailed in a US Department of Justice statement on the case. The Chinese authorities deny any involvement in the hack.

Global settlement

Equifax has agreed to a global settlement with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau, and 50 US states and territories.

The settlement includes up to $425 million to help people affected by the data breach, as explained in an update from the FTC.

A portion of this figure is earmarked to cover losses and expenses – legal and otherwise – incurred by victims of identity theft and fraud, while some will likely go towards covering credit monitoring services and the remainder going to claimants who stake their claim before a January 2020 deadline.

The Daily Swig asked the FTC to offer an estimate on the number of claimants and the payouts each is likely to receive. No word back yet, but we’ll update this story as and when more information comes to hand.

Advertisement. Scroll to continue reading.

Source: https://portswigger.net/daily-swig/equifax-finalizes-data-breach-settlement-with-us-regulators

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

The cyberattack that ultimately led to the breach of several U.S. officials’ email accounts was the result of a China-based threat actor accessing a...

Cyber Security

Zero Trust Data Access (ZTDA) constitutes a fundamental aspect of the wider Zero Trust security framework, which entails limiting data access. The Zero Trust security approach...

Cyber Security

The well-known watch manufacturing company Seiko disclosed the data breach notification recently on Aug 2023, targeted by the notorious threat group BlackCat/ALPHV. BlackCat/ALPHV Group has been...

Cyber Security

Privileged users typically hold crucial positions within organizations. They usually have elevated access, authority, and permission levels in the organization’s IT systems, networks, applications,...

Copyright © 2023 Newsworthy News | Global | Political | Local | All News | Website By: Top Search SEO