Equifax, one of the three major credit reporting agencies in the United States, announced that hackers broke into its systems and gained access to the personal information of more than 143 million consumers. That’s almost half of the U.S. population and likely more than half of U.S. adults who have a credit history.
The exposed data includes names, Social Security numbers, birthdates and driver’s license numbers. The credit card numbers of 209,000 individuals have also been exposed, as well as 182,000 dispute documents, which contain additional personal information.
According to Equifax, the breach happened in mid-May and was discovered July 29. Attackers broke in by exploiting a vulnerability in one of the company’s U.S. websites.
Aside from its size and the high risk of fraud to individuals, this breach also stands out because it hit a company that offers identity theft protection services, so it’s very aware of security threats and should have been prepared to fend off attacks.
Equifax set up a dedicated website with information about the incident and is offering consumers a free one-year subscription to its TrustedID Premier identity theft protection service.
“This is a prime example that attackers are going to be able to get in no matter what steps a company puts in place, and as one of the big three reporting agencies Equifax should know that and be prepared,” said Brian Vecci, technical evangelist at data protection firm Varonis. “While we don’t have the details at this point, it’s possible that when the attackers got in through a website exploit they may have been able to escalate privileges and behave like an insider. Few companies monitor access to sensitive files, so when attackers breach the perimeter, they can take whatever they want for weeks or months before anyone notices.”
“It’s a very colorful, albeit very sad, example how a vulnerability in a web application can lead to disastrous consequences for an entire company, its customer base and far beyond,” said Ilia Kolochenko, CEO of web security firm High-Tech Bridge. “Today, almost any critical data is handled and processed by web applications, but cybersecurity teams still seriously underestimate the risks related to application security.”
Malware Detection Bypass in Cisco Email Security Appliance
Cisco Systems alerted users of its Email Security Appliance (ESA) to a vulnerability that could allow attackers to bypass the product’s detection rules and deliver malicious email attachments to users.
The flaw is located in the Advanced Malware Protection (AMP) component of the Cisco AsyncOS software, which runs on both virtual and hardware ESA variants. The issue causes AMP to fail to scan certain EML attachments that could contain malware.
“An attacker could exploit this vulnerability by sending an email with a crafted EML attachment through the targeted device,” Cisco said in a security advisory. “A successful exploit could allow the attacker to bypass the configured ESA email message and content filtering and allow the malware to be delivered to the end user.”
There is no known workaround to prevent this problem, so users are encouraged to upgrade to the latest version of AsyncOS for their appliance.
Samsung Launches Bug Bounty Program for Mobile Devices
Samsung is the latest device manufacturer to launch a vulnerability reward program for its products. The company is ready to pay security researchers up to $200,000 for security flaws found in its mobile devices, as well as accompanying mobile services and applications developed by the company.
The products covered by Samsung’s new bug bounty program include those in the Galaxy S series, Galaxy Note series, Galaxy A series, Galaxy J series and Galaxy Tab series, and the rewards will range from $200 to $200,000.
Flaws will be evaluated according to four severity levels—low, moderate, high and critical—with higher payouts being offered for flaws that have a greater impact and risk. The top rewards will go to vulnerabilities in the Trusted Execution Environment (TEE), the vault used to store cryptographic secrets and other sensitive data, and to vulnerabilities in the secure bootloader, which ensures that the OS has not been modified.