In a rare move, the U.S. Federal Trade Commission on Thursday confirmed that it has opened an investigation into the data breach at Equifax that compromised the sensitive personal information of 143 million U.S. consumers.
The FTC announcement came less than a week after Equifax revealed that an unknown party had gained access to names, addresses, Social Security Numbers and other data belonging to nearly half the U.S. population. An unknown number of Canadian and UK consumers were directly impacted by the breach as well.
Along with personal information, the attackers stole more than 209,000 customer credit card numbers and nearly 190,000 credit dispute files.
Equifax hired an outside cybersecurity firm to investigate and contacted law enforcement to look into the incident, it said.
Twisting the Knife?
Equifax triggered a severe backlash following news of the breach for what critics have characterized as an attempt to make money from consumers seeking to find out if their identities were stolen, and to prevent them from participating in any future legal action against the firm.
Offers to sell the stolen consumer information reportedly have turned up on the Dark Web.
“The FTC typically does not comment on ongoing investigations,” said Peter Kaplan, acting director, public affairs.
“However in light of the intense public interest and potential impact of the matter, I can confirm that FTC staff is investigating the Equifax data breach,” he told the E-Commerce Times.
The agency also warned consumers to be on the alert for phone scams — for example, someone pretending to be from Equifax in an effort to trick people into providing personal data.
The Apache Software Foundation on Thursday confirmed that the data breach was due to Equifax’s failure to patch a vulnerability related to Apache Struts, an open source framework for creating enterprise-level Java Web applications.
Apache Struts powers Internet of Things and front- and back-end applications for many of the leading technology service providers, telecoms, financial institutions and government agencies.
The unpatched vulnerability was linked to CVE-2017-9805, based on an analyst report that was traced to information reportedly provided by an Equifax source.
Minority Leader Chuck Schumer, D-N.Y., blasted Equifax on the floor of the U.S. Senate, calling the incident one of the “most egregious examples of corporate malfeasance since Enron,” and called for Senate hearings on the matter. He also demanded resignations from the CEO and board members if immediate reforms are not implemented.
“When you’re a credit agency like Equifax, you have two principal jobs: calculating and reporting accurate credit scores, and protecting the sensitive information of individuals that are funneled through that process,” he said. “Equifax stunningly and epically failed to perform one of its two essential duties as a company, to protect the sensitive information of the people in its files.”
Possible Legal Action
Equifax faces potential legal liability on a couple of fronts, said Seth Berman, a former Department of Justice attorney who now specializes in cybersecurity issues at the Nutter law firm.
The FTC has broad authority to investigate data breaches, he told the E-Commerce Times, particularly given the fact that Equifax is a credit reporting agency that deals with consumer finances, and also since Equifax has been caught up in past investigations by the agency.
State attorneys general also will look into the breach, Berman said, noting that New York AG Eric Schneiderman already has announced an investigation.
Equifax could see a spate of class action civil suits from consumers and shareholders, as well as a probe by the Securities and Exchange Commission.
“More often than not, we are seeing breaches as a result of an organization’s failure to implement Security 101 principles — proper patch management, secure software development, processes and procedures,” said Leigh Anne Galloway, cybersecurity resilience officer at Positive Technologies.
“It’s the basic things that organizations fail to do again and again,” she told the E-Commerce Times.
A number of Apache Struts vulnerabilities recently have been identified, Galloway noted, including a number of flaws Cisco uncovered in the open source framework just a week ago.
In the Equifax case, attackers were allowed to execute arbitrary code on a server by manipulating the Content-Type HTTP header, she said.
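The Content-Type manipulation Galloway describes lends itself to a simple defensive check at the web tier or in log review. The following Python is an added example, not code from the article or from Equifax, Apache or Positive Technologies: it validates Content-Type header values against the RFC 7231 media-type grammar and flags values that carry expression-language markers or are implausibly long. The sample request list, the marker list and the length threshold are assumptions constructed for the example; patching Struts remains the actual fix, and this check is only a compensating detection.

```python
import re

# Constructed sample requests (not real Equifax traffic): (method, path, Content-Type header value).
SAMPLE_REQUESTS = [
    ("POST", "/login.action", "application/x-www-form-urlencoded"),
    ("POST", "/upload.action", "multipart/form-data; boundary=----constructedBoundary42"),
    ("GET", "/index.action", "text/html; charset=UTF-8"),
    # Constructed suspicious values: expression markers where a media type belongs.
    ("POST", "/search.action", "%{#constructed_test_expression}"),
    ("POST", "/search.action", "application/json; charset=${constructed}"),
    # Constructed value that is simply not a media type.
    ("POST", "/data.action", "not a media type"),
]

# Expression-language markers that have no place in a media type; presence alone is a strong signal.
EXPRESSION_MARKERS = ("%{", "${")

# RFC 7230 'token' characters and RFC 7231 media-type grammar:
#   media-type = type "/" subtype *( OWS ";" OWS parameter )
#   parameter  = token "=" ( token / quoted-string )
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
PARAMETER = rf"{TOKEN}=(?:{TOKEN}|{QUOTED_STRING})"
MEDIA_TYPE_RE = re.compile(rf"^{TOKEN}/{TOKEN}(?:\s*;\s*{PARAMETER})*\s*$")

# Assumed threshold: legitimate Content-Type values are short; this limit is our choice, not a standard.
MAX_CONTENT_TYPE_LENGTH = 256


def classify_content_type(value: str) -> str:
    """Return 'ok', 'expression_marker', 'oversized' or 'malformed' for one header value."""
    if any(marker in value for marker in EXPRESSION_MARKERS):
        return "expression_marker"
    if len(value) > MAX_CONTENT_TYPE_LENGTH:
        return "oversized"
    if not MEDIA_TYPE_RE.match(value):
        return "malformed"
    return "ok"


def scan_requests(requests):
    """Return (method, path, value, verdict) for every request whose Content-Type is not 'ok'."""
    findings = []
    for method, path, value in requests:
        verdict = classify_content_type(value)
        if verdict != "ok":
            findings.append((method, path, value, verdict))
    return findings


if __name__ == "__main__":
    # Prints one line per flagged request from the constructed sample set.
    for method, path, value, verdict in scan_requests(SAMPLE_REQUESTS):
        print(f"{verdict:<18} {method} {path}  Content-Type: {value!r}")
```

The grammar check rejects anything that is not `type/subtype` with well-formed parameters, which catches most tampering without needing to enumerate payload shapes; the marker check is kept separate so that a hit can be routed to a higher-severity alert than a merely malformed header.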
Equifax and other companies in 2012 agreed to pay US$1.6 million to settle the FTC’s charges that the company had sold lists of customers who were late on their mortgage payments.
Equifax itself agreed to pay $393,000 to settle claims that it sold data from 17,000 prescreened late-paying consumers to firms, including Direct Lending Source, which then resold that information to other firms.