Remember the Equifax breach? The incident hit one of the largest credit reporting companies operating in the USA, and the intruders were able to obtain information on millions of users worldwide. The data breach, which took place between 13 May and 30 July 2017 in the US, affected 146 million customers on a global scale.
UK’s Information Commissioner’s Office (ICO) Imposed £500,000 Fine
Now the company has been fined £500,000 over the data of 15 million UK citizens that was compromised in the breach. The UK’s Information Commissioner’s Office (ICO) imposed the fine after an investigation into the catastrophic breach, according to its report.
The ICO investigation found that, although the information systems in the US were compromised, Equifax Ltd was responsible for the personal information of its UK customers. The UK arm of the company failed to take appropriate steps to ensure its American parent Equifax Inc, which was processing the data on its behalf, was protecting the information.
The attackers were able to compromise the company’s private servers. The following types of data were extracted: social security numbers (SSNs), addresses, dates of birth, driver’s license numbers and the payment card details of approximately 209,000 US citizens. In addition, other documents containing identifying information, covering about 182,000 consumers, were accessed. Private data on Canadian and British residents was also stolen.
The breach was caused by exploitation of the Apache Struts vulnerability CVE-2017-5638, for which a patch was available but was not applied in a timely manner. It mostly affected US citizens; however, the data of 15 million UK citizens was also compromised. As noted above, the UK arm of Equifax failed to ensure that its American parent, which was processing the data on its behalf, was safeguarding the information.
According to an investigation conducted with the help of the Financial Conduct Authority (FCA), Equifax failed on “five out of eight” data protection principles under the Data Protection Act 1998. Under UK legislation, Equifax failed to secure personal data and had poor retention practices in place. It also lacked a legal basis for the international transfer of UK citizens’ data.
It is also worth noting that security researchers recently discovered a vulnerability that could be worse than CVE-2017-5638. Tracked as CVE-2018-11776, it resides in the core functionality of Apache Struts. It is a remote code execution vulnerability that affects all supported versions of Apache Struts 2.