Em­bat­tled Equifax faces an­other se­cu­rity is­sue

There was no breach of site af­ter fraud­u­lent up­dates, of­fi­cials say.

The Atlanta Journal-Constitution - - FRONT PAGE - By Michael E. Kanell mkanell@ajc.com

In what at first looked like yet an­other in­ci­dent of hack­ing, Equifax has taken down a web page be­cause of sus­pi­cion that it was ma­nip­u­lated.

The site, one of the em­bat­tled com­pany’s cus­tomer ser­vice of­fer­ings, was de­liv­er­ing fraud­u­lent up­dates for Adobe Flash, which — when clicked — would

in­fect a vis­i­tor’s com­puter with un­wanted soft­ware, ac­cord­ing to the tech­nol­ogy web­site Ars Tech­nica.

Thurs­day morn­ing, Equifax of­fi­cials con­firmed that they had taken down the web page and said they were in­ves­ti­gat­ing.

But late in the day, the com­pany is­sued a state­ment as­sert­ing that no breach had oc­curred — al­though it did not deny that there had been unau­tho­rized ac­tiv­ity.

Equifax is not only in the pub­lic eye, it is in the crosshairs for hack­ers, too, said Paige Schaf­fer, pres­i­dent of the iden­tity and dig­i­tal pro­tec­tion unit at Gen­er­ali Global As­sis­tance. “The amount of pub­lic scru­tiny that Equifax has re­cently ex­pe­ri­enced has likely made them more of a tar­get for hack­ers try­ing to take ad­van­tage of any vul­ner­a­bil­i­ties that may still ex­ist.”

The At­lanta-based com­pany first an­nounced a breach on Sept. 7 that it even­tu­ally said in­volved in­for­ma­tion on about 145 mil­lion peo­ple.

On Tues­day, the Wall Street Jour­nal quoted “peo­ple fa­mil­iar with the mat­ter” in a news ar­ti­cle say­ing driver’s li­cense data for 10.9 mil­lion Amer­i­cans was in­cluded in that breach.

Thurs­day’s de­ci­sion to take down the web­site was a pre­cau­tion, Equifax said. “De­spite early me­dia re­ports, Equifax can con­firm that its sys­tems were not com­pro­mised and that the re­ported is­sue did not af­fect our con­sumer on­line dis­pute por­tal,” the com­pany said.

More omi­nously, the site had re­quired some vis­i­tors to en­ter their So­cial Se­cu­rity num­bers.

The Equifax state­ment did not specif­i­cally ad­dress the ques­tion of whether in­for­ma­tion en­tered by vis­i­tors to the site might now be at risk.

Equifax said the prob­lem in­volved con­nec­tions us­ing the Equifax site. “The is­sue in­volves a third-party ven­dor that Equifax uses to col­lect web­site per­for­mance data, and that ven­dor’s code run­ning on an Equifax web­site was serv­ing ma­li­cious con­tent,” said the com­pany state­ment.

The com­pany has re­moved the ven­dor’s code and the web­page re­mains off­line “to con­duct fur­ther anal­y­sis.”

Hours be­fore the Equifax state­ment, Ars Tech­nica had re­ported that in­de­pen­dent as­sess­ments from re­searchers that in­di­cated the prob­lem had been com­ing from “a third-party ad net­work or an­a­lyt­ics provider.”

That did in­deed mean that the prob­lem might not ac­tu­ally be on the Equifax web­site, Ars Tech­nica wrote. “But even if that’s true, the net re­sult is that the Equifax site was ar­guably com­pro­mised in some way, since ad­min­is­tra­tors couldn’t con­trol the pages vis­i­tors saw when try­ing to use key func­tions.”

Af­ter sev­eral years of breaches — al­though none so deep in data as that at Equifax — con­sumers should as­sume that much of their per­sonal in­for­ma­tion is “out there,” said Matt Schulz, se­nior industry an­a­lyst for Cred­itCards.com.

Yet about 20 per­cent of adults have never checked their credit, ac­cord­ing to the com­pany’s re­search, he said. “This new an­nounce­ment from Equifax is just Rea­son No. 10,000 why con­sumers should as­sume their per­sonal in­for­ma­tion is al­ready out there and act ac­cord­ingly. It’s a scary thing to wrap your brain around, but the truth is that you’re bet­ter off as­sum­ing the worst and tak­ing steps to pro­tect your­self.”

Also Thurs­day, Hy­att Ho­tels said pay­ment card in­for­ma­tion had been hacked at a num­ber of lo­ca­tions in spring and early sum­mer.

Hy­att said 41 prop­er­ties were af­fected in 11 coun­tries, in­clud­ing seven in the United States: three in Hawaii, three in Puerto Rico and one in Guam.

News about the mas­sive Equifax breach made the once-ob­scure com­pany a house­hold name — and not in a good way.

Two ex­ec­u­tives sold stock af­ter the breach was dis­cov­ered — but be­fore it was an­nounced. Two top ex­ec­u­tives abruptly re­tired. So did Richard Smith, the com­pany’s chief ex­ec­u­tive, who was called be­fore Congress any­way to face bi­par­ti­san cen­sure.

One of the more stri­dent crit­ics, Sen. El­iz­a­beth Warren, D-Mass., on Thurs­day sent a let­ter and a list of 79 ques­tions to Smith.

Among her re­quests, were at­tempts to get more de­tails about the ex­tent of the breach and the com­pany’s re­sponse, the fail­ure to pro­tect con­sumer data, the com­pany’s se­cu­rity strat­egy and ques­tions about ig­nor­ing pre­vi­ous warn­ings.

”At your hear­ing, you stated that the hack was the re­sult of both hu­man and tech­no­log­i­cal er­rors,” wrote Warren, who made her name at Har­vard as a critic of the fi­nan­cial sys­tem. “You failed to de­scribe in de­tail how these er­rors oc­curred or what safe­guards, if any, Equifax had in place to pre­vent or mit­i­gate such er­rors.”

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.