In 2017 Equifax confirmed it has suffered a massive data breach, cyber criminals stole sensitive personal records of 145 million belonging to US citizens and hundreds of thousands Canada and in the UK.
Attackers exploited the CVE-2017-5638 Apache Struts vulnerability. The vulnerability affects the Jakarta Multipart parser upload function in Apache and could be exploited by an attacker to make a maliciously crafted request to an Apache web server.
The vulnerability was fixed back in March 2017, but the company did not update its systems, the thesis was also reported by an Apache spokeswoman to the Reuters agency.
Compromised records included names, social security numbers, birth dates, home addresses, credit-score dispute forms, and for some users also the credit card numbers and driver license numbers.
In March 2018, experts argued the Equifax hack is worse than previously thought, according to documents provided by Equifax to the US Senate Banking Committee the attackers also stole taxpayer identification numbers, phone numbers, email addresses, and credit card expiry dates belonging to some Equifax customers.
A few weeks later the results of the forensic investigation revealed additional 2.4 Million identities were involved in the security incident.
Chief Executive Mark Begor confirmed that Equifax reached settlement agreements recently with some of the class action lawsuits and government investigators.
“This is a positive step forward for Equifax, as we work to put the 2017 cybersecurity event behind us,” he explained.
According to Begor, the settlement terms include the creation of a single “consumer redress fund” to respond and consolidate redress requests.
“There are still many other lawsuits outstanding.” reported the website Wabe.org. “The company has said hundreds of suits were filed against it since the breach, including more than 2,500 individual consumer plaintiffs, international and domestic class action suits, shareholder litigation and government lawsuits from states and cities.”
In June 2018, Equifax agreed to the Consent Order from some state banking regulators, many governmental agencies and officials are still investigating the breach.
“The company said earlier this year that the Consumer Financial Protection Bureau and Federal Trade Commission had told Equifax the agencies do “intend to seek injunctive relief damages and, with respect to the CFPB, civil money penalties against us based on allegations related to the 2017 cybersecurity incident.”” continues the Wabe site.
Expert believe that Equifax must be punished with exemplary penalties that have to incentivize the credit bureaus to protect consumer data.
“Equifax still hasn’t paid a price two years after losing the financial DNA of 150 million Americans,” said Mike Lit, a national campaign director at the consumer advocate, U.S. Public Interest Research Group. “That’s why we need strong oversight and meaningful financial penalties to incentivize the credit bureaus to protect our data.”