As reported yesterday, the credit reporting agency Equifax was hacked by unknown attackers. Now, it is being reported that the credit giant has been slapped with a multi-billion-dollar lawsuit over the data breach, in which the personal details of 143 million consumers were stolen. This is over 40% of the entire population of the United States.
In a complaint (PDF) filed in the federal court in Portland, Oregon, by plaintiffs Brook Reinhard and Mary McHill (both had their data with Equifax), Equifax is accused of failing to implement proper security measures to protect consumer data, choosing to save money rather than spend it on security.
“Plaintiffs file this complaint as a national class action on behalf of over 140 million consumers across the Country harmed by Equifax’s failure to adequately protect their credit and personal information. This complaint requests Equifax provide fair compensation in an amount that will ensure every consumer harmed by its data breach will not be out-of-pocket for the costs of independent third-party credit repair and monitoring services,” the complaint reads.
Remember, the stolen data includes names, addresses, birth dates, driver’s license numbers, the credit card numbers of 209,000 consumers, and the dispute documents of 182,000 U.S. consumers. The data also included details of some Canadian and British residents.
All this was possible because the attackers exploited a “U.S. website application vulnerability to gain access to certain files.”
In an email conversation, Fleming Shi, SVP Technology at Barracuda Networks, said, “This breach is like a Category 5 hurricane in the cyber world, affecting at least one-third of the U.S. population. The lasting impact from the breach will go on for years. Although web application attacks are common, there are two variations that may be relevant to this incident.”
“1: In one instance, a company hosts software that is vulnerable to content injection or privilege escalation attacks. This vulnerability can easily be exploited, once discovered, as not every site is set up for auto updates.
2: In the second instance, web applications or website code is independently vulnerable and subject to various well application-level attacks. In such cases, if software exhibits vulnerability to common attacks like SQL injection, XSS, Buffer, or overflow, this puts an organization at serious risk.”
“Web application vulnerabilities continue to be a critical exposure for many large organizations. Attackers have gotten more sophisticated at probing for flaws in the underlying frameworks that many of these applications are built on top of, which can lead to widespread security exposures even for organizations with mature security programs and secure coding practices in place. As companies continue to pursue more rapid application development capabilities, they need to ensure their security program keeps pace and travels at a similar speed,” said Mike Cotton, Vice President of Research and Development at Digital Defense, Inc.
Law enforcement authorities are currently investigating the issue; however, one cannot deny that it is a difficult situation for Equifax: first the data breach, and now a multibillion-dollar lawsuit.