On September 13th, a massive data company called Equifax, announced it had been breached by hackers using a vulnerability in their systems. They stated that the hackers pulled data from the company’s servers from May to July without anyone noticing. Equifax had known about the vulnerability since March of this year, but neglected to fix it. Equifax noticed the data breach on July 29th, forcing them to patch the vulnerability.  Many lawsuits are facing the company for their negligence.  

    Equifax is one of three large data holding companies that stores consumer information such as: credit scores, and purchase history and other sensitive consumer information from websites like Amazon, and they sell that information to banks and ‘lenders’ who can use the information to decide whether to give out loans and mortgages for things like homes and cars to consumers.

    The hackers were able to use an exploit,  a written line of code that attacks a known vulnerability, in this case a vulnerability called Apache Struts CVE-2017-5638. CVE is a reference tool issued by The National Vulnerability Database that maps all known vulns found in any software/hardware/database. Apache Struts refers to a well known Website server hosting program called Apache. Most big companies use nginx, another web hosting server, which is known to be more secure. Vulnerabilities in these web hosting servers are usually found and fixed pretty quickly, but Equifax neglected to fix a problem in their system that they had know about for months, allowing hackers to take advantage of it.

    The exploit gained access to Equifax’s database by using the “Jakarta Multipart parser”, a subprogram in Apache Struts, to trigger an error during file-upload attempts in the system, which allows hackers to run arbitrary commands via ‘crafting’ different types of regular HTTP responses like Content-Type, Content-Disposition, or Content-Length HTTP header, which can be executed easily using a string of HTTP code according to NVD (National Vulnerability Database)

    It is estimated that about 143 million Americans had their data leaked. Hackers were able to pull names, social security numbers, birth dates and driver’s license numbers.  Using this information can pass sturdy identification protection protocols, making it easier for frauded identification to be made. Alongside this info, hackers also gained more than 200,000 American Consumers credit card info as well as 182,000 counts of consumer’s personal information.

    This information is priceless in the black market of stolen information and could be worth millions. Hackers can sell this information to cyber thieves who use it to commit identity theft.  If the breached info gets into the wrong hands, millions of Americans can be at risk of identity fraud through frauders opening bank accounts, lines of credit, new credit cards, and driver’s licenses in the names of the affected consumers.  They can also issue speeding tickets, steal social security checks and steal tax refunds. “The Equifax scandal affects all Americans because no one can be sure who data was breached, this means my parents could be caught in this mess,” said junior James Slawter.

    Currently, Equifax is facing 50 class action lawsuits as well as a count of negligence which could cost Equifax millions. Although this will be a major setback for the company, it is unlikely that it will be company will shut down due to their annual revenue weighing in at about 4.3 billion dollars.