Equifax confirms it suffered a separate data breach in March

Another 2.5 million Americans may have been affected by the Equifax breach

Following the massive data breach that Equifax disclosed to the public in early September, news of a second, earlier attack at the credit agency has emerged. Although originally just a rumor from anonymous sources, on September 19, Equifax confirmed the secondary hack, which took place in March, though the firm denied it had anything to do with the larger hack. Adding insult to injury, Equifax has now inadvertently contributed to a phishing campaign by sending its customers to a phishing site rather than its own breach notification portal.

The chain of events so far

As originally reported by the New York Times, the first cyberattack we learned about occurred sometime between the middle of May 2017 and July 29 when the intrusion was discovered. What makes the Equifax attack particularly troublesome is the company’s status as a central clearinghouse for sensitive credit-related information including social security numbers, driver’s license numbers, and other data that can be used in a variety of ways to harm those affected.

The earlier data breach at Equifax is said to have taken place in March and though Equifax claims that this earlier hack had nothing to do with the hack that took place later in the year, some anonymous sources have said otherwise. In both cases, however, Equifax took on the services of digital security company Mandiant to investigate.

On October 2, Equifax announced that Mandiant had completed its forensic investigation regarding the September 7 breach, and that an additional 2.5 million Americans may have been impacted by the hack. This brings the total number of folks affected to 145.5 million. However, Mandiant did not find any further evidence of new hacking activity. Furthermore, it would appear that the impact of the breach did not extend beyond North America — about 8,000 Canadians (not 100,000 as previously thought) may have been affected as well.

“I was advised Sunday that the analysis of the number of consumers potentially impacted by the cybersecurity incident has been completed, and I directed that the results be promptly released,” newly appointed interim CEO, Paulino do Rego Barros, Jr. said. “Our priorities are transparency and improving support for consumers. I will continue to monitor our progress on a daily basis.”

In written testimony, former CEO Richard Smith told the Energy and Commerce Committee, “It appears that the breach occurred because of both human error and technology failures.”

Adding insult to injury, the Equifax Twitter account recently sent customers to the site “securityequifax2017.com,” a bogus site that clearly plays off the real site’s web address: equifaxsecurity2017.com. The tweet, naturally, has since been removed, but this isn’t the first time Equifax has sent people to the phishing site. Note that Google Chrome now flags the fake site as deceptive.


What data was stolen?

Although at this point it appears unlikely that any more personal information of Equifax customers was stolen in the original hack, it raises serious questions about the firm’s response. It’s possible that the law required Equifax to reveal information about it far sooner than the firm did and this development shines an even harsher light on some of the suspicious stock sales made by Equifax executives in August.

The U.S. Department of Justice has opened a criminal investigation into the stock sales, according to Bloomberg sources.

While the Equifax breaches aren’t the largest in terms of the number of victims (Yahoo’s attacks involved more people, and the HBO one dumped more spoilers), they’re of concern because of the kind of personal information that was stolen. Examples of sensitive information include 209,000 credit card numbers, personal information relating to credit disputes for 182,000 victims, and data that could be further used to access medical histories, bank accounts, and more.

On September 15, Equifax released more information about the hack, and also noted that two senior executives, the Chief Information Officer and Chief Security Officer, were “retiring.” Given recent events, however, there is likely more to the story than mere retirement. Equifax further revealed that its internal investigation is still ongoing and that the company “continues to work closely with the FBI in its investigation.” Thus far, it’s been revealed that Equifax first noticed suspicious activity on July 29, 2017, but waited until August 2 to contact a cybersecurity firm and conduct a “comprehensive forensic review.”

Pamela Dixon, executive director for the nonprofit research group World Privacy Forum, said in a statement, “This is about as bad as it gets. If you have a credit report, chances are you may be in this breach. The chances are much better than 50 percent.”

What’s to be done about it?

According to a press release issued by the office of Senator Mark Warner (D. Virginia), the Equifax attack raises important questions about the role of government in responding to the ongoing threat to personal information.

“While many have perhaps become accustomed to hearing of a new data breach every few weeks, the scope of this breach – involving Social Security numbers, birth dates, addresses, and credit card numbers of nearly half the U.S. population – raises serious questions about whether Congress should not only create a uniform data breach notification standard, but also whether Congress needs to rethink data protection policies, so that enterprises such as Equifax have fewer incentives to collect large, centralized sets of highly sensitive data like SSNs and credit card information on millions of Americans.”

In calling such attacks “a real threat to the economic security of Americans,” it’s likely that Warner and other government officials will push for legislation creating stronger consumer protections from data theft. Warner has been working on developing just that sort of legislation, and that’s likely to accelerate.

Equifax will also be mailing written notices to all potentially impacted U.S. consumers, and the online tool folks can use to determine their risk has also been updated.

“I want to apologize again to all impacted consumers. As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices. We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements,” Barros added in early October.

Go to equifaxsecurity2017.com to learn more about the attack, find out if you’re affected, and enroll in free identity theft protection and file monitoring services.

Updated: Equifax has learned that an additional 2.5 million Americans may have been affected by the breach. 
