One of the more notorious data breaches in 2017 was the Equifax hack that exposed the private information of roughly 145 million Americans. The Equifax breach is particularly troublesome because of the company’s status as a central clearinghouse for some of the most sensitive information that’s stored online. Now, it appears that the company’s lax security extends beyond basic security and may have made salary and employment information far too easy to access.
The news comes via KrebsonSecurity, which broke the story on October 8, 2017. Apparently, Equifax TALX, a service that is used for automatic verification of income and employment history data that’s used when someone applies for a loan, has utilized authentication procedures that are far too easy to bypass. Simply put, accessing the data is far too easy for anyone with access to information — such as social security numbers and dates of birth — that has been readily available for many people thanks to past data breaches.
The TALX system should only be accessible by credentialed companies such as banks and employers. As KrebsonSecurity discovered, however, many accounts can be accessed merely by entering an employer name and a complete or partial social security number. Then, the PIN that’s requested is in a majority of cases just a date of birth in easily guessed formats. Once validated, some very juicy information is available, including salary and employment history that dates back a decade or more.
Even the system’s advance authentication can be bypassed if the TALX customer failed to fully populate all the relevant information, and in many cases, detailed instructions on how to complete the authentication forms is available online. That makes it far too easy for nefarious parties to guess at how to successfully authenticate and gain access to the system.
If you’re concerned about your information being made accessible to unauthorized parties, then KrebsonSecurity provides a way to help safeguard your data:
“Fortunately, you can reduce the likelihood that an acquaintance, co-worker, stalker or anyone else can do this by claiming your own account, changing the PIN, and selecting a half-dozen security questions and answers. As always, it’s best not to answer these questions truthfully, but to input answers that only you will know and that can’t be found using social networking sites or other public data sources.”
As KrebsonSecurity notes in an update, Equifax has taken the TALX portal down for scheduled maintenance. It’s unknown whether that’s purely coincidental or if it’s in response to the story that was published yesterday. In addition, some commenters on the original story indicated that additional steps are being added that should help, although the data is still too easily accessible for anyone who’s willing to do the necessary research.
