The Equifax data breach has intensified, revealing that an additional 2.5 million U.S. consumers were affected, raising the total number of potential victims from 143 million to 145.5 million. This data breach, initially reported last month, involves the exposure of highly sensitive personal information, including names, Social Security numbers, birth dates, and addresses.
The breach also compromised credit card details for nearly 209,000 customers and personal identification documents for around 182,000 individuals. The severity and scale of this incident have transformed it into one of the most significant cybersecurity breaches in recent history.
The root cause of the breach was traced back to a critical vulnerability—specifically CVE-2017-5638—in the Apache Struts 2 framework. This vulnerability was known and had been patched more than two months prior to the breach, specifically on March 6. Unfortunately, Equifax failed to address this security flaw in a timely manner, even after being alerted by the U.S. Computer Emergency Readiness Team (US-CERT) on March 8 to apply the necessary updates.
Richard Smith, the former CEO of Equifax, acknowledged in a statement to the House Committee on Energy and Commerce that the breach stemmed from a combination of human error and technological failures. Scanning conducted by the company’s information security department failed to reveal any vulnerabilities related to the Apache Struts issue.
As part of the aftermath, Equifax has enlisted the services of security firm Mandiant to conduct a thorough investigation. Mandiant’s findings have confirmed that a total of 145.5 million consumers might have been impacted, yet they found no evidence of ongoing attacker activity. The firm reported that while the breach extended the number of affected individuals, the additional cases were identified during routine investigative processes rather than through new discoveries of malicious activity.
The investigation has indicated that a smaller number of Canadian consumers—approximately 8,000—were also compromised, a significant reduction from earlier estimates which suggested around 100,000. New interim CEO Paulino do Rego Barros, Jr., has publicly expressed regret over the incident and confirmed the company’s commitment to improving cybersecurity protocols moving forward.
Equifax, which oversees data on over 820 million consumers globally, has indicated plans for further notifications and reviews for its customers by October 8. The company continues its collaboration with internal teams and external cybersecurity experts to intensify its security measures.
In this context, the Equifax breach underscores the vital importance of maintaining robust cybersecurity practices. The incident exemplifies critical tactics within the MITRE ATT&CK framework, particularly in areas such as initial access, where exploitation of vulnerabilities occurs, and persistence, as attackers aim to maintain their foothold within compromised environments. For business owners, the implications of this breach highlight the need for proactive assessments and strategic enhancements to safeguard sensitive data and ensure organizational resilience against such future threats.
