Equifax, an American company based in Atlanta and present in 24 countries, has fallen victim to a particularly worrying cyberattack.
Equifax collects and analyzes the personal data of customers applying for credit. At the beginning of September, the company disclosed an intrusion into its database.
The breach potentially affects around 143 million American customers, as well as many other credit applicants in countries such as Canada and Great Britain. The criminals exploited a flaw in a web application between mid-May and July. They obtained names, social security numbers, birthdates, addresses and some driving license numbers. This data theft is really worrying.
This information will facilitate identity fraud and account hacking. In the United States, a social security number is needed to work, open a bank account or obtain a driving license, and usually to rent an apartment. Some of the data might even already be on sale on the Dark Web (the part of the Web not indexed by general search engines).
This attack strikes at the heart of Equifax’s identity and business. The company has set up a website (www.equifaxsecurity2017.com) and a phone number for its customers, and has brought in a security company to assess the damage.
All companies should see this attack as a warning. It is proof that companies can have difficulty seeing what is happening inside their own computer networks. New attacks, more sophisticated each day, increasingly go unnoticed.
Moreover, Equifax states that it discovered the attack on July 29th. However, customers were only notified at the beginning of September: an abnormal delay given how sensitive the data is. Today, that data has vanished into thin air.
This large-scale hack is far from the first. Last year, Yahoo announced that one billion accounts had been hacked, and other American companies have also been victims of hacking, such as the Adult Friend Finder website and the retail group Target. Those thieves, though, did not gain access to social insurance numbers or driving licenses.
This attack only reinforces the need for companies to account, in their security strategy, for every flaw that could serve as an entry point for cybercriminals.