Time
51 minutes
Difficulty
Intermediate
CEU/CPE
1

Video Transcription

00:01
Hello and welcome to Cybrary's Intermediate Data Security course on PII. I'll be your instructor, Dustin Parry.
00:08
In today's video, we're going to continue our discussion on PII with a case study of the Equifax data breach. So let's go ahead and get started.
00:19
Equifax, which is one of the three largest consumer credit reporting agencies in the United States, announced in September of 2017
00:27
that its systems had been breached and the sensitive personal data of 148 million Americans had been compromised.
00:35
The data breached included names, home addresses, phone numbers, dates of birth, Social Security numbers and driver's license numbers.
00:45
The credit card numbers of approximately 209,000 consumers were also breached.
00:50
The Equifax breach is unprecedented in scope and severity.
00:55
There have been larger security breaches by other companies in the past,
00:59
but the sensitivity of the personal information held by Equifax and the scale of the problem make this breach unprecedented.
01:07
Currently, Equifax is looking to pay upwards of $700 million in the data breach case.
01:17
On September 7th, 2017,
01:19
Equifax announced that the data of approximately 143 million U.S. consumers had been breached.
01:26
The same announcement stated that some U.K. and Canadian consumers had been affected as well, but did not give a specific number.
01:34
The company stated that the unauthorized access occurred from mid-May through July 2017.
01:42
The hackers did not access data from Equifax's core consumer credit reporting databases,
01:47
but from the company's U.S. online dispute portal web application.
01:51
Some of the data breached included names, Social Security numbers, birth dates, addresses and driver's license numbers.
01:59
The vulnerability that caused the breach was the Apache Struts vulnerability CVE-2017-5638.
02:07
Apache Struts is a popular framework for creating Java web applications, and it's maintained by the Apache Software Foundation.
02:15
The foundation issued a statement announcing the vulnerability and released a patch on March 7th, 2017.
02:23
The following day,
02:25
so March 8th, the Department of Homeland Security contacted Equifax, Experian and TransUnion to notify them of the vulnerability.
02:35
On March 9th, 2017,
02:37
an internal email notification was sent to Equifax administrators directing them to apply the Apache patch.
02:46
Equifax's information security department ran scans on March 15,
02:50
2017, so about a week later,
02:53
that were meant to identify systems that were vulnerable to the Apache Struts issue.
02:57
But the scans did not identify the vulnerability.
03:00
This vulnerability was then left unpatched until July 29th, when Equifax's information security department discovered suspicious network traffic
03:09
associated with its online dispute portal and at that time applied the patch.
03:15
On July 30th, Equifax observed further suspicious activity and took the web application offline.
03:23
Three days later, the company hired cybersecurity firm Mandiant to conduct a forensic investigation of the breach.
03:29
The investigation revealed that the data of an additional 2.5 million U.S. consumers had been breached, bringing the total number of Americans affected to approximately 145.5 million.
03:43
Equifax disclosed in the same announcement that approximately 8,000 Canadians had been impacted and stated that the forensic investigation related to the U.K. consumers had been completed, but did not state the number of U.K. consumers affected.
03:55
A later announcement from Equifax stated the data of 693,000 U.K. citizens was breached.
04:03
Even worse than the actual breach was Equifax's response to the breach.
04:10
Brian Krebs called Equifax's public outreach after the breach haphazard, ill-conceived and a dumpster fire.
04:17
Equifax created a separate domain,
04:20
equifaxsecurity2017.com,
04:24
and they wanted consumers to use this domain to find out if their data was stolen.
04:29
This was flagged by most browsers as a phishing threat because it was a newly registered domain.
04:33
A developer by the name of Nick Sweeting bought securityequifax2017.com, so he just flipped the words around, to demonstrate how easy it is to imitate the site and set up an actual phishing attack.
04:46
Then Equifax's Twitter page accidentally tweeted a link to the spoof site.
04:51
Consumers who contacted Equifax in the immediate wake of the breach
04:57
to freeze their credit were given PINs that corresponded to the date and time of the freeze, which made them easier to guess.
05:05
Equifax strongly advised people to sign up for their credit monitoring service, TrustedID Premier. But in doing so, consumers agreed to terms of use with a mandatory arbitration clause.
05:17
After public outcry that Equifax was forcing consumers to give up their right to sue, the company issued a press release explaining that the arbitration clause would not apply to claims arising from the security breach.
05:29
This whole mess is a really good example of why you need to do everything in your power to keep data safe. Whether that's PII, PHI or PCI data, all data needs to be protected.
05:46
And this is kind of a really open-ended quiz question, but what do you think Equifax could have done to help better protect our data?
05:57
Obviously, the first thing that comes to mind for me is that they were notified of the patch in March
06:02
and they did not apply it until July. That's a long time for a patch to go completely unapplied. There were a lot of things that they kind of messed up on, but that's the first thing that comes to mind. If that patch had been applied, the chances of the breach would have been a lot lower.
06:23
In today's video, we went over kind of a case study on the Equifax data breach, how it applies to really all types of data, and why it's so important that we do everything in our power to protect that data.

Intermediate Data Security

This intermediate level course will cover data security in detail.

Instructed By

Dustin Parry
Network Security Engineer
Instructor