Bad news again from Equifax: there has been another cyber security breach. This one, Equifax claims, did not breach their systems. This latest breach involved a fictitious Adobe Flash update that was really adware. The malicious attack was only detected by 3 out of 65 antivirus vendors. While Equifax was confident their databases were not compromised, the new breach and compromise of their portal has shattered what little confidence was left. The Internal Revenue Service (IRS), which had defended its contract with Equifax, has even distanced itself from the company. The IRS did this by freezing the contract until Equifax is able to prove they’re secure enough to handle sensitive data.
The Latest Data Breach
The notorious Adobe Flash strikes again, or so it would appear on the surface. However, the link is bogus and was appearing every time someone attempted to check their credit report. The breach was discovered by an independent security analyst named Randy Abrams. Abrams happened upon the compromise by accident when he was checking a discrepancy in his credit report. If someone fell for the trick, adware called Eorezo would install on their computer. The portal took about four redirects to get to the malicious page.
Leading security researchers strongly believe that the breach isn’t necessarily on Equifax’s website, but rather stems from a third-party analytics firm they work with. In either case, Equifax shut down the webpage and moved quickly to address the vulnerability. However, this was too little, too late. The damage had been done: stock prices dropped, the IRS contract was frozen, and media reporting was swift.
The IRS Contract
Prior to the latest data breach, Equifax had been in the spotlight for allowing one of the worst data breaches in history to happen. This didn’t stop the IRS, at the time, from attempting to go forward with a contract with Equifax. The IRS was so determined to go forward with their Equifax contract that they defended the contract in the face of bipartisan outcry. The IRS’s main defense of the contract was that Equifax’s compromised systems don’t impact the ability of a hacker to compromise the systems of the IRS. The IRS also claimed that, due to their labeling of Equifax as a “sole source order,” only Equifax can carry out the service that the IRS needs.
This argument failed to convince lawmakers, and the IRS already knew it was on thin ice. So when the latest breach happened to Equifax, the contract with the IRS was immediately frozen. Additionally, the Government Accountability Office (GAO) made a comment to The Hill that “Congress gave agencies, like IRS, the tools to move forward under appropriate situations. They appear to be electing not to use it.”
Equifax still has the confidence of the market. Despite the stock price plummeting to a third of what it was valued at, some experts still believe Equifax to be overvalued. This signals that the market still bets on Equifax to recover from these incidents, even if they’re the worst in cyber security history.
The Equifax data breaches may have forced a new cyber security frontier for the financial industry, though. Because the breach fundamentally compromised Social Security Number authentication measures, another form of authentication will have to be found or developed. It may take some time for the new measures to be seen in your day-to-day life, though.
The Equifax breach has certainly laid bare how vulnerable the entire credit and financial systems in the United States are right now. By breaching one private institution, Equifax, cyber criminals now have access to almost every working adult’s information. Such information could be used for fraud or as the basis for another cyber attack on other institutions. In either case, it is best to take as many security precautions as possible.