Equifax Australia ‘not compromised’ by security breach

Earlier this month, US-based company Equifax Inc. announced a cyber security incident that could have impacted up to 143 million consumers.

According to the company, “criminals exploited a US website application vulnerability to gain access to certain files”.

The company has since revealed that there were occurrences of “unauthorised access” from mid-May through July 2017 due to an attack vector in a “vulnerability” in the Apache Struts (CVE-2017-5638) web application, an open-source application framework that supports the Equifax online dispute portal web application.

The vulnerability was patched and brought online; however, the company found that the incident could potentially involve the names, social security numbers, birth dates, addresses and, in some instances, driver's license numbers of up to 143 million US consumers. 

In addition, credit card numbers for approximately 209,000 US consumers, and certain dispute documents with personal identifying information for approximately 182,000 American consumers, were accessed.

The breach also involved “unauthorised access to limited personal information for certain UK and Canadian residents”.

There was no evidence found of unauthorised activity on Equifax's core consumer or commercial credit reporting databases.

Equifax has been working with an independent cyber security firm to determine the scope of the intrusion, including the specific data impacted, and is working with authorities to find those responsible for the “criminal access”.

The company operates or has investments in 24 countries. It also owns verification of identity service ZipID in Australia.

However, the company has emphasised that there has been no evidence found of personal information of consumers in any other countries, including Australia and New Zealand, being accessed.

A spokesperson told Mortgage Business: “Equifax Australia and Equifax New Zealand systems were not compromised by the recent cyber security incident in the US. 

“The Equifax US web server that was targeted is not a component of the Equifax Australia or Equifax New Zealand infrastructure, and Equifax has found no evidence that the US cyber security incident impacted personal information of consumers in Australia or New Zealand."

Speaking of the incident in the US earlier this month, Equifax chairman and chief executive officer Richard F. Smith said: "This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologise to consumers and our business customers for the concern and frustration this causes.

"We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all US consumers, regardless of whether they were impacted by this incident."

He continued: "I've told our entire team that our goal can't be simply to fix the problem and move on. Confronting cyber security risks is a daily fight. While we've made significant investments in data security, we recognise we must do more. And we will."

The company has since announced that its chief information officer, David Webb, and chief security officer, Susan Mauldin, are retiring. 

Mark Rohrwasser, who has led Equifax's international IT operations since 2016, has been appointed interim chief information officer. 

The vice president of the IT organisation at Equifax, Russ Ayres, has been appointed interim chief security officer.

Equifax's internal investigation of this incident is still ongoing and the company continues to work closely with the FBI in its investigation.

[Related: Focus on cyber security from the start]