Equifax, Other Credit Bureaus Acknowledge Data Breach


The three biggest credit reporting agencies in the U.S. each have reportedly acknowledged intrusions into their systems following the revelation of personal data, including financial information, of celebrities and prominent figures on a website this week.

Executives at Equifax, Trans Union and Experian acknowledged the breach to Bloomberg in a report published Tuesday. Tim Klein, a spokesman for Equifax, told the news agency that a hacker gained
"fraudulent and unauthorized access" to at least four consumer credit reports at the credit reporting agency. Credit reports and sensitive data on Paris Hilton, First Lady Michelle Obama, former Secretary of State Hillary Clinton and FBI director Robert Mueller appeared this week on a website called Exposed.

The hacker is maintaining the site using performance and security firm CloudFlare. The San Francisco-based company, which launched in 2010, is known for its decision to defend the website of LulzSec, the group linked to Anonymous. LulzSec used CloudFlare's denial-of-service mitigation capabilities in 2011 when it published information it had allegedly stolen from Sony.

[Related: 5 Most Dangerous New Hacking Techniques]

In 2012, malware and other attacks on financial services firms increased precipitously, said Don Gray, chief security strategist at managed security services provider Solutionary, which manages more than 2,000 organizations, connecting many of them with its ActiveGuard log and event management platform. Attacks on financial institutions more than doubled in the second half of 2012, Gray said, adding threats in 2011 had been relatively flat.

"We've seen a shift in the focus of the attacks," Gray said. "It's not so much focused on the consumer or endpoint side, but more toward the applications for the financial institutions. We're seeing attackers with an increased business-level knowledge about how the applications work and how they function in the real world."

The finance vertical experienced the second-highest attack percentage from non-U.S. source addresses, according to an analysis of the threat landscape issued by Solutionary this week. More than 90 percent of all attacks from China were directed at the business services, technology and finance verticals, the report found. While the vast majority of attacks in the wild are widespread, about 8 percent are targeted attacks and used to infect businesses and financial institution users with the intent to steal money, or data, or just to gain internal access for further exploits, the report found.

The data leak this week is being called a juvenile prank and not necessarily the work of any sophisticated hacker. The credit agencies are not dealing with malware, security experts say, but with the serious problem of properly authenticating users attempting to view their credit report. People post information often used for authentication questions in a variety of places. The information is usually public, posted to blogs, forums and social networks.

Experian told Bloomberg hackers accessed people's personal information using outside information, and Trans Union said "considerable amounts" of information about victims had been used to access the accounts. All three agencies had acknowledged security incidents in the past, mainly driven by weaknesses with access to individual accounts by third-party firms.

"There is enough information out there on the Internet or through other sources that the attackers can find enough information to be able to answer all the standard questions and get properly validated to view a report," said Gunter Ollmann, CTO of security services firm IOActive. "The questions being asked are either too easy to guess or much of the information is in the public realm."

PUBLISHED MARCH 13, 2013