A few thoughts on the Equifax hack

Last Thursday (September 7, 2017), Equifax, one of the three large US credit reporting agencies, disclosed that it had been hacked. Personal details of over 143 million American consumers were exfiltrated and, according to reports at the time, were already being offered for sale on dark web markets.

While it is not unusual for large companies to be breached, or for personal details of the general public to leak, this breach is potentially far more damaging because of its sheer scale, the nature of the data taken (names, Social Security numbers, dates of birth, addresses and, for some victims, driver's license numbers), and the sensitive yet flawed role the Social Security number plays in American identity verification.

American identities aren't governed by a central ID system. Outside of a government-issued passport, there is little to secure an individual's identity: a Social Security card carries no photograph, and driver's licenses, the de facto American ID cards, are issued at the state level and are easily forged.

As a result, the Equifax breach exposes many people to identity theft: a fraudster holding someone's Social Security number and date of birth can convincingly pose as that person when applying for credit.

At this point, the only real recourse for anyone looking to protect their identity is a credit freeze. The freeze has to be placed separately with each of the three bureaus, the process is cumbersome, and it usually involves a small fee (although Equifax has announced it will waive its own fee for one month).

Given the type and amount of data, avoiding breaches altogether is an almost impossible task. Making sure that a breach doesn't result in damage, however, is achievable, if expensive. According to Ross Rostici, Cybereason intelligence analyst, to limit the damage of future breaches the data should be broken into several chunks and stored in multiple locations, so that the compromise of any one server or cluster does not result in a complete compromise. All data at rest should be encrypted, so even if a hacker can compromise the data storage they aren't going to be exfiltrating any useful information. Finally, anyone accessing these records should be required to use two-factor authentication, preferably with a key fob rather than a smartphone, given the number of phone number hijacking cases that have been reported over the last year.

According to reports, the root cause of the breach was a vulnerability in the open-source Apache Struts web framework. The flaw in question, CVE-2017-5638, was disclosed and patched by the Struts project in March, so a fix had been available for months. In the weeks and months that followed, however, attackers kept scanning for and exploiting any server whose owners had not yet applied the update.

Other victims of the CVE-2017-5638 flaw include the Canada Revenue Agency.
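Two checks a practitioner would want for the flaw discussed above, as an added example that is not code from the original post, from Cybereason or from the Apache Struts project: a detector that flags CVE-2017-5638 exploitation attempts in request logs, and a patch-gap check that tells whether a deployed Struts version falls in the affected range. The JSON-per-line log format, the `scan_log` / `is_vulnerable_struts` names and the sample log lines are constructed assumptions for this example; the mechanism (an OGNL expression smuggled in a crafted Content-Type header and evaluated by the Jakarta Multipart parser) and the affected and fixed version numbers come from the Struts project's advisory for the CVE, not from this post.

```python
"""Two checks for the Struts flaw behind the reported Equifax intrusion.

Added example; this is not code from the original post, from Cybereason, or
from the Apache Struts project. It assumes a proxy or WAF that logs each
request as one JSON object per line with a "headers" map (an assumption);
adapt scan_log() to whatever your edge actually logs. Standard combined
access logs do not record request headers, so the detection has to sit at
the proxy, WAF or application layer.
"""
import json
import re
from urllib.parse import unquote

# CVE-2017-5638: the Jakarta Multipart parser copied a malformed Content-Type
# header into an error message that was then evaluated as an OGNL expression.
# Public payloads therefore arrive in Content-Type (later variants also used
# Content-Disposition and Content-Length) and contain OGNL markers that never
# appear in a legitimate value of those headers.
HEADERS_OF_INTEREST = {"content-type", "content-disposition", "content-length"}
OGNL_MARKERS = re.compile(
    r"%\{|\$\{|#_memberAccess|@ognl\.|#context\b|getRuntime\(\)", re.IGNORECASE
)


def is_ognl_injection(value: str) -> bool:
    """True if a header value carries OGNL markers, raw or URL-encoded once or twice."""
    once = unquote(value)
    for candidate in (value, once, unquote(once)):
        if OGNL_MARKERS.search(candidate):
            return True
    return False


def flag_request(headers: dict) -> list:
    """Names of the headers in one request that look like CVE-2017-5638 attempts."""
    return [
        name
        for name, value in headers.items()
        if name.lower() in HEADERS_OF_INTEREST and is_ognl_injection(str(value))
    ]


def scan_log(lines) -> list:
    """Return (source address, path, flagged headers) for every suspicious line."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # unparseable line; a production pipeline should count these
        hits = flag_request(entry.get("headers", {}))
        if hits:
            findings.append((entry.get("src"), entry.get("path"), hits))
    return findings


def parse_version(version: str) -> tuple:
    """'2.5.10.1' -> (2, 5, 10, 1); a '-SNAPSHOT' style suffix is ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version.split("-")[0]))


def is_vulnerable_struts(version: str) -> bool:
    """Patch-gap check: Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10 are
    affected; 2.3.32 and 2.5.10.1 are the fixed releases."""
    v = parse_version(version)
    return (2, 3, 5) <= v <= (2, 3, 31) or (2, 5) <= v < (2, 5, 10, 1)


# Constructed sample log (not real traffic): two exploit attempts, the first
# raw and the second URL-encoded, plus two ordinary requests. The payload
# fragments are indicators only, not working exploits.
SAMPLE_LOG = """\
{"src": "203.0.113.7", "path": "/struts2-showcase/index.action", "headers": {"Content-Type": "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)}", "User-Agent": "curl/7.54.0"}}
{"src": "198.51.100.4", "path": "/login.action", "headers": {"Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0"}}
{"src": "203.0.113.9", "path": "/upload.action", "headers": {"Content-Type": "%25%7B%28%23cmd%3D%27id%27%29%7D", "User-Agent": "python-requests/2.18"}}
{"src": "192.0.2.5", "path": "/upload.action", "headers": {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"}}
"""


if __name__ == "__main__":
    for src, path, hits in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{src} {path} suspicious header(s): {', '.join(hits)}")
    for v in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(v, "vulnerable" if is_vulnerable_struts(v) else "patched")
```

Run stand-alone, the two constructed attack lines are reported and the ordinary form and multipart requests are not. The URL-decoding pass matters: scanners frequently encode the payload once or twice to slip past naive string matches. The version check should be run against every Struts deployment in the estate, not just the public-facing one, since the breach narrative above is precisely about a fix that existed for months before it was applied.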

Eliad Kimhy
About the Author

Eliad Kimhy is on the Cybereason Marketing team, leading production of the Malicious Life podcast.