Page 1036 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

                  gain a foothold into the company’s IT networks, allowing them to
                  launch other attacks in 2017.
                  In September, Equifax announced a data breach that exposed data
                  on about 145.5 million U.S. individuals. The data breach occurred
                  between May and July and exposed data such as first and last
                  names, addresses, birth dates, and social security numbers. About
                  10 to 11 million of these records included driver’s license numbers
                  and credit card numbers for 209,000 U.S. individuals. The data
                  breach also exposed data for as many as 44 million British
                  residents and about 8,000 Canadians.

                  In October, the Equifax website was modified by attackers. Some
                  pages redirected users to a different site, offering a
                  malware-infected update for Flash. Some of these acted as drive-by
                  downloads. Users only needed to click the link, and their computer
                  was infected. Other pages encouraged users to download and
                  install a malware-infected file.

                  There’s an important lesson that responsible organizations can
                  learn from these attacks. The May attack was preventable.
                  Attackers took advantage of an Apache Struts web application
                  vulnerability that could have been patched in March. This indicates
                  a lack of a comprehensive patch management program.
                  Additionally, security experts reported that they were able to log
                  into the Argentina Equifax web portal using the account of admin
                  and a password of admin in September. This was after Equifax
                  reported the data breach that occurred in May and July. Lawyers
                  are sure to imply that these are patterns of negligence.



               The Equifax data breach can negatively impact the finances and credit
               ratings of tens of millions of individuals for years to come. It is also
               impacting Equifax directly. Shares dropped 35 percent within a week
               after Equifax officials publicly announced the data breach in
               September. This effectively wiped out about $6 billion of the
               company’s market value. One class-action lawsuit is seeking $70
               billion in damages. The U.S. Internal Revenue Service (IRS) reportedly
               suspended a $7.2 million contract with Equifax after the October
               attack. Additionally, the Federal Trade Commission (FTC) reported