Bad Credit —

Equifax hackers stole data for 200k credit cards from transaction history

Credit bureau held card data for transactions dating back to November 2016.


It wasn't just credit record data that someone made off with when they breached Equifax's website starting in May of this year. The attacker also managed to grab credit card data from transactions involving more than 200,000 credit cards, and some of those transactions dated back as far as November of 2016.

Brian Krebs reports that the credit bureau revealed all this credit card data was taken as the result of a single attack that took advantage of a months-old exploit of the Apache Foundation's Struts framework for Java-based Web applications. Visa and MasterCard both published confidential alerts to banks in their networks this week about the card exposure. Both explicitly blamed Equifax, and Visa linked to Equifax's press release on the breach. The transactions that may have been exposed took place in a period spanning November 10, 2016 to July 6, 2017, according to the Visa notification.

According to Equifax, the breach began in mid-May and was detected on July 29. "The attacker accessed a storage table that contained historical credit card transaction related information," an Equifax spokesperson told Krebs. The company did not respond to questions from Krebs about how the data was being stored.

The exposure suggests that Equifax was either not encrypting stored credit card data or that some component of the company's Java-based software gave the attackers the ability to access decrypted data. Retention of that data would have been in violation of the standards of the PCI Standards Security Council, which requires all stored data to be encrypted.

For consumers, Equifax's credit card data was likely the least damaging of the exposed information. But it does have an impact on banks, which are among Equifax's most important customers for consumer credit data. So, ironically, mishandling of credit card data could end up having more of a negative impact on Equifax than the exposure of critical information about nearly a third of US residents.
