It turns out other credit agencies besides Equifax could be hacked too
Other credit reporting agencies were exposed to the same security vulnerabilities exploited in the Equifax Inc. hack as the comedy of errors at the company continues to compound.
News that Experian and AnnualCreditReport.com (an organization set up by Equifax, Experian Information Solutions Inc. and TransUnion LLC) were exposed to the Apache Struts2 vulnerability used in the Equifax hacks comes via U.K. security researcher Kevin Beaumont. On his blog, Beaumont wrote that the companies were wide open to being attacked and that he had also provided details of the vulnerability in March.
It gets even worse. Beaumont noted that XSS.cx, a security reporting site, also logged the Apache Struts2 vulnerability on both Experian and AnnualCreditReport.com around the same time — complete with a Common Vulnerabilities and Exposures reporting number — and informed the companies directly. Put simply, both were told that they were exposed to the vulnerability in March and failed to act on the information.
“All of this raises serious questions,” Beaumont writes. “When were these servers patched? What information was accessed? If consumer information was accessed, have they been notified?”
It’s unknown whether data has been stolen from Experian and AnnualCreditReport.com, but Beaumont’s question is relevant: If the data was there for the taking as it was with Equifax, was it also accessed and stolen?
The news that other credit reporting agencies were exposed to hacking comes on the same day the whole Equifax hacking story keeps on giving: A server used by the company’s Argentinian operation is so badly secured that anyone could obtain access using a default server username and password.
First reported by Brian Krebs, the problem is a server that was found to allow full access to its back end using the username/password combination of “admin/admin.” The data accessible included employee records and up to 14,000 records pertaining to customers who have had dealings with Equifax in the country.
It’s not clear whether any of the data from Equifax Argentina has been stolen. But at the time of its initial hack disclosure, Equifax did say that data had been stolen from customers outside the U.S., including Canada and the U.K., so it’s quite possible Argentina could soon be on that list as well.