Equifax blames Apache vulnerability, Canada’s privacy chief weighs in on breach

The firm said that its investigation has revealed that the attackers used a vulnerability in Apache Struts, CVE-2017-5638, to gain access to Equifax’s network and steal the financial and personal data of more than 143 million U.S. customers. The breach, which occurred between mid-May and July this year and was only announced this September by Equifax, also compromised the private information of Canadian and British customers of the company.

Privacy Commissioner contacts Equifax

Meanwhile, Canada’s privacy commissioner said he has received numerous complaints and calls from people concerned about the Equifax data breach. Commissioner Daniel Therrien said his office learned of the breach only through media reports and that the Office of the Privacy Commissioner of Canada (OPC) is now seeking more information from Equifax.

“We have advised Equifax to provide information to affected Canadians as soon as possible and we expect the company to adopt measures to help affected Canadians,” Therrien said. “…Our office is urging Equifax to find a solution to permit Canadians to find out if they are affected as soon as possible.”


The Office of the Privacy Commissioner of Canada (OPC) has received a number of complaints and calls from individuals concerned about a data breach at Equifax Inc.

After learning about the breach via media reports, our office contacted Equifax to seek information, including details on how Canadians were affected. Discussions with Equifax are ongoing and the company is cooperating with our office.

We have advised Equifax to provide information to affected Canadians as soon as possible and we expect the company to adopt measures to help affected Canadians.

Canadians who are concerned about whether or not they have been affected should not check via the U.S. website that Equifax has set up, the commissioner said. The site was designed for use with U.S. social security numbers.

What Canadians can do to

Instead, Canadians can access this site: http://www.consumer.equifax.ca/home/en_ca or reach Equifax at 1-866-828-5961 (English service) and 1-877-323-2598 (French service).

The OPC also recommended the following security measures for individuals:

  • Monitor your credit cards and bank accounts regularly and keep a close eye out for any transactions you did not authorize. Report any issues to your financial institution or credit card company right away.
  • If you identify a concern involving a theft/crime, report the incident to local police.
  • Report any incidents involving a scam or fraud to the Canadian Anti-Fraud Centre.
  • If you think you have been targeted by identity fraud, advise your bank and credit card companies. Close any accounts and cancel any cards that may have been compromised.
  • Document any information you have received and steps you have taken regarding the matter.

Issues around Apache

Information indicating the Apache Struts vulnerability was used in the Equifax breach could be troubling for many financial companies. The framework is popular with financial firms.

According to a report by the technology site ArsTechnica.com, the bug was fixed back on March 6.

However, three days after that, the vulnerability came under heavy attack by hackers using the flaw to install rogue applications on the Web servers of various companies. This would suggest that Equifax was among the businesses that failed to update their Web applications.

According to ArsTechnica, patching the flaw is “labor intensive and difficult, in part because it involved downloading an updated version of Struts and then using it to rebuild all apps that used older, buggy Struts versions.”

It is possible that some companies have hundreds of apps that need to be rebuilt in the process. These apps also need to be tested after they are rebuilt before they are activated.
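Because each application carries its own copy of Struts, the rebuild work described above starts with finding which deployed apps bundle an old copy. The following Python is an added example, not code from the article, Equifax or Apache; it assumes apps are deployed as WAR files with the library at `WEB-INF/lib/struts2-core-<version>.jar`, and the app names, version numbers and the `min_fixed` threshold are constructed placeholders.

```python
import io
import re
import zipfile

# Matches a Struts 2 core jar bundled inside a web app archive.
STRUTS_JAR = re.compile(r"WEB-INF/lib/struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '1.4.9' into (1, 4, 9) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def bundled_struts_versions(war):
    """Return the versions of every struts2-core jar in one WAR (path or file object)."""
    with zipfile.ZipFile(war) as archive:
        hits = (STRUTS_JAR.search(name) for name in archive.namelist())
        return sorted(m.group(1) for m in hits if m)


def rebuild_list(wars, min_fixed):
    """Map app name -> bundled versions older than min_fixed (apps needing a rebuild)."""
    floor = parse_version(min_fixed)
    report = {}
    for name, war in wars.items():
        old = [v for v in bundled_struts_versions(war) if parse_version(v) < floor]
        if old:
            report[name] = old
    return report


def make_war(jar_names):
    """Build a constructed, in-memory WAR holding empty jars with the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("WEB-INF/web.xml", "<web-app/>")
        for jar in jar_names:
            archive.writestr("WEB-INF/lib/" + jar, b"")
    buf.seek(0)
    return buf


# Constructed sample data: app names and version numbers are made up for the demo.
SAMPLE_WARS = {
    "billing.war": make_war(["struts2-core-1.4.9.jar", "commons-io-2.0.jar"]),
    "portal.war": make_war(["struts2-core-1.5.2.jar"]),
    "static-site.war": make_war(["commons-io-2.0.jar"]),
}

if __name__ == "__main__":
    # "1.5.0" is a placeholder; take the real fixed version from the vendor advisory.
    print(rebuild_list(SAMPLE_WARS, "1.5.0"))
```

Pointing `rebuild_list` at real WAR paths instead of `SAMPLE_WARS` gives the list of apps to rebuild and retest.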
