14 Sep 2017
As if the theft of sensitive personal information belonging to half of America, and the way Equifax handled it, weren’t bad enough, there’s more. Credit card companies have been telling banks and financial institutions that about 200,000 credit cards were also stolen in the process.
Credit card companies often report information about fraudulent activity to the companies that issue the cards, which helps discover the source of the theft. They usually don’t name an exact source, but in this case both Visa and MasterCard say the cards definitely came from the Equifax breach, and both separately named the same date range for the theft. The stolen information includes the credit card number, the expiration, and the name on the card. This is enough information for thieves to shop online.
Unlike with most such hacks, the information wasn’t stolen gradually through malware. Instead, it was all downloaded in one giant batch back in May.
In related news, the hack was made possible by a vulnerability in an open-source Apache software package. Tragically, the zero-day flaw was first noticed on March 7. It was already being exploited in the wild, but Apache released a patch the next day. That means if Equifax had applied the patch as soon as it became available, all of this mess would very likely have been avoided.