What we know and still don’t know about the Equifax data breach

Equifax, the company with the sole responsibility of storing and maintaining sensitive data of U.S. users for the purpose of credit and background checks, announced that the identity information of some 143 million people has been compromised.

The hacked information was available between mid-May and the end of July, when the company discovered the breach. It told its customers in early September that they may have been affected, originally giving an estimated impact of 209,000 consumers.

However, the number has since skyrocketed – amid other allegations – making this breach one of the largest ever reported in the U.S. Equifax is responsible for more than 820 million people’s online identities as well as the sensitive information for more than 91 million businesses.

The vulnerability the hackers used to gain access to the data is still up for debate, though Equifax stated it was a “website application vulnerability” and there have been reports that it was the Apache Struts Web Framework that created the hole in security. But the fact of the matter is, the answers given by Equifax are vague and haven’t been verified.

If the vulnerability was in Apache Struts, it would have to have been exploited in the wild before the public announcement made on Sept. 4 that CVE-2017-9805 – the vulnerability being blamed for the breach that happened several months prior – was discovered and patched.

Equifax’s handling of the situation has also called into question how a company should respond to breaches. The site Equifax made so consumers can check whether their data was compromised or not – www.equifaxsecurity2017.com – looks and feels like a phishing attempt, noted several online cybersecurity researchers. The validity of the data the site spits out was also called into question as people tested fake last names and social security numbers in the portal.

So what can users do to protect themselves?

A credit freeze is probably in order, though with the data the hackers have, the freeze could be easily reversed or negated. The second-best bet is for users to continue monitoring their credit for what could amount to years to come.

In the aftermath of the attack, Equifax is facing several class action lawsuits and federal investigations.