UPDATED 23:21 EDT / SEPTEMBER 13 2017

INFRA

It turns out other credit agencies besides Equifax could be hacked too

Other credit reporting agencies were exposed to the same security vulnerabilities exploited in the Equifax Inc. hack as the comedy of errors at the company continues to compound.

News that Experian and AnnualCreditReport.com – an organization set up by Equifax, Experian Information Solutions Inc. and TransUnion LLC — were exposed to the Apache Struts2 vulnerability used in the Equifax hacks comes via U.K. security researcher Kevin Beaumont. On his blog, Beaumont wrote that not only were the companies wide open to being attacked but he also provided details of the vulnerability in March.

It gets even worse. Beaumont noted that XSS.cx, a security reporting site, also logged the Apache Struts2 vulnerability on both Experian and AnnualCreditReport.com around the same time — complete with a Common Vulnerabilities and Exposures reporting number — and informed the companies directly. Put simply, both were told that they were exposed to the vulnerability in March and failed to act on the information.

“All of this raises serious questions,” Beaumont writes. “When were these servers patched? What information was accessed? If consumer information was accessed, have they been notified?”

It’s unknown whether data has been stolen from Experian and AnnualCreditReport.com, but Beaumont’s question is relevant: If the data was there for the taking as it was with Equifax, was it also accessed and stolen?

The news that other credit reporting agencies were exposed to hacking comes on the same day the whole Equifax hacking story keeps on giving: A server used by the company’s Argentinian operation is so badly secured that anyone could obtain access using a default server username and password.

First reported by Brian Krebs, the problem is a server that was found to allow full access to its back end using the username/password combination of “admin/admin.” The data accessible included employee records and up to 14,000 records pertaining to customers who have had dealings with Equifax in the country.

It’s not clear whether any of the data from Equifax Argentina has been stolen. But at the time of its initial hack disclose, Equifax did say that data had been stolen from customers outside the U.S., including Canada and the U.K., so it’s quite possible Argentina could soon be on that list as well.

Photo: HypnoArt/Pixabay

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU