[ISN] Criminals breach Equifax security for second time

InfoSec News isn at c4i.org
Mon Jun 20 02:31:09 EDT 2005

Forwarded from: Mark Bernard <Mark.Bernard at TechSecure.ca>

Dear Associates,

Did you catch this story? More break-ins and theft of consumer's
private information. I guess that they didn't get the first solution
implemented quickly enough.

========= beginning of excerpt ==========

Criminals breach Equifax security for second time 
Friday, June 17, 2005 Updated at 8:14 AM EDT


For the second time in about a year, the credit reporting company
Equifax Canada Inc. has suffered a security breach that has given
criminals access to personal financial information of hundreds of

The latest case came to Equifax Canada's attention several months ago,
but was made public only yesterday.

Criminals that breached the firewall gained access to 605 consumer
files, which contain personal information ranging from names and
addresses to type of bank loans and credit cards, payment obligations
and social insurance numbers. Credit card and bank account numbers are
not part of the files, but security experts say the information in the
files can be used by criminals for identity theft and even to build
bogus business accounts.

"Their first goal is to steal as much as they can and then see what
they can do with it," said Claudiu Popa, president of Informatica
Corp., a network security consultancy in Toronto.

A more sophisticated use would be to try to correlate some of the data
with other financial information, and open merchant accounts using the
stolen names. Those accounts could then be used to create bogus
e-commerce sites that steal from unsuspecting on-line shoppers, he

Neither Equifax nor police would say whether the information has been
put to malicious use.

A spokeswoman for Equifax Canada, Marie-Line Colangelo, said the
company has informed, by mail, all the people affected, and the breach
has been secured. It has also tagged the affected accounts with the
heading "lost or stolen identification" to warn creditors to confirm
the consumer's identity to protect against possible identity theft.

She would not comment on whether the unauthorized access was by
hackers breaking into Equifax Canada's computer systems, by physical
theft of the information, or by other means. In a statement, the
company said: "We have learned of an incident involving what appears
to be the improper use of one of our customer's access codes and
security passwords."

The RCMP said it was contacted by Equifax Canada several months ago
and has been conducting an investigation since then out of British
Columbia, where most of the affected individuals live.

Corporal Anthony Choy, an RCMP spokesman, would not say if the two
security breaches were connected. The investigation into the first one
is still under way and no arrests have been made, he said.

A little over a year ago, Equifax reported that criminals posing as
legitimate credit grantors had accessed the credit files of roughly
1,400 consumers, primarily in B.C. and Alberta.

Mr. Popa said it's widely assumed in the security industry that the
2004 attack occurred when criminals managed to fool Equifax's on-line
account system into granting administrator-like access -- known as an
elevation of privilege attack. It's entirely possible that elements of
the first crime were still present in Equifax Canada's computer
system, allowing for a second breach, or that the criminals had help
from the inside, Mr. Popa said.

"For a credit reporting agency, this is a huge hit," he said. "All the
trust goes out the window."

========= end of excerpt ===========

Best regards,

Mark E. S. Bernard, CISM, CISSP, PM,
Principal, Risk Management Services,

e-mail: Mark.Bernard at TechSecure.ca
Web: http://www.TechSecure.ca
Phone: (506) 325-0444

Leadership Quotes by Kenneth Blanchard: "The key to successful
leadership today is influence, not authority."

More information about the ISN mailing list