It’s been nearly two weeks since the credit monitoring company Equifax admitted it had suffered one of the largest data breaches in recent memory — exposing the personal information of a whopping 143 million U.S. consumers.
In a statement released Tuesday, the company finally confirmed approximately 100,000 Canadians were affected too, with names, addresses, social insurance numbers (SIN) and, in limited cases, credit card numbers among the personal information potentially accessed.
How did it happen? Here’s what we know so far, and what we don’t.
When did the company know about it?
Equifax has said that the breach occurred in mid-May, but that it only discovered intruders had compromised its systems on July 29 — nearly two months later. And for reasons that remain unclear, it took yet another month for the company to publicly disclose the breach.
However, Bloomberg reported on Monday that it was actually the second time the company had been breached this year. The prior incident occurred in March, according to Bloomberg’s sources, with one saying it involved the same intruders as the subsequent hack. Equifax says the two incidents were unrelated, but either way, the company knew it was being targeted as early as this past spring.
That timeline will likely prove important, given three of the company’s executives sold almost $1.8 million US in shares in the days after the July 29 discovery that the company had been breached. Equifax has denied the executives knew of the breach when they sold their shares.
Why didn’t Equifax patch the hole the intruders used to get in?
We also learned last week that Equifax fell victim to a vulnerability in a widely used piece of software called Apache Struts. It’s a favourite of financial institutions and government agencies, used for the development of web applications — which is what made it all the more concerning when a critical flaw was discovered in the software in March. It’s not clear why Equifax didn’t patch its systems at that time, nor why the security company Mandiant didn’t identify the vulnerability when it was called to investigate Equifax’s first security breach that same month.
Who’s behind it and what did they want?
How bad is this for Canadians?
On one hand, 100,000 Canadian…