Equifax Data Breach
Case Study
Equifax: affected millions of customers.
Attack Category: SQL Injection

Description of the attack category:
SQL Injection is a type of cyber attack that exploits vulnerabilities in web applications that use SQL (Structured Query Language). Attackers insert malicious code into web application input fields, and that input is then executed as SQL commands on the backend database, potentially giving the attacker access to sensitive data.

According to a 2020 report from Positive Technologies, SQL Injection is the most common type of web application attack, accounting for 24% of all attacks.
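As an added illustration of the mechanism described above (example code written for this page, not from the original case study or from Equifax): a constructed in-memory SQLite table with sample rows is queried once by splicing the input into the SQL text and once with a bound parameter, so the same input produces different results, and a legitimate apostrophe in a value exposes the unsafe query as a query error.

```python
import sqlite3


def build_db():
    # Constructed sample data; the values are placeholders, not real records.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, ssn TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "000-00-0001", "alice"), (2, "000-00-0002", "bob")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Vulnerable: the input is spliced into the SQL text, so quote
    # characters in it become part of the query's grammar.
    sql = f"SELECT id, ssn, name FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Hardened: a bound parameter is always treated as a string value and
    # is never parsed as SQL, whatever characters it contains.
    sql = "SELECT id, ssn, name FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def apostrophe_breaks_vulnerable(conn):
    # A legitimate value containing a quote makes the unsafe query fail
    # outright; such errors in application logs are an early warning sign.
    try:
        lookup_vulnerable(conn, "o'brien")
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    # Returns the row count each lookup yields for an honest name and for a
    # constructed tautology input (the classic "' OR '1'='1" textbook case).
    conn = build_db()
    honest = "alice"
    tautology = "' OR '1'='1"
    return {
        "vuln_honest": len(lookup_vulnerable(conn, honest)),
        "vuln_tautology": len(lookup_vulnerable(conn, tautology)),
        "param_honest": len(lookup_parameterized(conn, honest)),
        "param_tautology": len(lookup_parameterized(conn, tautology)),
        "apostrophe_error": apostrophe_breaks_vulnerable(conn),
    }
```

The vulnerable lookup returns every row for the tautology input, while the parameterized lookup returns none, which is exactly the difference the Prevention section's controls are meant to enforce at the code level.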
Equifax is one of the three major credit reporting agencies in the
United States, providing credit monitoring and reporting services
to millions of customers. The company stores vast amounts of
personal and financial data, including Social Security numbers,
birth dates, addresses, and credit card information.
In 2017, Equifax suffered a massive data breach that exposed the
personal and financial data of up to 143 million customers. The
attackers exploited a vulnerability in a web application to gain
access to the company's systems and execute a SQL Injection
attack. The breach was not discovered for several months, during
which time the attackers were able to exfiltrate vast amounts of
sensitive data.
Equifax Attack Timeline
1. March 2017: Equifax is notified of a vulnerability in its web application.
2. May 2017: The vulnerability is not patched, and attackers begin exploiting it to gain access to Equifax systems.
3. July 2017: Equifax discovers the breach but fails to take immediate action to mitigate the damage.
4. September 2017: Equifax publicly announces the data breach and begins notifying affected customers.
5. October 2017: Equifax CEO Richard Smith resigns in the wake of the breach.
6. March 2018: The US Securities and Exchange Commission (SEC) charges Equifax with insider trading related to the breach.
Vulnerabilities
Overall, Equifax's security posture was inadequate, and the company failed to implement proper security controls and respond effectively to the breach.
Vulnerability #1: Failure to patch known vulnerabilities in a timely manner
Vulnerability #2: Lack of proper network segmentation and access controls
Vulnerability #3: Failure to detect and respond to the attack in a timely manner
Vulnerability #4: Lack of encryption and other security measures to protect sensitive data
Costs
Equifax has paid out hundreds of millions of dollars in settlements, fines, and other costs related to the breach, including a $700 million settlement with the US Federal Trade Commission (FTC) and a $425 million settlement with affected customers.

Prevention
Regular vulnerability scans and patch management
Proper network segmentation and access controls
Implementation of encryption and other security measures to protect sensitive data
Implementation of intrusion detection and response systems to detect and respond to attacks in a timely manner.