Equifax Partner Breaches Customer Data

Written by

A technology partner of the three big credit reporting agencies has been breached in what appears to be a classic supply chain attack.

Image-I-Nation Technologies is a North Carolina-based provider of software and hosting services. It’s part of FRS Software, which produces employee and background screening software used by Equifax, Experian and TransUnion, among other organizations.

Although the firm remains tight-lipped on the nature of the incident, breach notifications to various US states shed some light on what happened.

It claimed hackers may have had a two-week window in which to steal sensitive personal information including Social Security numbers, names, dates of birth and home addresses.

“On December 20, 2018, Image-I-Nation Technologies discovered that there had been unauthorized access to our database containing the personal information of individuals who had a consumer report through our system at some point in the past,” it revealed in a noticed published by the Montana DoJ.

“Based upon our investigation, we have determined that the incident began on or about November 1, 2018 and that our systems were secure as of November 15, 2018.”

The firm claimed not to be aware of any misuse of personal info as a result of the incident, but that will not reassure those whose details have been exposed to the risk of identity theft and follow-on phishing attacks.

It’s unclear how many individuals may have been affected although Infosecurity has been able to locate breach notifications filed with at least four states: Washington, Montana, Vermont and New Hampshire.

Given Image-I-Nation’s relationship with the big credit agencies, it’s perhaps not surprising that it has been targeted by hackers looking for valuable identity information. Although cyber-criminals have gone after the agencies themselves, most notably in a major breach of around 148 million Equifax customers, they may view trusted partners of the firms as an even softer target.

“It is clear that even if an organization has excellent cybersecurity, there can be no guarantee that the same standards are applied by contractors and third-party suppliers in the supply chain,” the UK’s National Cyber Security Centre warned last year. “Attackers will target the most vulnerable part of a supply chain to reach their intended victim.”

Image-I-Nation is not to be confused with a UK chip specialist which shares the same name, without the hyphens.

What’s hot on Infosecurity Magazine?