Equifax Operates NCTUE Agency and the Panera Bread Situation

More news about Equifax reveals a sister corporation which may have your personal information. Plus, a recent breach at Panera Bread has ties back to Equifax as well.

I've written quite a few articles surrounding the challenges Equifax has faced since their massive security breach was revealed:

As a result of my research, the Google newsfeed on my smartphone continues to push articles related to Equifax to the top of my list of suggested articles.

Below are two Equifax-related updates that could be a concern for readers of the DZone Security Zone.

Equifax's Sister Company

Earlier this month, Gizmodo's AJ Dellinger reported (Equifax Operates Another Credit Bureau, and You Can't Freeze Your Report Online) on a Brian Krebs discovery that Equifax operates the National Consumer Telecommunications and Utilities Exchange (NCTUE) - which is another credit reporting bureau that operates outside the realm of the Big Three reporting bureaus (Equifax, Experian, and TransUnion).

The NCTUE (which is not a good acronym if you ask me) was established in the late 1990s with the intention of tracking payment and account history for utility services. According to their website, members include the following service providers:

  • Cable TV service

  • Electric service

  • Gas service

  • Home security service

  • Internet service

  • Local phone service

  • Long distance phone service

  • Satellite TV service

  • Water service

  • Wireless phone service

When I scan the history of the NCTUE, the following paragraphs stand out to me:

The National Consumer Telecommunications Data Exchange (NCTDE) was founded in 1997 by AT&T, Bellsouth, Citizens, Frontier, IXC, MCI, NYNEXLD, Sprint, and Worldcom. A representative of NACMSW was selected as executive director and vice president of NCTDE. In September 1997, the Department of Justice approved the creation of the database, and Equifax was selected as the vendor.

Equifax and NCTUE signed a new agreement to allow for the expanded reporting and use of data, including tradeline-level reporting and integrating NCTUE Plus data into products. In 2009, Equifax and the NCTUE established the NCTUE Plus database, which added member-provided tradeline-level account information to turn the existing “negative-only” repository into a more comprehensive tool for better decisioning.

Knowing that Equifax was selected as "the vendor," this statement (also on their website) caused me some great concern:

The database contains information on over 218 million unique consumers.

The same Equifax that exposed the personal/sensitive information for 2/3 of the adult population in the United States had a second service, with a pool of 218 million unique users.

Gizmodo indicated that concerned individuals could call the toll-free number (1-866-349-5355) to freeze their credit report but warned there could be a fee attached to the request.

When I checked the NCTUE website, I found a three-step form to "Place, Temporarily Lift, or Permanently Remove a Security Freeze," but I must admit to being somewhat cautious about entering all the personal information being requested onto a form (with a very dated design) using a different host than the main NCTUE site.

Former Equifax Security Director (Mike Gustavison) at Panera Bread

Somewhat related to Equifax is another data issue that security expert Dylan Houlihan (Breaking Bits) found in August 2017 related to the delivery service at Panera Bread.

The area of concern is that simply registering for an account at delivery.panerabread.com allowed users to view sensitive information for other registered accounts... just by incrementing the account ID on their REST API. This information was later proven to be available without authenticating to the API.
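The flaw described above combines a missing object-level authorization check with a missing authentication check. As an added illustration (not code from Panera Bread, Dylan Houlihan, or Brian Krebs), the example below contrasts the flawed lookup with a hardened one and includes a regression check that a defender could run against either; the account store, session tokens, and function names are hypothetical and constructed for the example.

```python
import secrets

# Constructed sample data: sequential integer IDs, as in the flaw described above.
ACCOUNTS = {
    1001: {"owner": "alice", "email": "alice@example.test"},
    1002: {"owner": "bob", "email": "bob@example.test"},
}
# Constructed session table: bearer token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

def get_account_vulnerable(account_id, token=None):
    """Flawed pattern: any existing ID returns its record; the token is ignored."""
    record = ACCOUNTS.get(account_id)
    return (200, record) if record else (404, None)

def get_account_hardened(account_id, token=None):
    """Authenticate the caller first, then authorize against the specific object."""
    user = SESSIONS.get(token)
    if user is None:
        return (401, None)  # no valid session
    record = ACCOUNTS.get(account_id)
    # Same 404 for "missing" and "not yours", so responses do not confirm which IDs exist.
    if record is None or record["owner"] != user:
        return (404, None)
    return (200, record)

def new_public_id():
    """Defence in depth: unguessable 128-bit external ID. Does not replace the ownership check."""
    return secrets.token_urlsafe(16)

def cross_account_reads(handler):
    """Regression check: every (caller, account_id) pair where a caller,
    or an anonymous request (None), reads a record it does not own."""
    leaks = []
    callers = [(None, None)] + list(SESSIONS.items())
    for token, user in callers:
        for account_id, record in ACCOUNTS.items():
            status, _ = handler(account_id, token)
            if status == 200 and record["owner"] != user:
                leaks.append((user, account_id))
    return leaks
```

Running `cross_account_reads` against each handler in a test suite turns the ownership rule into something that fails the build if the check is ever removed.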

Being an outstanding citizen, Dylan reached out to senior staff at Panera Bread and was initially accused of trying to scare up business as some type of sales pitch. Eventually, security director Mike Gustavison agreed to send a private key - which was then used to send proof of the data issue with their website.

It took multiple follow-up messages before Gustavison finally responded to confirm the report was received, but the RESTful API remained in place for months. Finally, giving up on Gustavison and his team taking action, Dylan took his concerns to the internet and created a Pastebin to demonstrate two endpoints containing the issue. At this point, security expert Brian Krebs wrote an article about the situation.

Gustavison and the Panera team went public to admit there was a problem, but stated that the problem had since been fixed. However, Krebs quickly countered on social media to disprove the statement by Panera - giving more proof that the issue was still in place. I mean, it is one thing to have an issue, but to lie about fixing it is unheard of in today's highly connected and highly social world.

Finally, Panera decided to shut down the entire site, which certainly had an impact on the customers who were using the interface.

How does this relate to Equifax? Mike Gustavison was the Director of Security Operations at Equifax back in 2013.


Last week, I offered advice to those graduating this month and entering the world of Information Technology. One of the key points I offered was to work hard.

Clearly, I believe Mike Gustavison (and his replacement at Equifax) was not "working hard" when he allowed an unpatched Struts framework to remain in place and ultimately release the sensitive information of 143 million people in the United States. His actions with the breach at Panera Bread fall into the same classification - where he left personal information for customers open for anyone to view for months before first lying about making a fix, then shutting down the service altogether when his "fix" was clearly disproved.

Hopefully, changes are being made within the walls at both Equifax and Panera Bread, which can lead to better days ahead... if both companies are able to survive these terrible situations that could have been 100% avoided.

Have a really great day!
