Trust Center


Overview

Creditsafe's Security Program supports the delivery of business objectives by protecting the company's reputation, safeguarding existing revenue, and supporting the generation of future revenue. Dedicated subject matter experts in our Information Security and Compliance, Security Operations Center (SOC), and Security Engineering teams are committed to ensuring that appropriate measures are taken to protect the confidentiality, integrity, and availability of information entrusted to the organisation by its customers, business partners, and stakeholders.

Security is often misunderstood, so we pride ourselves on balancing a positive security culture with a robust control environment. Our approach is to enable new and existing customers to interact with our products and services in a straightforward and secure manner.

Information security is an integral part of our operations and ingrained within our people, processes, and technologies. Systems and data are protected by a comprehensive ISO 27001 certified security program, and our responsibilities are covered by:

• A Security Operations Center (SOC) that continuously monitors the organisation's security posture while preventing, detecting, and responding to cybersecurity incidents and threats.

• Security Engineering, which covers the development, integration, and maintenance of current and future security controls, technologies, and procedures across the organisation.

• A dedicated Compliance team that implements security policies, manages risks, maintains audit systems, and ensures good security practices are embedded in our company culture. We do this through user awareness training, auditing, and ongoing stakeholder engagement.

Compliance

GDPR
ISO 22301
ISO 27001
PCI DSS
BC Crisis Management Exercise Report
Connect API Security Architecture Overview
ISO22301 Group Report
ISO27001 Group & UK Report
IT Disaster Recovery Policy
PCI DSS
GDPR
ISO 22301
ISO 27001
SIG Core
Vulnerability & Patch Management
Data Breach Notifications
Data Protection Policy
Access Control Policy
Business Continuity Policy
Information Asset Management Policy
Information Security Policy
Information Security Risk Management Framework
IT & Communication Policy (Acceptable Use Policy)
Password Policy
Physical Security
Supplier Management Policy
Statement Of Applicability

Risk Profile

Impact Level: Severe
Recovery Time Objective: 24 hours
Recovery Point Objective: 24 hours

Product Security

Audit Logging
Data Security
Integrations

Reports

BC Crisis Management Exercise Report
Connect API Security Architecture Overview
ISO22301 Group Report

Self-Assessments

SIG Core

Data Security

Access Monitoring
Backups Enabled
Data Erasure

App Security

Code Analysis
Credential Management
Software Development Lifecycle

Access Control

Data Access
Logging
Password Security

Infrastructure

Amazon Web Services
Anti-DDoS
Azure

Endpoint Security

Disk Encryption
DNS Filtering
Endpoint Detection & Response

Network Security

Data Loss Prevention
Firewall
IDS/IPS

Corporate Security

Email Protection
Employee Training
HR Security

Policies

Access Control Policy
Business Continuity Policy
Data Classification Policy

Security Grades

SecurityScorecard (Creditsafe): A grade

Trust Center Updates

March Update 2024

Incidents

During the month of March, Creditsafe was affected by zero critical zero-days (CVSS 9.0+). Any other zero-days (CVSS 8.9 and below) are handled through the standard patching and update process.

Published at N/A

February Update 2024

Incidents

During the month of February, Creditsafe was affected by zero critical zero-days (CVSS 9.0+). Any other zero-days (CVSS 8.9 and below) are handled through the standard patching and update process.

Published at N/A

January Update 2024

Incidents

During the month of January, Creditsafe was affected by zero critical zero-days (CVSS 9.0+). Any other zero-days (CVSS 8.9 and below) are handled through the standard patching and update process.

Published at N/A

Citrix Bleed Vulnerability

Vulnerabilities

Creditsafe can confirm it is not affected by the Citrix Bleed vulnerability CVE-2023-4966.

Published at N/A

November Update 2023

Incidents

During the month of November, Creditsafe was affected by zero critical zero-days (CVSS 9.0+). Any other zero-days (CVSS 8.9 and below) are handled through the standard patching and update process.

Published at N/A

October Update 2023

Incidents

During the month of October, Creditsafe was affected by zero critical zero-days (CVSS 9.0+). Any other zero-days (CVSS 8.9 and below) are handled through the standard patching and update process.

Published at N/A

September Update 2023

Incidents

During the month of September, Creditsafe was affected by one critical zero-day (CVSS 9.0+): CVE-2023-4863, which was remediated through standard Chrome patching updates. Any other zero-days (CVSS 8.9 and below) are handled through the standard patching and update process.

Published at N/A

Zoom Vulnerability

Vulnerabilities

Creditsafe is affected by the August zero-day CVE-2023-39213, a Zoom vulnerability. As a company, we do use Zoom on part of our estate, and our engineers are currently working to mitigate this zero-day. Please check SafeBase for further updates.

Published at N/A

July Update 2023

Incidents

During the month of July, Creditsafe was affected by zero critical zero-days (CVSS 9.0+). Any other zero-days (CVSS 8.9 and below) are handled through the standard patching and update process.

Published at N/A

June Update 2023

Incidents

During the month of June, Creditsafe was affected by zero critical zero-days (CVSS 9.0+). We are also aware of a number of critical Windows and SharePoint vulnerabilities, which we are actively mitigating and patching.

Published at N/A

MOVEit

Vulnerabilities

Creditsafe is aware of the MOVEit incident (CVE-2023-34362) that occurred on May 31st 2023. Creditsafe does not use MOVEit in any of its environments; it has never been, and does not intend to become, a customer of MOVEit. Creditsafe uses Fortra GoAnywhere for its Managed File Transfer (MFT) solution. Creditsafe's MFT is regularly updated and was not subject to the vulnerability disclosed earlier this year.

Published at N/A

May Update 2023

Incidents

During the month of May, Creditsafe was affected by zero critical zero-days (CVSS 9.0+). Any other zero-days (CVSS 8.9 and below) are handled through the standard patching and update process.

Published at N/A

April Update 2023

Incidents

During the month of April, Creditsafe was affected by zero critical zero-days (CVSS 9.0+). Any other zero-days (CVSS 8.9 and below) are handled through the standard patching and update process.

Published at N/A

March Update 2023

Incidents

During the month of March, Creditsafe became aware of CVE-2023-23397, a Microsoft Office Outlook privilege escalation vulnerability. Work is ongoing to patch the affected Outlook versions, and available mitigations are being investigated.

Published at N/A

February Update 2023

Incidents

Creditsafe is aware of a number of zero-days relating to the Windows operating system over the last month. Active work is ongoing to patch these in line with our patching program.

We continue to monitor LastPass following its disclosure of its security incident; however, there is no evidence that Creditsafe is affected.

Additionally, we have ensured that all users with Apple iPhones have updated their devices to 16.3.1 (current latest version).

Published at N/A

January Update 2023

Incidents

During the month of January, Creditsafe was affected by zero critical zero-days (CVSS 9.0+). Any other zero-days (CVSS 8.9 and below) are handled through the standard patching and update process.

Published at N/A

December Update 2022

Incidents

During the month of December, Creditsafe was affected by zero critical zero-days (CVSS 9.0+). Any other zero-days (CVSS 8.9 and below) are handled through the standard patching and update process.

Published at N/A

LastPass Update

Incidents

Creditsafe is aware of the public statements made by LastPass on 22nd December 2022 and in the preceding quarter, and can confirm that Creditsafe uses LastPass at the enterprise level for IT administration. At this time, Creditsafe does not believe its data is impacted. Creditsafe has requested further details from LastPass on the nature of the breach. In the interim, Creditsafe has enacted a series of mitigations, including changing master passwords, heightening SOC monitoring of authentication to LastPass, and checking MFA utilisation via LastPass. In addition, the appropriateness of that technology platform is currently under review. As further details are disclosed by LastPass, Creditsafe will re-assess the impact and provide updates via SafeBase.

Published at N/A

November update 2022

Incidents

During the month of November, Creditsafe was affected by zero critical zero-days (CVSS 9.0+).

Any other zero-days (CVSS 8.9 and below) are handled through the standard patching and update process.

Published at N/A

OpenSSL Update

Incidents

Creditsafe has cross-referenced the details of this vulnerability and has concluded that we are not vulnerable to these specific CVEs.

Published at N/A*

Creditsafe runs a small part of its IT estate (less than 5%) on an operating system that uses OpenSSL and is therefore vulnerable to the above issue.

Creditsafe is taking a risk-based approach: internet-facing systems are prioritised and will be updated immediately upon release of the patch on November 1st, 2022. All internal-facing systems will follow, as per the standard update process.

An update will follow on November 2nd.

Published at N/A*

October Update 2022

Incidents

During the month of October, Creditsafe was affected by zero zero-days classified as critical (CVSS 9.0+).

Any other zero-days (CVSS 8.9 and below) are handled through the standard patching and update process.

Published at N/A

September Update 2022

Incidents

During the month of September, Creditsafe was affected by two zero-days classified as critical (CVSS 9.0+). They are as follows:

  1. Chrome, CVE-2022-3075. Remediated on all Chrome and Edge browsers by updating to v105.

  2. Multiple Apple devices, CVE-2022-32917. Remediated on all corporate Apple devices by forced updates to 15.7 via policy.

Any other zero-days (CVSS 8.9 and below) are handled through the standard patching and update process.

Published at N/A*

VMware Update – CVE-2022-22972 – Auth Bypass - CVSS 9.8/10

Incidents

Creditsafe is not affected by the above VMware vulnerability, as we do not use the specific products affected, but we will continue to scan and monitor to ensure it is not introduced in future.

Published at N/A

Statement on the developing situation in Ukraine

General

Creditsafe's Security Incident Response Team has been monitoring the developing situation in Ukraine closely and preparing its response, using both open source and vendor supplied intelligence updates.

Creditsafe's response employs a tiered approach to guide the implementation of appropriate actions. Some examples of activities currently underway include:

• The formation of a Security Incident Response Team to manage its response

• Heightened awareness and monitoring

• Staff awareness communications

• The analysis and identification of the likely threats that arise from the situation

• The exceptional implementation of precautionary and preparatory technical measures

Further details of Creditsafe's response will not be given in public communications, to reduce the likelihood that publication makes useful intelligence available to malicious parties. An update will be provided if there are material changes to the situation that affect Creditsafe.

Our Security Incident Response Team continues to monitor developments closely and will respond appropriately with pre-prepared mitigations and responses.

Published at N/A

Spring4Shell Update

Incidents

Creditsafe is not vulnerable to Spring4Shell on our internet-facing services and systems.

However, to ensure it is not introduced at a future point in time and to provide assurance, Spring4Shell is covered by our vulnerability scanning and continually monitored by our Security Team.

Published at N/A

Log4J Update

Incidents

Creditsafe has adopted a multi-layered approach to Log4j, based upon rectification, mitigation, detection, and assurance.

All platforms and systems using Log4j were patched to a minimum of 2.16.0 by 23/12/2021 (2.17.2 has since been pushed).

Since the rectifications, additional mitigation in the form of WAF rules designed to drop the specific requests has been applied, and specific Log4j scanning is conducted and continually monitored by our Security Team. This is further supplemented with IOCs to provide assurance that it is not re-introduced to the environment.

Published at N/A

If you think you may have discovered a vulnerability, please send us a note.
