Cybersecurity – how Equifax got it so wrong
The US credit monitoring service, Equifax, announced this month that a data breach of 143 million American records was discovered on July 29th. The breach included names, social security numbers, dates of birth and addresses. Many experts have blamed Equifax for not following appropriate financial security guidelines, such as keeping personal, billing and financial data in separate places.
Equifax has still maintained it’s “A” rating from the Better Business Bureau despite the blame from the public and press:
This [leak] includes the basic building blocks of identity theft, such as consumers’ names, addresses and Social Security numbers. However, the credit monitoring companies also store crucial information about consumers’ loan details, credit cards, child support payments, employment history and much more.
Howard Schwartz, Better Business Bureau spokesperson
Late software patch management
Equifax released a statement blaming the hack on the Apache Struts vulnerability, stating that they were “intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who have been impacted”. The vulnerability allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header. But, the issue was announced and patched in March 2017.
The next day after Equifax released its statement, the Apache Software Foundation declared that the data compromise was due to Equifax’s “failure to install the security updates provided in a timely manner”. The patch was available from March, and Equifax claims the breach happened between mid-May and July 2017.
In future, proposed legislation in the United States and the upcoming General Data Protection Regulation (GDPR) in the EU will hold organizations liable for poor software supply chain hygiene.
Bad password policy
Those with leaked records may be entirely unaware of their personal data being with Equifax, let alone compromise. Most of the database may have had no direct dealing with Equifax, which gets the majority of its data from banks and credit card providers, rather than its ‘customers’.
This has led to a worse reaction from the public and press than most large-scale breaches because people feel that it is a breach of their privacy to have their personal data stored without their consent.
The press and social communities online have further eroded at Equifax’s reputation by unveiling embarrassing practices before and since the breach announcement. Security researcher, Brian Krebs (who broke the Target breach story in 2014), reported Equifax’s Argentinian website left administrator access guarded by the username and password “admin”. This allowed anybody with intent to add or remove employee accounts from the system, see passwords and access the personal data of anyone who has disputed a credit report. The site has since been taken offline by Equifax.
Public image and the phishing leak
Those who suspect they may be affected could check whether they were involved in the leak by visiting Equifax’s checker site, hosted by their TrustedID product. However, it came under public scrutiny when the site appeared to tell people at random that they may have been affected by the breach, even when dummy data was entered. The situation was worsened when it was discovered that the Terms of Service of TrustedID, and consequently the checker site, implied anyone seeking clarification over the safety of their data signing up for the service is barred from suing Equifax about the breach. This immediately led to further trust deterioration immediately following the hack.
Due to the seemingly random nature of the checker site, a whitehat Twitter user, @thesquashSH, created a fake phishing version of the Equifax checker in an attempt to spoof the vulnerabilities of the original. The Equifax representatives on Twitter then accidentally distributed this fake link, leading to further reputation damage for Equifax.
The breach is a clear case in which basic security measures, such as a web application firewall and software patch management, could have prevented a hack of colossal scale from happening. It is the responsibility of all businesses and security professionals to prevent these simple mistakes from occurring.
Banks and other companies that deal with sensitive or financial information must use every relevant method of cybersecurity to prevent attacks. The fact that so many businesses are still not investing in appropriate protections and continue to make simple mistakes suggests that, despite cybersecurity concerns being a priority, in many cases, they aren’t being addressed appropriately.