Analysis of the 2017 Equifax Data Breach

What Happened?

Equifax, an organization that handles consumer information and credit services such as credit information and ratings, announced on September 7th, 2017 that it was the victim of a cyber-attack. The attack succeeded because of an unpatched vulnerability (CVE-2017-5638) in an Apache Struts instance running on Equifax’s webservers. For an organization that handles extremely sensitive data, including names, addresses, social insurance numbers, and financial information, the impact of such a breach is devastating, and it demonstrates the importance of effective patch management.

 

The Vulnerability:

The vulnerability CVE-2017-5638 was announced in March of 2017 and was rated critical severity, with a vulnerability score of 10.0. A critical-severity vulnerability should be patched as soon as possible because of its security implications and the risk it poses to the environment. In this case, CVE-2017-5638 is a Remote Code Execution (RCE) vulnerability that allows remote threat actors to execute commands on the back-end systems of Equifax’s webservers through online form fields.

Since CVE-2017-5638 exists within a framework for Apache web applications, it would have been difficult for Equifax to identify vulnerable instances. Equifax’s failure to patch this vulnerability led to a series of events that is being viewed as one of the largest security breaches of the 21st century.
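
One way to inventory Struts copies that are bundled inside application archives, as an added example (not Equifax's tooling and not code from the original article): it walks a deployment directory, opens WAR/EAR files including nested ones, and flags struts2-core jars in the ranges Apache advisory S2-045 lists for CVE-2017-5638. The directory layout and sample archives in demo() are constructed.

```python
import io, re, tempfile, zipfile
from pathlib import Path

# CVE-2017-5638 (Apache advisory S2-045) affects 2.3.5 to 2.3.31 and 2.5 to 2.5.10.
AFFECTED = [((2, 3, 5, 0), (2, 3, 31, 0)), ((2, 5, 0, 0), (2, 5, 10, 0))]
JAR_RE = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)*)[^/]*\.jar$")
ARCHIVES = (".war", ".ear", ".jar", ".zip")

def is_affected(version_text):
    parts = [int(p) for p in version_text.split(".")]
    v = tuple(parts + [0] * (4 - len(parts)))  # pad so 2.5 compares as 2.5.0.0
    return any(low <= v <= high for low, high in AFFECTED)

def scan_archive(data, label, findings, depth=0):
    """Record struts2-core jars inside an archive, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a real archive; skip it
    for name in zf.namelist():
        where = f"{label}!{name}"
        m = JAR_RE.search(name)
        if m:
            findings.append((where, m.group(1), is_affected(m.group(1))))
        elif name.lower().endswith(ARCHIVES) and depth < 4:  # bound nesting
            scan_archive(zf.read(name), where, findings, depth + 1)

def scan_tree(root):
    """Walk a deployment directory; return (location, version, affected) tuples."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        m = JAR_RE.search(path.as_posix())
        if m:  # exploded web app: the jar sits directly on disk
            findings.append((path.as_posix(), m.group(1), is_affected(m.group(1))))
        elif path.suffix.lower() in ARCHIVES:
            scan_archive(path.read_bytes(), path.as_posix(), findings)
    return findings

def demo():
    """Constructed sample tree: a WAR with an affected jar, an EAR nesting a fixed one."""
    def make_zip(name, content):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, content)
        return buf.getvalue()
    with tempfile.TemporaryDirectory() as tmp:
        fixed_war = make_zip("WEB-INF/lib/struts2-core-2.5.10.1.jar", b"x")
        Path(tmp, "portal.war").write_bytes(make_zip("WEB-INF/lib/struts2-core-2.3.31.jar", b"x"))
        Path(tmp, "suite.ear").write_bytes(make_zip("billing.war", fixed_war))
        return [(loc[len(tmp) + 1:], ver, hit) for loc, ver, hit in scan_tree(tmp)]

if __name__ == "__main__":
    for location, version, affected in demo():
        print("AFFECTED" if affected else "ok      ", version, location)
```

Matching on the jar filename misses copies that were renamed or repackaged into another jar, so an empty result is not proof that Struts is absent.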

 

Timeline of Events:

· March 6th, 2017 – Apache Struts RCE Zero-Day Vulnerability identified and actively exploited.

· March 7th, 2017 – Proof of Concept Code (PoC) for a working Apache Struts RCE exploit, uploaded to a public GitHub repository.

· March 9th, 2017 – Equifax issued an internal email to deploy the Apache Struts update within 48 hours. Unfortunately, the systems failed to identify any vulnerabilities. A few days later, the IT department of Equifax ran additional scans and, yet again, was unable to recognize the vulnerability.

· March 13th, 2017 – Threat actors gained access to Equifax’s systems as well as sensitive information of nearly 44% of the U.S. population. The total impact of this breach affected residents of Canada, the United Kingdom, as well as the United States.

· July 29, 2017 – Equifax identified that they were the victim of a Cyber Attack and took necessary actions to immediately stop the intrusion.

· Aug. 1-3, 2017 – Three top executives of Equifax sell almost $2 million of company stock.

· Sept. 7, 2017 – Equifax publicly announces the security breach and provides a dedicated website for consumers to see if they were impacted. This website included controversial arbitration language regarding victims’ ability to sue Equifax.

· Sept. 7, 2017 – Equifax issued a statement saying the three executives “had no knowledge that an intrusion had occurred at the time they sold their shares.”

· Sept. 8, 2017 – Shares of Equifax plunge 13.7%.

· Sept. 8, 2017 – Sen. Elizabeth Warren (D-Mass.) tears into the company on social media for trying to push customers to give up their right to sue.

· Sept. 8, 2017 – Equifax released a statement saying its controversial arbitration language that appears on its emergency website “will not apply to this cybersecurity incident.”

· Sept. 12, 2017 – Equifax announces that two senior computer security executives at the company are retiring.

· Sept. 12, 2017 – Equifax CEO apologizes for the intrusion in a USA TODAY op-ed and vows to make changes in order to defend against cyber-crime.

· Sept. 11, 2017 – Sen. Orrin Hatch, R-Utah, who chairs the Senate Committee on Finance, and Sen. Ron Wyden, D-Oregon, the panel’s ranking minority member, request a timeline of events related to the breach, as well as details outlining Equifax’s efforts to quantify the scope of the intrusion and limit consumer harm.

· Sept. 14, 2017 – The Federal Trade Commission (FTC) reported that it is investigating Equifax’s massive data breach. As a result, Equifax shares fell 5%.

· Sept. 21, 2017 – Equifax admits that, in its communication with victims over Twitter, it directed users to securityequifax2017.com, a website flagged as a potentially harmful phishing attempt, instead of the intended website equifaxsecurity2017.com.

· Sept. 26, 2017 – Equifax announces that its CEO, Richard Smith, is retiring, and Paulino do Rego Barros, Jr., a seven-year veteran of Equifax, is appointed as interim Chief Executive Officer.

 

Public Impact:

Equifax’s failure to patch a critical vulnerability that was released many months ago resulted in roughly 44% of the US population having their personal and financial credit information compromised. These victims will now need to be aware of potential identity or financial fraud using their information, or other types of phishing attempts used by the threat actors to gain additional information. In addition, they must carefully watch out for any potential signs of identity theft for an indefinite period of time, as it is most likely these threat actors have already sold this information on underground marketplaces and forums.

 

Equifax – Immediate Impact (First 30 Days):

The announcement of Equifax’s breach led to a series of events that significantly impacted the organization. Its reputation was immediately tarnished, its shares dropped close to 19% over approximately a 7-day period, members of the organization left, and the CEO retired. More seriously, the company is now under investigation by government agencies as a result of its security practices and faces class action lawsuits from those affected, which could carry on for months or even years. Furthermore, communication between the organization and the public was handled poorly. Its offers of free credit monitoring and credit freezes for victims, and its website, were unsuccessful in handling the disaster. The lack of leadership and communication from Equifax leaves many victims more concerned.

 

Equifax – Long Term Impact (30+ days):

The long-term impact of the data compromised from Equifax’s networks is irreplaceable and inexcusable, as the data included the names, social insurance numbers and financial information of millions. This also raises a number of questions that Equifax will have to address, including questions from the general public, government officials and industry regulators. The result will be a long-term and financially exhausting investigation into the cyber-security practices of Equifax dating back several years, work to address identity theft issues arising from the breach, and a long-term downward trend in Equifax’s share price. In addition, Equifax will now be in the “hot seat” of industry regulators for years to come. This regulatory spotlight could grow to include competitors in the market, including Experian and TransUnion, with regulators reviewing their cyber-security practices to ensure a similar incident does not reoccur.

 

Summary:

For businesses and users alike, it must be noted that good security practices are not ironclad; it is never safe to assume that your data is completely safe from harm. Good security infrastructure and practices that are incorporated into your daily operations are an important aspect. It is important to understand that cybersecurity risks are not to be treated lightly and should not be viewed independently of an organization’s reputation. Informing businesses on how to stay updated on security flaws or vulnerabilities and understanding the different levels of vulnerabilities can prevent data breaches like Equifax’s from happening. By receiving a proper assessment, you are able to receive the best possible security for your configuration and business. We at InfoTransec are more than happy to provide our vulnerability assessments and security assessment services that educate and raise awareness. If you require any assistance or have any inquiries, feel free to contact us.

Recently, Equifax, a consumer credit reporting agency, had a major data breach in which private information belonging to millions of Americans was leaked. It is at risk of going into a major lawsuit by consumers if many have their financial assets stolen as a result of this information leak. This was a combination of human error and technological error. The vulnerability was that the vulnerable version of Apache Struts was not patched like it was supposed to be and was even left unnoticed by software that was supposed to catch any instance of such. This had begun around August and was caught about a month later. The overall impact to the company was that both Equifax and the head figures such as the CEO lost a lot of trust with their customers, which are banks and similar entities who use Equifax to determine the credit reliability of people who want to buy loans. Most likely in the future the company will have to report to a greater level of scrutiny by the federal government and subsidiary agencies. The CEO Richard Smith recently retired, but more likely than not this decision was highly influenced by the recent security breach. Even the shares have fallen significantly since the beginning of September. Furthermore, Susan Mauldin, the former CISO, had resigned recently as a result. Lawsuits have emerged as well. Richard Smith, CEO of Equifax, has had to report before the House and Senate committee recently. The security issues the customers face include a leak of names associated with birth dates, social security numbers, and other personal information. There is no measurement of the impact of this security issue to consumers as it is still ongoing, but identity theft has been estimated to cost the average person about 1000 dollars in losses, with an estimated 143 million people who have had their personal identification information leaked through Equifax.
The company itself has had a lot of changes: with senior executives stepping down, replacements were made such as the VP of IT taking over Susan Mauldin’s position and the chief information officer David Webb being replaced by Mark Rohrwasser. The company itself has had a lot to learn as well. It can be said that greater scrutiny of company operations executed on the topic of security must be enforced and that neither technological nor human error should be allowed in the future. To do this it would be advisable to get a stronger software platform and stronger security measures to ensure patches for security vulnerabilities do not go unnoticed if not done and that they are made properly. It may also be advisable to employ a CISO who does not have a music degree since there is a lot of criticism around Susan Mauldin’s music degree.

Data breaches are important for a number of reasons:

· Data breaches cast doubt on an organization’s ability to control confidentiality of both proprietary and consumer data.

· Data breaches expose the organization to damaging attacks from competitors both in cyberspace and the tangible world.

· Data breaches expose consumers to identity theft and asset theft.

It is very important to study data breaches in order to understand what happened. We must know not only the who and why, but also the how, where, and when. Where were the vulnerabilities? What countermeasures were in place? Why did they not work? What could have been done to prevent the breach? What was the extent of the damage? What actions were taken to mitigate the damage?

Equifax, established in 1898, had built itself into the largest of the three major credit reporting agencies. Equifax is responsible for the accumulation of over 401 million records across the globe. In 2017, Equifax reported that about 147 million people had been affected by a massive data breach that exposed sensitive data such as drivers but not social security numbers, at least not for everyone. As a result of the breach, Richard Smith, the CEO, resigned. Senator Elizabeth Warren led a Congressional investigation that found the company did not keep its computer systems up to date, making it vulnerable to even unsophisticated attacks.

Enterprises must continually address potential threats and develop countermeasures. Data systems must be continuously updated with state-of-the-art security systems. All employees must undergo security training to make them less vulnerable to phishing schemes. Consumers should also be encouraged to safeguard their personally identifiable information. Access to available information should be limited to a need to know. There should be tracking information as to who attempts to access what. Also, if a user attempts to access unauthorized information, designated officials should be notified and immediately begin an investigation. Moreover, the organization should periodically subject itself to inside and outside audits in order to look for any potential problems. Companies should consider developing their own code and nomenclature in order to camouflage sensitive information.

It may not be possible to eliminate all cyber attacks, but by remaining proactive against them, CEOs and their enterprises can limit their number and success.

The principal reason for cyber attacks, almost 75% according to the 2018 Verizon Investigations report, is financial, whether it be selling bits of information to others or using information for insider trading. The failure to maintain secure systems ultimately will result in a loss of profit and punishment for CEOs. All aspects of an enterprise will be affected.

Sources

The Washington Post, 03/01/2018, “Equifax’s Massive 2017 data breach keeps getting worse” by Brian Fung.

Forbes, 09/07/17, “Equifax Data Breach Impacts 143 million Americans” by Lee Mathews.

Verizon 2018 Data Breach Investigations Report.
