How not to deal with a breach, by Equifax
Web application compromise results in massive breach, along with corresponding mud-slinging...
Credit reference firm Equifax has suffered a breach of highly personal information on 143 million US users, about 44 per cent of the population.
The data was stolen between mid-May and July this year through a vulnerability in the company’s website, which allowed hackers to steal names, social security numbers, dates of birth, addresses and, in some instances, driver's licence details; around 209,000 credit card numbers were also stolen.
The company also provides credit checking services for a host of UK companies such as BT, Capital One and British Gas, and holds around 44 million credit records for UK citizens. Equifax has not confirmed whether UK records are involved in the breach too.
The breach is serious not only in terms of the information stolen, which is exactly the kind of accurate personal information required to create false identities and impersonate victims, but also because the situation has sparked a series of controversies over the company’s response and over the vulnerability alleged to be responsible.
Although the company became aware of the breach on 29 July, several weeks passed before customers were notified, leading to speculation over motives and allegations that the delay may have increased the danger to victims.
Ilia Kolochenko, CEO of High-Tech Bridge said: “This is a disastrous data breach, probably one of the most detrimental breaches of this year, capable of undermining trust in an already quite fragile online financial space. Such a delayed public disclosure of the breach is quite dubious. Probably the disclosure was reasonably postponed in the interests of investigation, but it still could endanger the victims. Most important now is to make sure that we do not underestimate the scale of the breach, and have properly identified every victim and the integrity of data that was stolen.”
Whatever the root cause of the delay, the company’s response could easily be accused of being confusing: the official site set up to help worried consumers has the URL equifaxsecurity2017.com. As a quick test with High-Tech Bridge’s phishing and Trademark Abuse radar shows, several similar alternatives exist, including the perhaps more believable typo equifaxsecuity.com, except that the latter was registered by HiChina Zhicheng Technology Ltd.
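One way a defender can watch for lookalikes of a breach-response domain, as an added example that is not from the article or from High-Tech Bridge's radar tool (the thresholds, the crude label splitting and the sample watch list are assumptions; two of the domains in it are the ones named above, the rest are constructed):

```python
"""Flag domains that look like a legitimate breach-response site.
Added example; the legitimate domain is taken from the article, the
classification rules and the sample watch list are assumptions."""

def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute,
    or swap two adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]

def registrable_label(domain: str):
    """Crude split into (second-level label, TLD); real code would use a public-suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return (parts[-2] if len(parts) >= 2 else parts[0]), parts[-1]

def classify(legit: str, observed: str, brand: str = "equifax", max_distance: int = 2) -> str:
    legit_label, legit_tld = registrable_label(legit)
    obs_label, obs_tld = registrable_label(observed)
    if (obs_label, obs_tld) == (legit_label, legit_tld):
        return "legitimate"
    if obs_label == legit_label:
        return "tld-swap"          # same name, different TLD
    # drop digits so 'equifaxsecuity' is compared against 'equifaxsecurity', not '...2017'
    core_legit = "".join(c for c in legit_label if not c.isdigit())
    core_obs = "".join(c for c in obs_label if not c.isdigit())
    if damerau_levenshtein(core_legit, core_obs) <= max_distance:
        return "typosquat"        # one or two keystrokes away from the real name
    if brand in obs_label:
        return "brand-abuse"      # carries the brand but is not a near-miss spelling
    return "unrelated"

LEGIT = "equifaxsecurity2017.com"
# constructed watch list: first two names are from the article, the rest are made up
WATCH_LIST = ["equifaxsecurity2017.com", "equifaxsecuity.com", "equifaxsecurity2017.net",
              "equifaxsecurity2O17.com", "equifaxhelp.com", "example.org"]

def scan(domains=WATCH_LIST, legit=LEGIT):
    return {d: classify(legit, d) for d in domains}

if __name__ == "__main__":
    for domain, verdict in scan().items():
        print(f"{domain:32} {verdict}")
```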
Another controversy concerns the web application vulnerability that the hackers exploited, with some sources claiming that a recent serious flaw in Apache Struts was responsible. This allegation has prompted a strong response from Apache, stating in a blog post:
“We are sorry to hear news that Equifax suffered from a security breach and information disclosure incident that was potentially carried out by exploiting a vulnerability in the Apache Struts Web Framework. At this point in time it is not clear which Struts vulnerability would have been utilized, if any. In an online article published on Quartz.com, the assumption was made that the breach could be related to CVE-2017-9805, which was publicly announced on 2017-09-04 along with new Struts Framework software releases to patch this and other vulnerabilities. However, the security breach was already detected in July, which means that the attackers either used an earlier announced vulnerability on an unpatched Equifax server or exploited a vulnerability not known at this point in time - a so-called Zero-Day-Exploit. If the breach was caused by exploiting CVE-2017-9805, it would have been a Zero-Day-Exploit by that time.”
Ilia Kolochenko continued: “It's a very colourful, albeit very sad, example of how a vulnerability in a web application can lead to disastrous consequences for an entire company, its customer base and far beyond. Today, almost any critical data is handled and processed by web applications, but cybersecurity teams still seriously underestimate the risks related to application security. Most companies don’t even have an up-to-date application inventory. Without knowing your assets, you won’t be able to protect them. Many global companies still rely on obsolete automated solutions and tools for their application security, while cybercriminals are already using machine learning in their attacks, for example when targeting and profiling the victims.”
While it’s plain there is plenty of unfounded speculation swirling round this considerable breach, there are lessons here about the value of properly secured web apps, and also around how not to manage a breach. Let’s hope at least some of the lessons are taken to heart.