Equifax, a consumer credit reporting agency, made headlines this month when a massive security breach began unravelling with the public paying close attention. While no data breach should be taken lightly, some are more serious than others by the nature of the information or systems at stake. This incident was a worst-case scenario for Equifax, as it involved sensitive personally identifiable information such as social security number, name, address, date of birth, driver’s license information and, in some cases, credit card numbers.
How did this happen?
Equifax confirmed that the attackers gained access to their systems in mid-May through a weakness in a web application. Equifax may have been aware of the vulnerability as early as March, when their systems were compromised through the same vulnerability that later resulted in the large data breach; some sources believe both incidents were perpetrated by the same intruders. Security patches for the vulnerable systems had been publicly available since March of the same year, and within a couple of days of the patches being released, numerous reports indicated that vulnerable systems were being mass-targeted around the world. Equifax was likely aware of the associated risks and of the widespread attacks involving the vulnerability, yet did not take the proper steps to secure their systems, which resulted in the breach and the subsequent release of personal data of more than 800 million individual consumers and more than 88 million businesses worldwide.
The web application in question was the Apache Struts framework. The Apache team in charge of the Apache Struts project was quick to release a statement saying it was aware of the breach Equifax had suffered, and reiterated that users should patch systems regularly and as promptly as possible when updates are released, establish multi-layer security including active monitoring, and implement proper software procurement measures, and that doing so is the users’ own responsibility.
To make matters worse
The media and public alike were quick to criticize Equifax, citing a lack of transparency, as it took the company nearly two months to notify the public of the breach, and even then it was not precisely clear what data was impacted. Customers were left scrambling to find out whether they were affected and to what degree. In the weeks following the news about the data breach, Equifax attempted to help customers by creating a website to deal with questions and provide free credit monitoring; that site ended up being riddled with vulnerabilities and was further criticized by the media until it was taken down.
As more news about the incident is uncovered, Equifax is being labelled by many as negligent, with lawsuits and legal actions pending. Based on current evidence, it appears Equifax failed to be proactive about security and did not take adequate measures to protect sensitive data and systems. The incident is currently under investigation by numerous agencies, which have requested cooperation and detailed information from Equifax.
The Federal Trade Commission released the following statement:
“The FTC typically does not comment on ongoing investigations. However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach.”
In the wake of recent security incidents affecting several high-profile companies and government bodies, many are left wondering how they can protect their organizations. Responding to cybersecurity incidents requires thorough investigation to ensure that an accurate inventory of affected systems and assets is collected and that intruders are completely removed, and it may involve legal and compliance bodies. For these reasons, incident response can take several weeks, months or even years, which in turn delays notification of affected parties and the public. Developing and implementing disaster recovery plans is critical in mitigating damages once a breach occurs, but by then the damage has already been done. Developing a proactive, multi-layered security posture often involves regularly patching systems, testing for vulnerabilities, hardening systems and active monitoring, all of which, when done properly, help minimize the risk of a breach occurring in the first place. As penetration testers and security researchers, it is easy to see how a few changes to an organization’s security posture could change the dialogue for organizations that experience security incidents and, in the case of Equifax, could have spared millions of customers’ personal data and the company’s reputation.
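The first of those proactive steps, knowing which deployed systems still carry an outdated framework, is the one Equifax evidently lacked. The script below is an added example, not code from the original post or from the Apache Struts project: it walks a deployment tree, inventories every `struts2-core-<version>.jar` it finds (the standard Maven artifact naming), and flags those older than a patch baseline. The baseline version is a constructed placeholder, not a value from any advisory, and the sample directory tree is constructed inside a temporary directory so the script runs offline. Versions are compared numerically, component by component, so that `2.5.9` sorts below `2.5.10` and `2.5.10.1` is recognised as newer than `2.5.10`, which a plain string comparison gets wrong.

```python
"""Inventory Apache Struts jars under a deployment root and flag unpatched ones.

Added example, not from the original post. Assumes the Maven artifact naming
convention struts2-core-<version>.jar. PATCHED_BASELINE is a constructed
placeholder; substitute the fixed version from the vendor advisory.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed placeholder baseline, not a real advisory value.
PATCHED_BASELINE = "2.5.10"

JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b.

    Shorter versions are padded with zeros so '2.5' equals '2.5.0' instead of
    sorting below it, which is what a bare tuple comparison would do.
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_below(found: str, baseline: str) -> bool:
    """True when the installed version is older than the patch baseline."""
    return compare_versions(found, baseline) < 0


def inventory_struts_jars(root: Path) -> Dict[str, str]:
    """Map each struts2-core jar (path relative to root) to its version string."""
    found: Dict[str, str] = {}
    for path in root.rglob("struts2-core-*.jar"):
        match = JAR_RE.match(path.name)
        if match:
            found[path.relative_to(root).as_posix()] = match.group(1)
    return found


def find_unpatched(root: Path, baseline: str = PATCHED_BASELINE) -> List[str]:
    """Return relative paths of jars older than the baseline, sorted for stable output."""
    inventory = inventory_struts_jars(root)
    return sorted(p for p, v in inventory.items() if is_below(v, baseline))


def build_sample_tree(root: Path) -> None:
    """Constructed sample: four web apps, each bundling a different Struts version."""
    for app, ver in [("app1", "2.3.30"), ("app2", "2.5.10.1"),
                     ("app3", "2.5"), ("app4", "2.5.9")]:
        lib = root / app / "WEB-INF" / "lib"
        lib.mkdir(parents=True, exist_ok=True)
        (lib / f"struts2-core-{ver}.jar").write_bytes(b"")
    # An unrelated jar in the same directory must not be reported.
    (root / "app1" / "WEB-INF" / "lib" / "commons-io-2.4.jar").write_bytes(b"")


def demo() -> List[str]:
    """Build the constructed tree in a temp dir and return the unpatched jar paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return find_unpatched(root)


if __name__ == "__main__":
    for jar in demo():
        print("needs patching:", jar)
```

Run against a real deployment root, the same `find_unpatched` call gives a list that can be fed straight into a ticketing or configuration-management system, which is the kind of inventory that turns "patch regularly" from a policy into something measurable.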