Thought leadership. threat analysis, news and alerts.
Equifax Data Breach Was “Entirely Preventable”, Report Says
The U.S. House of Representatives Committee on Oversight has released a report that concludes that the massive Equifax data breach back in September 2017 was "entirely preventable".
On September 7, 2017, Equifax disclosed a massive data breach affecting 143 million consumers – majority of whom were from the U.S. and some from Canada and the U.K. – this number later rose to 148 million consumers.
Equifax is one of the largest consumer reporting agencies (CRAs) in the world. CRAs collect account information from various creditors, analyze this data to create credit scores and detailed reports, and then sell these to third parties. CRAs’ data collection activities make them a repository of large amount of personally identifiable information, which make them a high-value target for cyber criminals, this according to the report released by the U.S. House of Representatives Committee on Oversight(PDF).
Few weeks prior to the Equifax data breach, former Equifax Chief Executive Officer (CEO) Richard Smithsaid that Equifax was managing “almost 1,200 times” the amount of data held by the U.S. Library of Congress every day.
As a result of the massive data breach, Equifax held several of its officials accountable. Eight days after the data breach disclosure, the company’s Chief Information Officer and Chief Security Officer both took early retirements. Nineteen days after the data breach disclosure, the company’s then Chief Executive Officer Richard Smith left the company and 25 days after the breach, the company terminated its Senior Vice President and Chief Information Officer for Global Corporate Platforms.
Anatomy of the Equifax Data Breach
Based on the report released by the U.S. House of Representatives Committee on Oversight, the Equifax data breach was a result of a series of events that could have been prevented.
On March 7, 2017, Apache Software Foundation, an organization that oversees more than 350 leading open source projects, including Apache Struts, announced and patched on the same day the security vulnerability designated as CVE-2017-5638. This security vulnerability enables attackers to conduct remote code execution (RCE), a cyber attack in which the attacker takes over a computer by exploiting a vulnerability in the computer, regardless of where the computer is geographically located. A proof of conceptof CVE-2017-5638 attack scenario is publicly available on GitHub.
Apache Struts is a popular open source framework for creating web applications. Many of the world’s web applications use Apache Struts, including the web applications used by Equifax, financial institutions, government organizations and Fortune 100 companies. Equifax’s Automated Consumer Interview System (ACIS), a custom-built internet-facing consumer dispute portal, was running a version of Apache Struts containing the CVE-2017-5638 vulnerability.
According to the House Oversight Committee, 2 days after the release of the CVE-2017-5638 patch, Equifax’s Global Threat and Vulnerability Management (GTVM) team emailed over 400 Equifax employees who had Apache Struts running on their system to apply the necessary patch within 48 hours. The Equifax GTVM team also held a meeting about this vulnerability on March 16.
Despite the above-mentioned efforts, Equifax’s ACIS wasn't patched, leaving the company’s computer systems open to attacks. Just a few days after the release of the CVE-2017-5638 patch, that is, on May 13, 2017, attackers started their 76-day long cyber-attack on Equifax, the House Oversight Committee report said.
By exploiting the unpatched Apache Struts of the company’s ACIS, the report said, the attackers located a file containing unencrypted credentials, including usernames and passwords. These unencrypted credentials enabled the attackers to gain access to critical data outside Equifax’s ACIS, specifically access to the company’s 48 databases.
The report added that on these 48 databases, attackers accessed 265 times unencrypted personally identifiable information of Equifax’s consumers and said attackers transferred this data out of the company’s network. The report said Equifax wasn’t aware of this data transfer as the tool used to monitor ACIS network traffic had been inactive for 19 months as a result of an expired security certificate. It was only on July 29, 2017 that Equifax noticed the ACIS network traffic as this was the date that the company updated the expired certificate.
“Equifax failed to fully appreciate and mitigate its cybersecurity risks,” the House Oversight Committee report said. “Had the company taken action to address its observable security issues prior to this cyber attack, the data breach could have been prevented.”
Here are some of the cyber security measures that your organization can implement in order to prevent data breaches similar to the Equifax data breach:
Keep All Software Up-to-Date
Cyber attackers are quick to exploit publicly known security vulnerabilities. In the case of the Equifax data breach, attackers exploited a known security vulnerability on Apache Struts just a few days after Apache Software Foundation patched the vulnerability. It’s important to install critical patches in a timely manner so as not to leave your organization’s IT system vulnerable to cyber attacks.
Encrypt Critical Data
It’s a proactive approach to assume that one day your organization’s critical data could be accessed by an unauthorized party. It’s important to encrypt your organization’s critical data so that attackers won’t have a easy access to this high-value data. In encryption, data in plain text is converted into an unreadable form. The only way to read or unlock this encrypted data is via a decryption key – a time-consuming task on the part of the attackers. In the case of the Equifax data breach, the sensitive data of consumers wasn’t encrypted, making it easy for the attackers to locate the critical data.
Monitor Network Traffic
Monitoring your organization’s network traffic is one of the effective means of detecting intrusion. In the case of the Equifax data breach, at the time of the data breach, the company had no means to monitor its ACIS network traffic.
Look at deploying SIEM or MDRsolutions.
Network access during non-working hours and unusual volume of data transfer are signs of intrusion. A workable automated network monitoring tool is a must to protect your organization’s IT system.
Steve E. Driz, I.S.P., ITCP