Driz Group
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Subsidiaries
  • Contact
    • Newsletter
  • Blog
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Subsidiaries
  • Contact
    • Newsletter
  • Blog

Cybersecurity Blog

Thought leadership. threat analysis, news and alerts.

Equifax Data Breach Was “Entirely Preventable”, Report Says

12/12/2018

0 Comments

 
equifax breach entirely preventable

Equifax Data Breach Was “Entirely Preventable”, Report Says

The U.S. House of Representatives Committee on Oversight has released a report that concludes that the massive Equifax data breach back in September 2017 was "entirely preventable".

On September 7, 2017, Equifax disclosed a massive data breach affecting 143 million consumers – majority of whom were from the U.S. and some from Canada and the U.K. – this number later rose to 148 million consumers.

Equifax is one of the largest consumer reporting agencies (CRAs) in the world. CRAs collect account information from various creditors, analyze this data to create credit scores and detailed reports, and then sell these to third parties. CRAs’ data collection activities make them a repository of large amount of personally identifiable information, which make them a high-value target for cyber criminals, this according to the report released by the U.S. House of Representatives Committee on Oversight(PDF).

Few weeks prior to the Equifax data breach, former Equifax Chief Executive Officer (CEO) Richard Smithsaid that Equifax was managing “almost 1,200 times” the amount of data held by the U.S. Library of Congress every day.

As a result of the massive data breach, Equifax held several of its officials accountable. Eight days after the data breach disclosure, the company’s Chief Information Officer and Chief Security Officer both took early retirements. Nineteen days after the data breach disclosure, the company’s then Chief Executive Officer Richard Smith left the company and 25 days after the breach, the company terminated its Senior Vice President and Chief Information Officer for Global Corporate Platforms.

Anatomy of the Equifax Data Breach

Based on the report released by the U.S. House of Representatives Committee on Oversight, the Equifax data breach was a result of a series of events that could have been prevented.

On March 7, 2017, Apache Software Foundation, an organization that oversees more than 350 leading open source projects, including Apache Struts, announced and patched on the same day the security vulnerability designated as CVE-2017-5638. This security vulnerability enables attackers to conduct remote code execution (RCE), a cyber attack in which the attacker takes over a computer by exploiting a vulnerability in the computer, regardless of where the computer is geographically located. A proof of conceptof CVE-2017-5638 attack scenario is publicly available on GitHub.

Apache Struts is a popular open source framework for creating web applications. Many of the world’s web applications use Apache Struts, including the web applications used by Equifax, financial institutions, government organizations and Fortune 100 companies. Equifax’s Automated Consumer Interview System (ACIS), a custom-built internet-facing consumer dispute portal, was running a version of Apache Struts containing the CVE-2017-5638 vulnerability.

According to the House Oversight Committee, 2 days after the release of the CVE-2017-5638 patch, Equifax’s Global Threat and Vulnerability Management (GTVM) team emailed over 400 Equifax employees who had Apache Struts running on their system to apply the necessary patch within 48 hours. The Equifax GTVM team also held a meeting about this vulnerability on March 16.

Despite the above-mentioned efforts, Equifax’s ACIS wasn't patched, leaving the company’s computer systems open to attacks. Just a few days after the release of the CVE-2017-5638 patch, that is, on May 13, 2017, attackers started their 76-day long cyber-attack on Equifax, the House Oversight Committee report said.

By exploiting the unpatched Apache Struts of the company’s ACIS, the report said, the attackers located a file containing unencrypted credentials, including usernames and passwords. These unencrypted credentials enabled the attackers to gain access to critical data outside Equifax’s ACIS, specifically access to the company’s 48 databases.

The report added that on these 48 databases, attackers accessed 265 times unencrypted personally identifiable information of Equifax’s consumers and said attackers transferred this data out of the company’s network. The report said Equifax wasn’t aware of this data transfer as the tool used to monitor ACIS network traffic had been inactive for 19 months as a result of an expired security certificate. It was only on July 29, 2017 that Equifax noticed the ACIS network traffic as this was the date that the company updated the expired certificate.

“Equifax failed to fully appreciate and mitigate its cybersecurity risks,” the House Oversight Committee report said. “Had the company taken action to address its observable security issues prior to this cyber attack, the data breach could have been prevented.”

Preventive Measures

Here are some of the cyber security measures that your organization can implement in order to prevent data breaches similar to the Equifax data breach:

Keep All Software Up-to-Date

Cyber attackers are quick to exploit publicly known security vulnerabilities. In the case of the Equifax data breach, attackers exploited a known security vulnerability on Apache Struts just a few days after Apache Software Foundation patched the vulnerability. It’s important to install critical patches in a timely manner so as not to leave your organization’s IT system vulnerable to cyber attacks.

Encrypt Critical Data

It’s a proactive approach to assume that one day your organization’s critical data could be accessed by an unauthorized party. It’s important to encrypt your organization’s critical data so that attackers won’t have a easy access to this high-value data. In encryption, data in plain text is converted into an unreadable form. The only way to read or unlock this encrypted data is via a decryption key – a time-consuming task on the part of the attackers. In the case of the Equifax data breach, the sensitive data of consumers wasn’t encrypted, making it easy for the attackers to locate the critical data.

Monitor Network Traffic

Monitoring your organization’s network traffic is one of the effective means of detecting intrusion. In the case of the Equifax data breach, at the time of the data breach, the company had no means to monitor its ACIS network traffic.

Look at deploying SIEM or MDRsolutions.

Network access during non-working hours and unusual volume of data transfer are signs of intrusion. A workable automated network monitoring tool is a must to protect your organization’s IT system.

0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    ATP
    Awareness Training
    Botnet
    Bots
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Espionage
    Cybersecurity
    Cyber Security
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    DDoS
    Email Security
    Fraud
    GDPR
    Hacking
    IoT
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    Social Engineering
    Third-Party Risk
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security

    RSS Feed

1.888.900.DRIZ (3749)

Managed Services
Web Application Security
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
About us
Testimonials
​Meet the Team
​Subsidiaries
​
Contact us
​
Blog
Resources & Tools
​Incident Management Playbook
Privacy Policy | CASL
Copyright © 2021 Driz Group Inc. All Rights Reserved.
Photo used under Creative Commons from GotCredit