Equifax data breach: Identity-theft hackers exploited flaw experts flagged in March


SAN FRANCISCO — The security researchers who found the vulnerability that let attackers into the Equifax network had discovered it, created a fix for it and told the industry about it two months before the company was hit by hackers.

“The Equifax data compromise was due to (Equifax’) failure to install the security updates provided in a timely manner,” The Apache Foundation, which oversees the widely-used open source software, said in a statement Thursday.

Equifax told USA TODAY late Wednesday that the criminals who potentially gained access to the personal data of up to 143 million Americans had exploited a vulnerability in the Apache Struts web application framework, tracked as CVE-2017-5638.

The vulnerability was patched on March 7, 2017, the same day it was announced, the foundation said. The National Vulnerability Database entry for the flaw was updated on March 10.

Equifax said that the unauthorized access began in mid-May. That is a period of two months in which the company could have, and should have, dealt with the problem, experts say.

“We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement,” Equifax said. It did not respond to a question Wednesday about whether the patches were applied and if not, why not.

“Considering Equifax is one of the largest credit reporting agencies whose sole business relies on both credibility of data and securely handling the sensitive data of millions of consumers, it is fair to say that they should have patched it as soon as possible, not to exceed a week. A typical bank would have patched this critical vulnerability within a few days,” said Pravin Kothari, CEO of CipherCloud, a cloud security company.

The initial report of the security vulnerability says that a company using the software needed only to upgrade to a more recent version of Apache Struts. Struts is a framework for building Java web applications; companies, including many Fortune 500 corporations, use it to take in and serve up data.

“Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted,” the company said late Wednesday.

The company also indicated that it had not yet had determined the full impact of the breach.

More: How did the Equifax breach happen? Here are some answers and some questions.

More: Equifax data breach could create lifelong identity theft threat

More: Equifax CEO: ‘We will make changes’

Experts say the information potentially stolen by the hackers, including Social Security numbers, dates of birth and names, could put people at risk of identity theft for the rest of their lives.

Equifax CEO Richard F. Smith apologized Tuesday in a USA TODAY op-ed and said that the company initially “thought the intrusion was limited” after discovering it on July 29.

The company offered consumers free credit monitoring and identity theft insurance.

“We are devoting extraordinary resources to make sure this kind of incident doesn’t happen again,” Smith said. “We will make changes and continue to strengthen our defenses against cyber crimes.”

The researchers who found the vulnerability identified Wednesday by Equifax as the cause of the breach had prepared two plugins that could be used as a drop-in solution, which they posted online.

To be sure, patching the flaw isn’t as simple as just downloading a new version of Struts. It requires searching the company’s entire portfolio of applications for known and newly reported vulnerabilities, then updating each affected application to a fixed version of the library. It is then often necessary to adapt the application code so it still works with the updated framework and the rest of the software the company is using. Then everything must be retested and redeployed.
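The first step in that process, finding every copy of Struts across a portfolio, is the part most often skipped. The following is an added example, not code from the article, from Equifax or from the Apache project: it walks a directory tree, locates `struts2-core` jars both loose and packed inside WAR/EAR archives, and flags versions below the fixed releases. The fixed versions (2.3.32 and 2.5.10.1) and the affected ranges (2.3.5 through 2.3.31, 2.5 through 2.5.10) come from the Apache Struts advisory for this flaw; the sample filenames and archive contents are constructed for the demonstration.

```python
"""Inventory scan for Apache Struts 2 core jars vulnerable to CVE-2017-5638.

Added example, not the article's or Apache's code. Version boundaries are
taken from the Apache Struts advisory (S2-045); sample data is constructed.
"""
import os
import re
import tempfile
import zipfile
from typing import Iterator, List, Tuple

# Matches e.g. struts2-core-2.5.10.1.jar, capturing the dotted version.
STRUTS_JAR = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so tuples compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version: str) -> bool:
    """True if this Struts version falls in the ranges fixed by S2-045."""
    v = parse_version(version)
    if v[:2] == (2, 3):
        return (2, 3, 5) <= v < (2, 3, 32)      # fixed in 2.3.32
    if v[:2] == (2, 5):
        return (2, 5) <= v < (2, 5, 10, 1)      # fixed in 2.5.10.1
    return False


def find_struts_jars(root: str) -> Iterator[Tuple[str, str]]:
    """Yield (location, version) for every struts2-core jar under root.

    Looks at loose jars on disk and at entries inside .war/.ear/.zip
    archives, since deployed applications usually bundle the jar in
    WEB-INF/lib rather than leaving it on the filesystem.
    """
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            m = STRUTS_JAR.search(name)
            if m:
                yield path, m.group(1)
            elif name.lower().endswith((".war", ".ear", ".zip")):
                try:
                    with zipfile.ZipFile(path) as archive:
                        for member in archive.namelist():
                            m = STRUTS_JAR.search(member)
                            if m:
                                yield f"{path}!{member}", m.group(1)
                except zipfile.BadZipFile:
                    continue  # not a real archive; skip it


def audit(root: str) -> List[Tuple[str, str, bool]]:
    """Return (location, version, vulnerable) for each Struts jar found."""
    return [(loc, ver, is_vulnerable(ver)) for loc, ver in find_struts_jars(root)]


def build_sample_portfolio(root: str) -> None:
    """Constructed sample data: two loose jars and one WAR bundling a jar."""
    legacy = os.path.join(root, "legacy", "WEB-INF", "lib")
    os.makedirs(legacy)
    open(os.path.join(legacy, "struts2-core-2.3.31.jar"), "wb").close()
    patched = os.path.join(root, "patched", "WEB-INF", "lib")
    os.makedirs(patched)
    open(os.path.join(patched, "struts2-core-2.5.10.1.jar"), "wb").close()
    with zipfile.ZipFile(os.path.join(root, "portal.war"), "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.5.8.jar", b"")
        war.writestr("WEB-INF/lib/commons-io-2.5.jar", b"")


def demo() -> List[Tuple[str, str, bool]]:
    """Build the constructed portfolio in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_portfolio(root)
        return sorted(audit(root), key=lambda row: row[0])


if __name__ == "__main__":
    for location, version, vulnerable in demo():
        status = "VULNERABLE" if vulnerable else "ok"
        print(f"{status:10} {version:10} {location}")
```

Two caveats a practitioner should keep in mind. Matching on the jar filename misses shaded or renamed builds; a more thorough scan reads `META-INF/maven/org.apache.struts/struts2-core/pom.properties` inside each jar. And a clean inventory only says the fixed code is deployed; it says nothing about whether the flaw was already exploited, which is what the indicators of compromise mentioned above are for.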

To some in the industry, the problem is not that Equifax’s security practices were unusually bad, but that such poor security hygiene is all too common.
 
“Equifax’s overt negligence is undoubtedly reprehensible, however I think the waterfall of harsh critique also becomes unfair,” said Ilia Kolochenko, CEO of High-Tech Bridge, a Swiss web security company.

“The sad and inconvenient truth is that a majority of large companies have similar challenges, problems and weakness in their cybersecurity. Most companies still fail to maintain a proper application inventory and thus keep critical vulnerabilities unpatched for months.”

Patching can take time, even for large corporations with dedicated security staff, which Equifax presumably had, noted Jeff Williams, co-founder of Contrast Security. Williams identified a different Struts vulnerability earlier this year.

Still, not doing so is “absolutely unreasonable,” he said. “This is not some crazy movie-plot attack scenario. There is really no excuse for organizations not to be prepared for this totally expected scenario. They should have a well-practiced playbook and run it often.”


Follow USA TODAY reporter Nathan Bomey on Twitter @NathanBomey and Elizabeth Weise @eweise.

Read or Share this story: https://usat.ly/2wb1rVn


