I shared my initial thoughts about the Equifax data breach in this post from Sept. 8, 2017. And here is the recording from my WCCO Radio interview with Jordana Green and Paul Douglas. What follows is an update as of Sept. 11, 2017.
(As of Sept. 14, 2017, this original post is now obsolete, but I’m leaving it intact to preserve the sequence of when we learned key facts. See the bottom for updates from Sept. 13, and Sept. 14 2017.)
The Equifax data breach announcement came on on Sept. 7, 2017. As of Sept. 11, we still have few facts. But we do have a tantalizing blog post from a news outlet named Quartz. Check out this article.
The Quartz article references a Baird Equity Research report about how the breach will effect Equifax stock. Here is the report. This key sentence in the report is at the heart of lots of speculation:
Our understanding is data retained by EFX primarily generated through consumer interactions was breached via the Apache Struts flaw…
Apache Struts is a software framework for building Java applications. Struts has had two vulnerabilities recently. One was reported and patched in March, the other on Sept. 4.
Here is another article about Apache Struts from ZDnet.
And now speculation. The Equifax data breach announcement said the attack exploited a website flaw, but I can find no other details beyond that. The Baird Equity Research report above is not clear about which Struts vulnerability, and doesn’t cite a source.
A few possible scenarios play out here. In the first scenario, Equifax never applied the patch for the March vulnerability and bad guys romped through its systems for two months undetected. This scenario is Equifax’s fault.
In the second scenario, bad guys discovered the new vulnerability before good guys found it. The patch didn’t come until Sept. 4. Smart bad guys could have easily covered their tracks while romping across the Equifax network, such that no automation looking for suspicious patterns would have uncovered it. Somehow, Equifax found the invasion on July 29. Under this scenario, the long wait for disclosure might make sense because there was no fix available until Sept. 4, and Equifax disclosed the breach Sept. 7.
I find this scenario hard to believe because five weeks – from July 29 until Sept. 4 – is a long time for anyone to fix a reported software vulnerability, especially one already in the wild. The best open source developers pride themselves on great workmanship, and taking five weeks to patch a security flaw is inconceivable. Here is what the Apache Software Foundation had to say about Apache Struts and Equifax.
And the third scenario puts it right back on Equifax – maybe Apache Struts isn’t relevant, since we don’t know where the Baird Equity Research report got its information.
Let’s not rush to judgement yet because there is one credible scenario where Equifax disclosed this thing properly and is not culpable for the breach. I wrote a blog post about how proper disclosure should work right here.
But if Equifax wants to salvage its credibility, then the people with first-hand knowledge need to share what they know about what happened.
Update Wednesday, Sept. 13, 2017
USA Today reported yesterday that Equifax itself said an Apache Struts vulnerability was the attack vector. But the article does not tell who from Equifax said it, which is frustrating. Here is the relevant paragraph.
On Tuesday, credit reporting company Equifax told USA TODAY the breach was due to an Apache Struts vulnerability. Apache Struts is free, open-source software used to create Java web applications. Several vulnerabilities have been reported, all since patched, but Equifax has not said which one was involved in this breach.
Update Thursday, Sept. 14, 2017
Equifax blew it. Heads need to roll. Scenario one above is what happened. Equifax failed to patch the March Apache Struts vulnerability and allowed attackers to rampage through its network for two months.
The articles quoting the Equifax update are everywhere. See this ZDnet article and this Ars Technica article. Their source is the infamous EquifaxSecurity2017.com site. Click on the Sept. 13, 2017 progress update for consumers.
“The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”
Let’s summarize. The people in charge at Equifax learned about the problem on July 29, but didn’t report it until September 7. A week later, on September 14, after bungling the response they spent five weeks preparing, and only in the face of an uproar, they finally told us which vulnerability the attackers exploited. But they knew all along which vulnerability it was. Why not report it in the first disclosure?
It gets worse. Three senior executives sold Equifax stock after discovering the breach and before the public announcement. Here’s an extract from this MarketWatch story:
As first reported by Bloomberg News, Chief Financial Officer John Gamble banked $946,374 on the sale, U.S. Information Solutions President Joseph Loughran made $584,099 and Consumer Information Solutions President Rodolfo Ploder earned $250,458. In the same filing, Loughran exercised an option to buy 3,000 shares at a price of $33.60.
Look closely at those titles. Chief Financial Officer, US Information Solutions President, and Consumer Information Solutions President. Equifax claims these senior executives had no idea somebody stole the data they were in charge of protecting when they sold their stock. If true, these folks are incompetent. If false, they’re crooks.
But wait. There’s more.
Take a look at this Krebs on Security post from Sept. 12. It’s a story about Equifax operations in Argentina. I’ll quote one key paragraph.
It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”
I’m still shaking my head.
Equifax CEO Richard Smith is expected to testify in front of Congress on Oct. 3. I would love to be in the room and ask a few questions.