Analysis of the 2017 Equifax Data Breach

What Happened?

Equifax, a consumer credit reporting agency that handles credit information and ratings, announced on September 7th, 2017 that it had been the victim of a cyber-attack. The attack succeeded because of an unpatched vulnerability (CVE-2017-5638) in Apache Struts, the Java web framework used by one of Equifax's public-facing web applications. For an organization that handles extremely sensitive data, including names, addresses, Social Security numbers (social insurance numbers for Canadian residents) and financial information, the impact of such a breach is devastating, and it demonstrates plainly why effective patch management matters.


The Vulnerability:

CVE-2017-5638 was disclosed by Apache on March 6th, 2017 (Struts advisory S2-045) and rated critical, with a CVSS base score of 10.0; fixed versions (Struts 2.3.32 and 2.5.10.1) were available at disclosure. A vulnerability of critical severity should be patched as soon as possible because of the risk it poses to the environment. CVE-2017-5638 is a Remote Code Execution (RCE) vulnerability in the Jakarta Multipart parser that Struts 2 uses for file uploads: a crafted Content-Type header is echoed into an error message that Struts then evaluates as an OGNL expression, so an unauthenticated remote attacker can run arbitrary commands on the web server with the privileges of the application. No credentials or valid form submission are required; apart from the malformed header, the request is an ordinary HTTP POST to any Struts action.
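The following is an added example, not code from the original page, from Equifax or from Apache, showing how a reverse proxy or WAF could recognize the request shape described above: an HTTP POST whose Content-Type header carries an OGNL expression where only a media type belongs. The sample requests, hostname and path are constructed for the demo, and the OGNL fragment in the probe is deliberately truncated, since the point is the header check, not the payload.

```python
"""Refuse HTTP requests whose multipart headers carry an OGNL expression.

Added example, not code from the original page, from Equifax or from Apache.
CVE-2017-5638 is triggered by a Content-Type header (and, per the related
advisory S2-046, a Content-Disposition header) that the Jakarta Multipart
parser echoes into an error message, where Struts evaluates it as OGNL.
A legitimate upload never needs '%{', '${', '#_memberAccess' or similar in
those headers, so a proxy can drop such requests before they reach Struts.
All sample requests, hostnames and paths below are constructed for the demo.
"""
import re

# Markers of an OGNL expression where only a media type should appear.
OGNL_MARKERS = re.compile(r"[%$]\{|#_memberAccess|#context\[|@java\.lang\.", re.IGNORECASE)
# Headers that the vulnerable parser copies into its error message.
SUSPECT_HEADERS = ("content-type", "content-disposition")


def find_ognl_in_headers(headers):
    """Return [(header_name, matched_marker)] for every suspect header that looks like OGNL."""
    hits = []
    for name, value in headers.items():
        if name.lower() in SUSPECT_HEADERS:
            m = OGNL_MARKERS.search(value)
            if m:
                hits.append((name, m.group(0)))
    return hits


def is_struts_probe(headers):
    """True if the request should be blocked and logged as a CVE-2017-5638 attempt."""
    return bool(find_ognl_in_headers(headers))


def parse_raw_request(raw):
    """Split a raw HTTP/1.1 request head into (request_line, {header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return lines[0], headers


def triage(raw_requests):
    """Classify each raw request as (request_line, blocked?)."""
    results = []
    for raw in raw_requests:
        request_line, headers = parse_raw_request(raw)
        results.append((request_line, is_struts_probe(headers)))
    return results


# Constructed sample traffic: a normal multipart upload and a probe whose
# Content-Type is an OGNL expression (truncated; the payload is not the point).
LEGIT_UPLOAD = (
    "POST /dispute/upload.action HTTP/1.1\r\n"
    "Host: portal.example.invalid\r\n"
    "Content-Type: multipart/form-data; boundary=----FormBoundary7MA4YWxk\r\n"
    "Content-Length: 2048\r\n"
    "\r\n"
)
OGNL_PROBE = (
    "POST /dispute/upload.action HTTP/1.1\r\n"
    "Host: portal.example.invalid\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#_memberAccess=...)}\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for request_line, blocked in triage([LEGIT_UPLOAD, OGNL_PROBE]):
        print(("BLOCK " if blocked else "allow ") + request_line)
```

A check like this is a stopgap while the patch is rolled out, not a substitute for it: a signature catches the published exploit shape, and an attacker can vary the encoding or find other headers the parser reflects. The durable fix is upgrading struts2-core to a fixed version.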

Because CVE-2017-5638 lives in a framework library that is packaged inside each Java web application rather than in a standalone product, finding vulnerable instances is harder than it sounds: a network or host scan sees a web server, not the struts2-core jar inside a deployed WAR file, so an inventory of application components is needed in addition to external scanning. Equifax's failure to patch this vulnerability led to a series of events now viewed as one of the largest security breaches of the 21st century.
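As an added example (not Equifax's or Apache's code) of the component inventory that external scanning cannot provide: the script below walks a deployment directory, opens loose struts2-core jars and the jars packed inside WAR files, reads the Maven pom.properties that Struts jars carry, and compares the version against the affected ranges listed in advisory S2-045. The deployment tree, the dispute-portal.war name and the jars inside it are constructed in a temporary directory for the demo.

```python
"""Inventory deployed Apache Struts versions and flag CVE-2017-5638 exposure.

Added example, not Equifax's or Apache's own code. It reads the Maven
pom.properties that struts2-core jars carry, both for loose jars and for jars
packed inside a WAR, and compares the version against the ranges listed in
Apache advisory S2-045 (2.3.5 - 2.3.31 and 2.5 - 2.5.10, inclusive).
The directory layout and artifact names below are constructed for the demo.
"""
import io
import os
import re
import tempfile
import zipfile

POM_PATH = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"
JAR_NAME_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")
# Affected version ranges from Apache advisory S2-045 (inclusive bounds).
VULNERABLE_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuple comparison orders releases correctly."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(version_text):
    """True if the version falls inside an affected range (2.3.32 and 2.5.10.1 are fixed)."""
    v = parse_version(version_text)
    return any(low <= v <= high for low, high in VULNERABLE_RANGES)


def _version_from_jar(jar_bytes, jar_name):
    """Prefer the Maven metadata inside the jar; fall back to the version in the file name."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PATH in jar.namelist():
            for line in jar.read(POM_PATH).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    m = JAR_NAME_RE.search(os.path.basename(jar_name))
    return m.group(1) if m else None


def scan_dir(root):
    """Return {artifact: version} for every struts2-core jar found, including jars inside WARs."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".jar") and "struts2-core" in name:
                with open(path, "rb") as f:
                    version = _version_from_jar(f.read(), name)
                if version:
                    found[path] = version
            elif name.endswith(".war"):
                with zipfile.ZipFile(path) as war:
                    for entry in war.namelist():
                        if entry.startswith("WEB-INF/lib/") and "struts2-core" in entry and entry.endswith(".jar"):
                            version = _version_from_jar(war.read(entry), entry)
                            if version:
                                found[path + "!" + entry] = version
    return found


def report(root):
    """Map each artifact to (version, vulnerable?) so the result can be asserted or printed."""
    return {artifact: (v, is_vulnerable(v)) for artifact, v in scan_dir(root).items()}


def _make_struts_jar(version):
    """Build a minimal jar carrying only the Maven pom.properties (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PATH, f"version={version}\ngroupId=org.apache.struts\nartifactId=struts2-core\n")
    return buf.getvalue()


def build_demo_tree():
    """Create a throwaway deployment directory: one vulnerable WAR and one patched loose jar."""
    root = tempfile.mkdtemp(prefix="struts-inventory-")
    with zipfile.ZipFile(os.path.join(root, "dispute-portal.war"), "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.3.31.jar", _make_struts_jar("2.3.31"))
    with open(os.path.join(root, "struts2-core-2.5.10.1.jar"), "wb") as f:
        f.write(_make_struts_jar("2.5.10.1"))
    return root


if __name__ == "__main__":
    for artifact, (version, vulnerable) in sorted(report(build_demo_tree()).items()):
        print(f"{'VULNERABLE' if vulnerable else 'ok        '} {version:<9} {artifact}")
```

The point of reading the jar's own metadata rather than trusting the file name is that repackaged or renamed jars are common in enterprise deployments; the file-name match is only a fallback. Run against the real application directories (and container images) rather than a sample tree, and treat every hit inside the affected ranges as a system that must be patched and then re-checked.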


Timeline of Events:

  • March 6th, 2017 – Apache discloses CVE-2017-5638 (Struts advisory S2-045) and releases the fixed versions, Struts 2.3.32 and 2.5.10.1; exploitation in the wild is reported within days.
  • March 7th, 2017 – Proof-of-concept (PoC) code for a working Apache Struts RCE exploit is uploaded to a public GitHub repository.
  • March 9th, 2017 – Equifax issues an internal email instructing that the Apache Struts update be deployed within 48 hours; the vulnerability scans that followed did not identify the affected system, and a further scan run by IT a few days later also missed it.
  • March 13th, 2017 – Threat actors gain access to Equifax's systems through the unpatched Struts instance. Equifax later placed the unauthorized access to data between mid-May and late July 2017; the sensitive information of nearly 44% of the U.S. population was taken, and residents of Canada and the United Kingdom were also affected.
  • July 29th, 2017 – Equifax's security team notices suspicious network traffic, identifies the intrusion and takes action to stop it.
  • Aug. 1-3, 2017 – Three top Equifax executives sell almost $2 million of company stock.
  • Sept. 7, 2017 – Equifax publicly announces the breach and provides a dedicated website for consumers to check whether they were impacted. The website includes controversial arbitration language bearing on victims' ability to sue Equifax.
  • Sept. 7, 2017 – Equifax issues a statement that the three executives "had no knowledge that an intrusion had occurred at the time they sold their shares."
  • Sept. 8, 2017 – Equifax shares fall 13.7%.
  • Sept. 8, 2017 – Sen. Elizabeth Warren (D-Mass.) publicly criticizes the company for trying to push customers to give up their right to sue.
  • Sept. 8, 2017 – Equifax states that the arbitration language on its breach website "will not apply to this cybersecurity incident."
  • Sept. 11, 2017 – Sen. Orrin Hatch (R-Utah), chair of the Senate Committee on Finance, and Sen. Ron Wyden (D-Oregon), the panel's ranking minority member, request a timeline of events related to the breach and details of Equifax's efforts to quantify the scope of the intrusion and limit consumer harm.
  • Sept. 12, 2017 – Equifax's CEO apologizes for the intrusion in a USA TODAY op-ed and vows to make changes to defend against cyber-crime.
  • Sept. 14, 2017 – The Federal Trade Commission (FTC) confirms that it is investigating the breach; Equifax shares fall a further 5%.
  • Sept. 15, 2017 – Equifax announces that its Chief Information Officer and Chief Security Officer are retiring, effective immediately.
  • Sept. 21, 2017 – It emerges that Equifax's own Twitter account had, in replies to victims, repeatedly linked to securityequifax2017.com, a look-alike domain that was flagged as a potential phishing site, instead of the intended equifaxsecurity2017.com.
  • Sept. 26, 2017 – Equifax announces that CEO Richard Smith is retiring; Paulino do Rego Barros, Jr., a seven-year veteran of the company, is appointed interim Chief Executive Officer.


Public Impact:

Equifax's failure to patch a critical vulnerability for which a fix had been available for months resulted in roughly 44% of the US population having their personal and financial credit information compromised. These victims now need to watch for identity or financial fraud carried out with their information, and for phishing attempts in which the threat actors use what they already know to obtain more. Because the stolen data cannot be changed the way a password can, victims must watch for signs of identity theft for an indefinite period, as it is likely the threat actors have already sold the information on underground marketplaces and forums.


Equifax - Immediate Impact (First 30 Days):

The announcement of the breach led to a series of events that significantly damaged the organization. Its reputation was immediately tarnished, its shares dropped close to 19% over roughly a week, senior staff left and the CEO retired. More seriously, the company is now under investigation by government agencies for its security practices and faces class-action lawsuits from those affected, which could carry on for months or even years. Communication with the public was also handled poorly: the offer of free credit monitoring, the process for freezing credit and the breach website itself all drew criticism and did little to contain the disaster. The lack of leadership and clear communication from Equifax left many victims more concerned, not less.


Equifax - Long Term Impact (30+ days):

The long-term impact of the data taken from Equifax's networks is permanent: the data included the names, Social Security or social insurance numbers and financial information of millions, and unlike a password none of it can be reissued or rotated. The breach also raises questions that Equifax will have to answer from the general public, government officials and industry regulators. The result will be a long and financially exhausting investigation into Equifax's cyber-security practices going back several years, ongoing identity-theft remediation for those affected, and a sustained decline in its share price. Equifax will be in the "hot seat" with industry regulators for years to come, and that scrutiny may well extend to its competitors, Experian and TransUnion, as regulators review their cyber-security practices to ensure a similar incident does not occur.


Summary:

For businesses and users alike, good security practices are not ironclad, and it is never safe to assume that your data is completely safe from harm. Security infrastructure and practices built into daily operations are essential. Cybersecurity risk should not be treated lightly, nor viewed as separate from an organization's reputation. Knowing how to stay informed about newly disclosed vulnerabilities, how to judge their severity, and how to confirm that a patch has actually reached every affected system can prevent breaches like Equifax's. A proper assessment lets you obtain the best possible security for your configuration and business. We at InfoTransec are happy to provide vulnerability assessment and security assessment services that educate and raise awareness. If you require any assistance or have any inquiries, feel free to contact us.