In this 2-part blog Information Security veteran Max Pritchard looks back on the data breach at credit reference agency, Equifax, examines the events that led up to the breach, and the company’s actions during and immediately after the breach. See part 2 for where we are a year after the breach and discover what we can learn from it.
A single line of code
In August 2012, a single line of code was added to a piece of open-source software designed to parse input data and send the user an error message if there was an issue. Unbeknownst to the programmer, that line of code had a bug. The code was built into a software toolkit, which was then used to build websites.
That code was in the Jakarta multipart parser. The toolkit was Apache Struts.
A fix for the bug
The Apache website announced, on 7th March 2017, a new version of Struts 188.8.131.52, which fixed the bug. The bug was rated as critical, and Apache stated
“All developers are strongly advised to perform this action,”
but then they put that line of text, in bold, in almost all of their bug and patch announcements. However, this particular vulnerability was critical because, in short, you could send a web server a specially crafted web page request and, instead of returning an error message, the server would execute any operating system command you sent it in the malicious request.
Out in the open
In a matter of hours, automated attempts to exploit this vulnerability were observed in the wild. Exploit scripts in Python were soon available for download, and popular scanning/exploit tools Metasploit and Nexpose were providing updates to allow people to check their web applications for the vulnerability. This was not under the radar. The nature of the bug, the breadth of deployment of Apache Struts, and the power it gave to malicious actors put it on a par with 2014’s infamous Heartbleed vulnerability in the OpenSSL library.
If you’re not on the list…..
On the 9th March, a member of the security team of Equifax, circulated the CERT advisory to technical team’s systems administrators by e-mail. Unfortunately, the mailing list they used to circulate the advisory was out of date and the people responsible for patching Equifax’s dispute portal were not included.
A hacking bot found the vulnerable Equifax customer dispute portal on 10th March 2017 and executed commands on the server, demonstrating to the attacker that it could be exploited. However, at this stage, it appears that no sensitive data was accessed or removed.
Lobbying for damages cap
A bill amending the US fair reporting and credit act (FCRA) is proposed on 4th May, which would cap damages in class-action lawsuits against credit organisations. Equifax, amongst other organisations that would benefit from the amendment, begin lobbying for Congress to pass the amendment. Lobbying that continues into July.
Sensitive data accessed
As best as can be ascertained, it was around 13th May that criminals accessed the exploited server and started to retrieve sensitive information including Personally Identifiable Information (“PII”.) The criminals made use of encrypted web sessions and gradual low intensity exfiltration in an effort to bypass internal security monitoring. The customer dispute portal was connected to three databases, which were systematically plundered.
The attack widens
Once the dispute portal had been raided, and because there had been no alarm or counter-measure, the attackers started using credentials and data found on the servers to search for other databases on local networks, managed to gain access and started to exfiltrate those too.
More than 143 MILLION records
Over the period, a “dwell time” of 76 days, the criminals had managed to run over 9,000 queries for personal information on 51 databases, and exfiltrate, undetected, more than 143 million records.
A simple SSL certificate
On the 29th July, a system administrator either identified, or finally decided to do something about, an SSL certificate on one of Equifax’s security systems that had expired ten months previously. The security system was meant to examine outbound traffic, but was not able to decrypt outbound data without the certificate and so had to ignore it. When the aforementioned security system was restored to normal operation, it indicated that there might be a problem. The security team started to block suspicious external addresses. When this didn’t prevent the anomalous behaviour on the network, they pulled the plug on the portal.
The CISO reported the “suspicious activity” on the dispute portal to Richard Smith, the Equifax CEO on 31st July – who authorised a new investigation by external partner Mandiant into the incident, which was organised by 2nd August. Richard Smith stated that this kind of face-to-face notification of an incident by the CISO to the CEO was not uncommon, and the company observed hundreds of millions of incidents each year.
Richard Smith asked for a full briefing from the security team and external consultants on the security incident on 15th August when he was told the breach was likely to have included a breach of PII, although he hadn’t, up to that point, asked whether PII was involved, or guessed that it was a possibility. He received that briefing on 17th of August.
Equifax Inc. publishes a press release on 7th September describing the breach and apologising. A new website www.equifaxsecurity2017.com was set up to manage enquiries alongside a US call centre with several hundred staff. The call centres were immediately swamped, and the consumer customer services teams had to be more than quintupled in size over the subsequent weeks.
Support website inadequate
The supporting website also received immediate criticism – the use of a domain name that was discrete from equifax.com was considered to increase the risks of criminal abuse – more so because the site asked consumers to submit personal information as part of identifying themselves to the site.
Getting it wrong again
Software engineer Nick Sweeting spent $5 and 20 minutes setting up a competitive website called www.securityequifax2017.com to demonstrate how easy it was to create phishing sites based on similar domains. This issue of authenticity was underlined when sometimes Equifax’s official social media feeds included links to this fake site instead of the official site.
Damages cap thrown out
Also on the 7th September, the bill proposing a cap on damages from class-action lawsuits against credit organisations is heard at Congress. The bill is subsequently thrown out, in light of the revelations in the aftermath of the breach at Equifax.
Mentioning no names
Another press release on 15th September revealing more details of the data breach, announces the immediate retirement of the company CIO and CSO, although does not name them, and the appointment of interim employees in these positions. Prior interviews with, and information about, the retiring CSO disappear from the Internet.
On the 26th September, the company announced the immediate retirement of the CEO and Chairman, Richard Smith. He steps down, benefiting from $18.4m worth of pension benefits and retaining shares worth, perhaps, $24m.
US Inland Revenue Service award Equifax a $7.25m contract for critical consumer identification services on 29th September. The contract award was subsequently withdrawn after publicity and review by the Government Accountability Office (GAO.)
Equifax announce on 2nd October that the post-breach investigation is complete, revising the number of affected records upwards to 145.5m, reducing the number of Canadian record impacts to 8,000, but leaving the number of UK records impacted open to further investigation. On October 3rd, Richard Smith appears at hearing of the US Congressional Subcommittee on Digital Commerce and Consumer Protection, to apologise for the breach, and describe and answer questions on Equifax’s behaviour before, during, and after it.
700,000 UK customers affected
Equifax Ltd announced on 10th October it would be writing to just short of 700,000 UK consumers identified as having been impacted by the data breach and a further 167,000 UK consumers whose phone number was breached, but where that phone number was already available in the public Phone Book.
On 1st March 2018 Equifax publishes Q4 and full year results from 2017. With respect to the cost to the company of the security incident, the report noted “During the fourth quarter and twelve months ended December 31, 2017, the Company recorded expenses, net of insurance recoveries, of $26.5 million and $114.0 million, respectively, related to the cybersecurity incident announced in September of 2017.”
In May 2018 plaintiffs consolidated over 400 lawsuits into two separate complaints, one on behalf of Equifax’s financial and banking customers (62 suits), and the other on behalf of individual data subjects (334 suits) whose information had been lost during the breach.
21st May 2018 saw the ICO issue a notice of intent to Equifax Ltd. The UK company was identified as the data controller, and Equifax Inc the data processor, for 15 million records concerning UK data subjects. The Commissioner found that Equifax Ltd breached five of the eight data protection principles and that the maximum monetary penalty (£500,000) under the Data Protection Act 1998 was justified and proportionate. Equifax Ltd were “disappointed in the findings and the penalty.”
On 27th June 2018 Reuters reports that Equifax Inc avoided fines in the US over the breach in a deal with banking regulators in eight US states. State regulators had to act because
“federal agencies have so far failed to sanction Equifax for the breach”
according to a statement by the head of New York Department of Financial Services.
Also on 27th June, Equifax files a motion to dismiss lawsuits brought over the breach because it owed no duty of care to safeguard the personal information of its ‘customers’.
So what happened next? Read part 2 of our blog to find out….
Or if this has already been enough to prompt you to want to do more about your own cybersecurity fill in our enquiry form or give us a call on 0845 625 9025.