It’s likely that you’re already aware of the massive data breach disclosed last week against major credit reporting bureau Equifax (NYSE: EFX). It’s hard to miss the uproar in the aftermath, given the frightened coverage in mainstream media over the last few days. Personally Identifiable Information (PII) on nearly half of the population of the United States is reported to have been harvested, including remarkably sensitive data from Social Security numbers to residence and employment history. Equifax is beginning to feel the financial sting of this disclosure — at the time of this writing the value of shares in EFX have dropped more than 20% since its position prior to the breach disclosure.
Now, whether the financial backlash of these events sticks to Equifax in the long term remains a point of debate. Personally I’m not holding my breath, but I work in an industry populated almost exclusively by paranoid cynics so you can take that with a grain of salt. Still, with the rising count of lawsuits stacking up against the company, hopefully they’re starting to sweat a little.
How Could Equifax Let This Happen?
Reports following the disclosure were quick to blame a recently disclosed Apache Struts vulnerability for the breach. And while the vulnerability being pointed at would certainly be capable of this sort of breach, the team behind Apache Struts was less than convinced. In their official reply to the allegations, they mention that the vulnerability in question would have been a zero-day attack if it was used between May and July as reported by Equifax. Now, if I was going to burn a zero-day vulnerability on something, the PII of half of the United States would be a pretty worthwhile target, but it’s not exceptionally likely that this was the case.
More likely would be CVE-2017-5638, an unrelated Apache Struts vulnerability disclosed and patched back in March. This vulnerability was well documented and plenty of proof-of-concept code was available for developing exploits against it. If this is the case, the implication would then be that Equifax neglected to patch their webservers for two months leading up to the breach.
You can understand why they would be quick to point fingers at the newer, shinier vulnerability in the wake of their disclosure. With growing claims of negligence on their shoulders, the suggestion that months of security patches were ignored would be damning indeed.
It’s not far-fetched to think this is the case, of course. Organizations are constantly falling victim to attacks that could have been mitigated by simply installing patches on their production servers. In 2014, the Heartbleed vulnerability (CVE-2014-0160) was leveraged in an attack on Community Health Systems, a major healthcare corporation operating over 200 hospitals in the United States. This attack was performed a week after the patch for this vulnerability was released.
So there’s precedence for this sort of technical negligence in industries where personal information is supposed to be handled securely. That part isn’t a surprise. The more questionable part of this scenario was the manner in which the company responded to the breach.
The Equifax Guide To Failing At Incident Response
How the attackers breached Equifax’s web service and accessed the data they would ultimately harvest is one thing. The first thing you learn about security is to assume that there will eventually be a breach of any individual system. However, what followed the breach in this case was some of the worst-handled incident response the security community has seen in recent memory.
We may have differing opinions on the subject of “How long do you wait to disclose the most severe data breach in history?” but we could probably both agree that “a month and a half” is a bit outside the acceptable range. It’s understandable to want some time to get your ducks in a row. It’s another thing to sell your stock, hire a PR firm, and start to monetize the breach by way of an incredibly phishy domain name. (Note: Equifax would later quietly change their Terms of Service on their offer of one year of free credit monitoring to no longer automatically charge users after the termination of the free year. This was in response to massive negative response on social media and in the press.)
In their initial disclosure, Equifax chairman and CEO Rick Smith referred to the event as “disappointing”, something that will surely go down as one of the worst understatements in history. He would continue, cue card after cue card, by saying “Equifax will not be defined by this incident, but rather by how we respond.” The response — and Equifax itself by Smith’s request — is being generally received as somewhere between “not great” and “monumentally awful”.
Equifax revealed a website consumers could use to check the status of their personal information to determine whether or not it was part of the breach. Following initial concerns that the utility’s terms of service waived users rights to seek damages against the company, it would later be determined that the reliability of the tool was suspect at best — users reported receiving differing results when inputting the same data into the form.
In addition to a useless self-check application, Equifax is offering free credit freezes for thirty days in an effort to assuage consumer fears. This is hardly reassuring, because data thieves commonly wait months or more before selling stolen information. Plus, the freeze only applies to Equifax’s own credit reporting. The other major bureaus will not be affected by these actions. The gesture is made even emptier by the fact that removing the freeze can be accomplished with the data that was already stolen.
How To Use 143 Million Stolen Identities
There’s speculation abound in the infosec community regarding what will eventually come of the data exposed in the breach. Obvious predictions of mass credit and tax fraud are floating to the top, but you can’t discount the larger threats at play.
Personal identity theft is obviously possible considering the scope of the data in play, but a single entity using the data of this many individuals is far-fetched. It wouldn’t be cost-effective to purchase this amount of illicit data just to open fraudulent lines of credit. It’s not trivial to perform this sort of fraud at any sort of scale. So mass identity theft may likely be off the table unless the data is being sold piecemeal to multiple actors, which would be a much riskier endeavor for the individuals currently in possession of the information.
It’s more likely that the data will be sold in bulk to a party that can make use of such a large dataset. This means larger surreptitious entities, like organized crime, nation-state espionage, and corporate sabotage.
Think about it. If you’ve got the motivation to plant a mole in a company or governmental department, what better way than to know exactly who would take a bribe? If I wanted to find someone who would be willing to plug a USB drive full of malware into the servers of an organization, all I would need to do is run some queries against my Database Of Everybody and find out which of their employees is drowning in debt. When confronted with an offer of “We’ll pay off your student loans and your mortgage”, how many people do you know who could resist it?
Tinfoil hats or not, this is bad news. I can tell you to keep an eye on your credit reports to make sure nobody’s opening cards in your name, but honestly this is bigger than that.
It’s my hope that this will open a national dialogue into what we can do to prevent this sort of thing in the future, as well as mitigating the potential for illegal use of the data that has already been stolen. I can share CGP Grey’s video on the pitfalls of using Social Security numbers as universal identification all day long but that doesn’t matter if people don’t push to actually start a national conversation about the future of our security.
Time will tell whether this incident leads to the downfall of Equifax. Smart money says “probably not” but that’s because fortune favors the cynical. We can hope that this becomes a cautionary tale into the necessity of proactive security in organizations, but those of you reading this who work in technical positions know how slowly this sort of change takes place at a corporate level. Updates are considered a liability in a distressing number of cases, because apparently the vague threat of updates breaking a production environment supersedes the very real threat of network intrusion. Companies need to be more willing to go down for emergency maintenance in the interest of getting things right rather than blindly hoping they won’t be targeted.
Because seriously, if the security of your data isn’t something you consider intrinsically valuable…
…you’re going to get burnt.