On September 7, Equifax, one of the “big three” U.S. credit bureaus, announced a massive data breach impacting an estimated 143 million Americans. Now that preliminary information related to the breach has been released, this CapraPLUS post reflects on what happened, the impacts of the event (both immediate and long-term), and finally important lessons to be learned from the breach.
What Happened in the Equifax Breach?
On July 5, Equifax detected a breach of its internal systems, and on July 29 the firm’s security team confirmed unauthorized access to, and data extraction from, its web servers. The compromised records included social security numbers, birth dates, addresses, driver’s license numbers, and a limited number of credit card numbers.
Equifax quickly announced its findings to the public on September 7 with limited detail. After further analysis, the point of entry was found to be its Apache web servers, specifically servers running Apache Struts 2 with the CVE-2017-5638 vulnerability exposed to the public. Apache Struts, used by an estimated 65% of Fortune 100 companies, served Equifax as a free, open-source MVC framework for building modern Java web applications.
Apache publicly disclosed CVE-2017-5638 on March 6, 2017, and released a patch to remediate the exposure. Forensic analysis of the Equifax breach produced evidence that the attackers gained access to Equifax’s systems around mid-May 2017, leaving a window of nearly two months between the patch release and the compromise. Nearly three months then elapsed before the breach was detected and disclosed by Equifax.
Immediate and Long-Term Impacts
Reactions to the breach in traditional media, politics, and social media have been swift and fierce, resulting in the departures of the company’s CEO, CIO, and CISO. For an organization built upon mutual trust, Equifax’s negligence has shattered the foundation of its business and its relationships with its customers. There is not yet any clear indication whether Equifax will be able to fully recover from this event.
Beyond Equifax, the scale and characteristics of the breach will have significant effects on how organizations create trusted relationships with their consumers. Banks can no longer confidently authenticate applications for lines of credit using static identifiers such as social security numbers. Continuing an already growing trend, fewer consumers will trust organizations to securely store consumer data, and more will be reluctant to provide personal information. Over time, this broader lack of trust in the security and authenticity of static personal information will drive changes in how consumer profiles are authenticated and consumer interactions verified. Implementing more dynamic approaches to authentication and verification will be critical to protecting consumers and organizations.
Lessons To Be Learned
The Equifax breach – along with many other major breaches in recent history – shares the same characteristic: negligent patch management. Most organizations are reluctant to patch immediately because of the risk of operational impact, and so run extremely slow and rigid patch cycles. Security teams need to make the case for more agile patch cycles so that security holes are closed quickly and efficiently. The line between operational risk and security risk must be redrawn in light of modern threats so that organizations and consumers alike are protected from emerging attacks.
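The practical form of the patch-management lesson above, and of the exposure window described in the timeline section, is an inventory check: know which hosts run an affected Struts build and how long they have been exposed since the advisory. The following is an added example, not code from the post, from Equifax, or from the Apache Struts project. It assumes a simple in-memory dependency inventory (a constructed sample, not real hosts); the affected and fixed version ranges for CVE-2017-5638 are taken from the Apache Struts S2-045 bulletin (fixed in 2.3.32 and 2.5.10.1), and the advisory date is the March 6, 2017 date stated in the post.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Dict

# Advisory date for CVE-2017-5638, as stated in the post.
ADVISORY_DATE = date(2017, 3, 6)

# Version bounds from the Apache Struts S2-045 bulletin (not from the post):
# affected 2.3.5 through 2.3.31 and 2.5 through 2.5.10; fixed in 2.3.32 and 2.5.10.1.
AFFECTED_23_MIN = (2, 3, 5)
FIXED_23 = (2, 3, 32)
FIXED_25 = (2, 5, 10, 1)


def parse_version(version: str) -> tuple:
    """Turn a dotted version string such as '2.5.10.1' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version: str) -> bool:
    """True if a struts2-core version falls inside the CVE-2017-5638 affected ranges."""
    v = parse_version(version)
    if v[:2] == (2, 3):
        return AFFECTED_23_MIN <= v < FIXED_23
    if v[:2] == (2, 5):
        # Tuple comparison treats (2, 5) and (2, 5, 10) as below (2, 5, 10, 1).
        return v < FIXED_25
    return False


@dataclass(frozen=True)
class Dependency:
    host: str       # hypothetical host name
    artifact: str   # Maven-style group:artifact coordinate
    version: str


# Constructed sample inventory; host names and versions are made up for illustration.
INVENTORY: List[Dependency] = [
    Dependency("web-01", "org.apache.struts:struts2-core", "2.3.31"),
    Dependency("web-02", "org.apache.struts:struts2-core", "2.5.10"),
    Dependency("web-03", "org.apache.struts:struts2-core", "2.5.10.1"),
    Dependency("api-01", "org.apache.struts:struts2-core", "2.3.32"),
    Dependency("api-02", "org.springframework:spring-web", "4.3.7"),
]


def scan(inventory: List[Dependency], as_of: date) -> List[Dict]:
    """Report every host still running an affected struts2-core build, with days
    elapsed since the advisory, so the patch backlog can be prioritized by exposure."""
    findings = []
    for dep in inventory:
        if not dep.artifact.endswith(":struts2-core"):
            continue
        if is_vulnerable(dep.version):
            findings.append({
                "host": dep.host,
                "version": dep.version,
                "days_exposed": (as_of - ADVISORY_DATE).days,
            })
    return findings


def overdue(findings: List[Dict], sla_days: int = 30) -> List[str]:
    """Hosts whose exposure exceeds a hypothetical patch SLA, in inventory order."""
    return [f["host"] for f in findings if f["days_exposed"] > sla_days]


if __name__ == "__main__":
    # Mid-May 2017, roughly when the post says the intrusion began.
    report = scan(INVENTORY, date(2017, 5, 15))
    for finding in report:
        print(f'{finding["host"]}: struts2-core {finding["version"]} '
              f'({finding["days_exposed"]} days since advisory)')
    print("over SLA:", overdue(report))
```

Run against a real inventory, the same check belongs in the build pipeline or a scheduled job that reads the SBOM, so that a host is flagged the day an advisory lands rather than months later; the `days_exposed` figure is what turns a long list of findings into an ordered patch queue.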