It took Equifax 141 days to discover a breach that exposed the data of 143 million US consumers with hackers likely accessing the credit monitoring firm's systems in March, a full two months before Equifax originally said they did.
A confidential correspondence sent by FireEye's Mandiant, which was brought in to investigate the breach, to some Equifax customers, said the initial “interaction” was likely 10 March, according to a report in the Wall Street Journal.
The hackers, who exploited a vulnerability in Apache Struts, reportedly accessed the Equifax network by obtaining a user name after typing the “Whoami” command on one of the company's servers and embarking on what one source told the Journal was a “months-long reconnaissance mission.”
Lev Lesokhin, executive vice president of strategy and analytics at CAST, maintains that Equifax missed the opportunity to prepare for a breach but others should not. “The recent conventional wisdom is that it's the human factor that's the weakest point in security,” Lesokhin said. “But with sophisticated spear-phishing, this is no longer the case – businesses must ensure that the architecture itself is secure.”
Noting that “retail and financial services each on average have 91 weaknesses in application security (the same weakness that did Equifax in),” Lesokhin said, “this is something that needs to be addressed now - if phishing stopped today, companies are still vulnerable if attacked in the last five years.”