Web App vulnerability enables Equifax breach affecting up to 143m in US
Web App vulnerability enables Equifax breach affecting up to 143m in US

Cyber-criminals gained unauthorised access to Equifax files in a breach that could affect as many as 143 million consumers in the US, the company said Thursday.

While US consumers seemed to be in the crosshairs in this incident, the company's probe also uncovered unauthorised access to “limited personal information” for some residents in the UK and Canada.

Last night's disclosure cast a wary eye on the timing of a stock sell-off by three Equifax senior executives just three days after the company discovered the breach. Chief Financial Officer John Gamble, President of US Information Solutions Joseph Loughran, and President of Workforce Solutions Rodolfo Ploder sold more than US$ 1.8 million (£1.4 million) of shares, none of which seemed to be attributed to 10b5-1 pre-scheduled trading plans, according to a Bloomberg report

Social Security numbers, birth dates, addresses and driver's licence numbers were among the information accessed during the incident, which occurred between mid-May and July 2017. The hackers also accessed credit card information of about 209,000 US consumers and dispute documents that included personal identifying information for about 182,000 consumers.

Equifax learned of the data breach on 29 July, which it said was the result of exploitation of a US website app, and brought in an outside security firm to do the forensics. 

"It should be noted, also, that this breach did not happen by the more popular social engineering style attacks such as a phishing email compromising an employee's system or a malicious insider leaking the data, but rather, this was due to an application vulnerability in one of their websites," said Nathan Wenzler, chief security strategist at AsTech. "This is something we in the security community continue to see rising, as organisations are getting better and better at defending servers, workstations and laptops, the cyber-criminals simply move on to the next easiest target, which is most commonly the organisation's web applications." 

Wenzler said regardless of industry, it's no longer good enough to just defend internal systems. "More and more, a comprehensive security strategy is absolutely necessary that covers education, technical security controls for servers and other assets, network security and stronger software development practices that create secure applications during development and not tacked on after the fact. Hackers will find the easiest path to steal data, and organisations must be more diligent about making security part of every aspect of their technology infrastructure and development efforts.”

Chris Morales, head of security analytics at Vectra concurred, commenting in an email to SC Media UK, "Enterprises have to realise they cannot address cyber-security by simply spending money on intrusion prevention solutions and instead need to shift investments to detection and response solutions that are being used by today's advanced attackers. The cyber-attackers gained a foothold by seemingly exploiting a web application vulnerability. From there, they most likely escalated privileges, abused credentials and admin protocols, moving laterally through the network, which businesses rarely have the necessary tools to detect.” 

 

For Brian Vecci, Technical Evangelist, Varonis the issue was about knowing where valued information resides and who accesses it. He told SC: “Equifax says the hackers accessed certain files from May to July. That's 2 ½ months of access.  It seems like their data security was focused on their database– but not guarding their website and their files. Too many companies have valuable information making its way into files that don't have the same protection. Once again, we see an organisation that wasn't watching how their data was being accessed ....it shows the company had little idea where their most sensitive data is and probably wasn't monitoring what its users were doing. You can't catch what you can't see, and when you're blind to who's accessing data like this, a breach is inevitable.” 

The “massive, and unfortunate” breach “once again amplifies the need for better application security testing and assurance on a continuous basis,” said CYBRIC CTO Mike Kail. “The status quo isn't working as these types of exploits are becoming all too common." 

 

Incident response is now key says Nigel Hawthorn, chief European spokesperson at Skyhigh Networks, who comments: “All businesses must think about the steps they would take in similar circumstances to investigate a breach, track the data lost and put together a communication plan to customers. Not having a pre-prepared and tested incident response plan causes delay in disclosing data loss which simply opens up the company to further criticism and reputation damage when information is eventually publicised. Moreover, companies have to ensure that they are aware of every outsourcer, business partner or cloud service that may be sharing data, as similar breaches at any of those will have repercussions up the chain.”

Equifax has acknowledged that the incident was a disappointment to a company charged with handling and protecting information.

"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologise to consumers and our business customers for the concern and frustration this causes," Equifax Chairman and CEO Richard F Smith said. "We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.  We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all US consumers, regardless of whether they were impacted by this incident."

The credit information company has created a dedicated website to assist consumers in determining if theirs is among the information affected. They can sign up for ID theft protection and credit monitoring services at the site. Equifax is also mailing out notices to consumers whose credit card numbers or dispute documents containing PII were affected by the breach.

Matt Schultz, senior industry analyst at CreditCards.com advised consumers to be diligent “and not just in the short term,” noting that “bad guys can be very patient, so it's important to keep an eye out long after this story fades from the headlines."

“We think nothing of checking Facebook or Instagram 10 times a day, but many think it is too much to ask to check your bank statements once a week,” said Schultz. “It's not. It's easy to do, doesn't take long and can help you spot problems before they get out of control."

For Andreas Kuehlmann, senior vice president and general manager, Synopsys, Software Integrity Group, the breach should also draw attention to the wider issue of ensuring software is built secure from the outset. He told SC Media UK, “We've grown accustomed to data breaches, but what events like this and the recent ransomware outbreaks bring to light is that the scope and impact of cyber-attacks are intensifying. We are more interconnected and dependent on software than ever, and when that software or those who maintain it are compromised, the consequences are becoming increasingly disruptive. It is imperative that organisations take a more proactive and aggressive stance on security – and it starts with building more secure software.” 

His colleague Dr. Gary McGraw, vice president of security technology, Synopsys, Software Integrity Group, echoed that view, commenting, “In case you were wondering why software security is important, here is yet another lesson why.  When a large database is connected to the Internet through various applications and is not designed and implemented to be secure, things like the Equifax breach happen.”  

 

A couple of other concerns were raised by Raz Rafaeli, CEO of Secret Double Octopus.He emailed SC Media UK to suggest that, "...the breach calls into question the entire model of authentication prevalent in the world of information security today. Utilising user personal details such as mother's maiden names, social security numbers, and other security questions to authenticate users has once again been demonstrated to be an easily circumventable method for hackers to get around."

In addition Rafaeli notes that the Equifax breach highlights the (current) lack of regulations to report cyber-crimes, saying: "The fact that Equifax is just now revealing the breach and has only recently began reaching out to law enforcement and regulators, has made the potential effects of the leak exponentially worse. Victims of of unauthorised data access need to be updated immediately so they may take steps to protect themselves from the effects of exposure, such as cancelling credit cards, and becoming vigilant for sophisticated phishing attempts utilising their personal information."