Equifax breach of 2017: What did we learn?


In 2017, consumer reporting agency Equifax was breached, and the credit records of more than 140 million consumers—more than half the adults in the United States at the time—were extracted by hackers. This data included names, addresses, phone numbers, dates of birth and social security numbers, and in some cases, the person’s driver’s license number.

Equifax is one of the big three consumer reporting agencies, along with TransUnion and Experian. Whenever you open a credit card or take out a loan from a bank, it’s reported to one of these agencies—actually, usually all of them, whether you want it to be reported or not. Consumers cannot opt out.

In hindsight, Equifax made several missteps, ones we can all learn from when putting together a cybersecurity plan.

The Apache Struts patch

Equifax uses Apache Struts for many of its systems. In early 2017, Apache put out a patch for a serious vulnerability in certain Struts versions that let an attacker upload malware through a customer-facing form. The vulnerability was considered so severe that even the Department of Homeland Security put out an advisory about it.

Equifax was informed of this patch in March of 2017, but they didn’t implement it because they didn’t know they had any Apache Struts systems of that version. And the reason they didn’t know they had any vulnerable Apache Struts systems was because of a …

Lack of inventory management

Equifax had acquired a number of companies in the previous 15 years and didn’t unify systems across them. They also didn’t have a full inventory of all these systems, or of what each of them was doing in the way of cybersecurity.

Because they didn’t have an inventory, a list of hardware and software, they didn’t know whether any vulnerable Apache Struts installations existed anywhere in their vast network.
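The gap described here is the one an inventory closes: given an advisory with an affected version range, a catalogue of assets lets you answer "which hosts need this patch, and who owns them" in seconds. The following is an added example, not code from the post or from Equifax; the inventory records, host names, owner addresses and the advisory's version range are all constructed placeholders (the real advisory's version numbers are not given in the post). It deliberately treats an asset with no recorded version or owner as its own category, because that unknown asset is exactly the one that falls through the cracks.

```python
"""Inventory-driven vulnerability triage (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.3.31' -> (2, 3, 31). Tolerates trailing labels such as '2.5.10.1-GA'."""
    parts: List[int] = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


@dataclass
class Advisory:
    product: str
    affected_from: Tuple[int, ...]  # inclusive lower bound
    affected_to: Tuple[int, ...]    # inclusive upper bound
    fixed_in: str


# Hypothetical advisory: the version range below is a placeholder, not a real CVE.
ADVISORY = Advisory("apache-struts", (2, 3, 5), (2, 3, 31), "2.3.32")

# Constructed inventory. A version or owner of None models an asset that was
# acquired along with a subsidiary but never properly catalogued.
INVENTORY: List[Dict[str, Optional[str]]] = [
    {"host": "portal-01.example.test", "product": "apache-struts",
     "version": "2.3.31", "owner": "web-team@example.test"},
    {"host": "portal-02.example.test", "product": "apache-struts",
     "version": "2.5.10", "owner": "web-team@example.test"},
    {"host": "legacy-app.example.test", "product": "apache-struts",
     "version": None, "owner": None},
    {"host": "db-01.example.test", "product": "postgresql",
     "version": "9.6", "owner": "dba@example.test"},
]


def triage(inventory, advisory: Advisory) -> Tuple[List[str], List[str]]:
    """Return (affected, unknown).

    affected: hosts running a version inside the advisory's range.
    unknown:  hosts running the product whose version or owner is not
              recorded, so they cannot be cleared and must be checked by hand.
    """
    affected: List[str] = []
    unknown: List[str] = []
    for asset in inventory:
        if asset["product"] != advisory.product:
            continue
        if asset["version"] is None or asset["owner"] is None:
            unknown.append(asset["host"])
            continue
        version = parse_version(asset["version"])
        if advisory.affected_from <= version <= advisory.affected_to:
            affected.append(asset["host"])
    return affected, unknown


def patch_tasks(inventory, advisory: Advisory) -> Dict[str, List[str]]:
    """Group affected hosts by recorded owner, so the patch request goes to a
    named person per system rather than to a general mailing list."""
    affected, _ = triage(inventory, advisory)
    by_owner: Dict[str, List[str]] = defaultdict(list)
    owners = {a["host"]: a["owner"] for a in inventory}
    for host in affected:
        by_owner[owners[host]].append(host)
    return dict(by_owner)


if __name__ == "__main__":
    affected, unknown = triage(INVENTORY, ADVISORY)
    print("patch now:", affected)
    print("needs manual check:", unknown)
    print("tasks by owner:", patch_tasks(INVENTORY, ADVISORY))
```

The "unknown" bucket is the important output: an inventory that only lists what it knows about gives false comfort, so anything running the product without a version or owner on record is reported rather than silently skipped.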

In lieu of an inventory, they had an email list of all personnel responsible for cybersecurity, and an email was sent out to all these personnel advising them of the patch and the need to implement it. But this approach failed to reach everyone with a vulnerable system because of…

Out-of-date contact info for cybersecurity personnel

The email went out, but it didn’t reach all the persons it needed to. Not everyone involved in cybersecurity was on the list.

So the Apache Struts patch didn’t go in where it should have, and that left Equifax’s systems vulnerable.

The hack

It didn’t take hackers long to find a customer portal on the Equifax system where they could upload malware that gave them a way into the system.

Once in the system, hackers found passwords stored in plain text, and databases that weren’t segmented, giving them access to one database after another.

To get the data out, hackers took advantage of a misconfigured router that failed open: if it couldn’t decrypt traffic in order to inspect it, it simply let the traffic through. The hackers encrypted the data using an expired certificate, and since the router wasn’t configured to decrypt and inspect traffic encrypted with that certificate, the data passed straight out to the internet.

Discovery of the hack

The hack was discovered nearly five months later, in late July 2017, when one of the Equifax security staff checked the traffic going out of the router, and saw what was happening.

The router was shut down, the exfiltration was stopped, and then Equifax assessed the damage.
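The two mechanisms in this part of the story, an inspection point that fails open and a discovery that only happened once someone looked at outbound traffic, can both be expressed in a few lines. The following is an added example, not code from the post or from Equifax; the flow records, host names, addresses, byte counts and the alert threshold are all constructed, and the policy functions stand in for whatever edge device does the inspection. It shows the fail-open decision the post describes beside a fail-closed one, and a detector that totals uninspected outbound bytes per internal host over a time window so that an exfiltration like this one raises an alert instead of waiting for a manual check months later.

```python
"""Fail-open vs fail-closed egress inspection, plus an egress detector (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Flow:
    ts: datetime
    src: str           # internal host
    dst: str           # external address
    bytes_out: int
    decrypted: bool    # could the inspection device decrypt this flow?
    malicious: bool    # inspection verdict; only meaningful when decrypted


def fail_open_policy(flow: Flow) -> str:
    """The misconfiguration in the post: anything that cannot be inspected is allowed."""
    if flow.decrypted and flow.malicious:
        return "block"
    return "allow"


def fail_closed_policy(flow: Flow) -> str:
    """Hardened form: traffic is allowed only when it was inspected and found clean.
    Anything the device could not decrypt is blocked and surfaced for review."""
    if not flow.decrypted:
        return "block"
    return "block" if flow.malicious else "allow"


def uninspected_egress_by_source(flows: List[Flow],
                                 window: timedelta = timedelta(hours=1),
                                 threshold_bytes: int = 50_000_000) -> List[str]:
    """Sum uninspected outbound bytes per internal host over the trailing
    window (ending at the newest record) and return the hosts above threshold."""
    if not flows:
        return []
    end = max(f.ts for f in flows)
    start = end - window
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        if not f.decrypted and start <= f.ts <= end:
            totals[f.src] += f.bytes_out
    return sorted(host for host, total in totals.items() if total > threshold_bytes)


# Constructed flow records: two workstations doing ordinary inspected browsing,
# one application server pushing large undecryptable transfers to one address.
BASE = datetime(2017, 7, 29, 2, 0)  # constructed timestamp, not from the post
FLOWS = [
    Flow(BASE, "ws-014", "203.0.113.7", 120_000, True, False),
    Flow(BASE + timedelta(minutes=1), "app-03", "198.51.100.9", 30_000_000, False, False),
    Flow(BASE + timedelta(minutes=5), "ws-014", "203.0.113.7", 90_000, True, False),
    Flow(BASE + timedelta(minutes=12), "app-03", "198.51.100.9", 28_000_000, False, False),
    Flow(BASE + timedelta(minutes=30), "app-03", "198.51.100.9", 31_000_000, False, False),
    Flow(BASE + timedelta(minutes=40), "ws-022", "203.0.113.7", 2_000_000, False, False),
]


if __name__ == "__main__":
    for f in FLOWS:
        print(f.src, "->", f.dst, "fail-open:", fail_open_policy(f),
              "fail-closed:", fail_closed_policy(f))
    print("hosts with suspicious uninspected egress:",
          uninspected_egress_by_source(FLOWS))
```

Fail-closed is the right default for an inspection point that sits in front of sensitive data, but it is only workable when someone is watching the resulting blocks and alerts; the detector is the piece that turns "someone checked the router one day" into a routine control.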

Lessons learned

What can we learn from the Equifax breach?

  • Maintain a thorough inventory of all your hardware and software.
  • Have a patch plan, and put in the important patches as soon as possible.
  • Expired certificates can be used for all kinds of nefarious purposes, so either renew them or get rid of them.
  • Don’t leave plain text passwords on your system. They should be encrypted.
  • Don’t leave any equipment or software at its default configuration. Look over every single option.
  • Segment databases so any hacker that breaches one area of the system can’t get at the rest of it.
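The plain-text password lesson is the one most easily shown in code. The following is an added example, not code from the post or from Equifax: a credential store kept as plain text, as the post describes finding, beside a store that holds only a salted, iterated PBKDF2-HMAC-SHA256 hash and verifies with a constant-time comparison. The user name, password and iteration count are constructed; only the Python standard library is used.

```python
"""Plain-text credential storage beside a salted, iterated hash (constructed example)."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# --- the pattern the post describes: secrets kept in plain text -------------
# Anyone who can read this store, a backup of it, or a log that dumps it
# has every password outright.
PLAINTEXT_STORE: Dict[str, str] = {"svc_reporting": "Winter2017!"}  # constructed


def plaintext_login(user: str, password: str) -> bool:
    return PLAINTEXT_STORE.get(user) == password


# --- hardened form: store a salted PBKDF2 hash, never the password ----------
ITERATIONS = 600_000  # work factor; raise it as hardware gets faster
SALT_BYTES = 16


def make_record(password: str, iterations: int = ITERATIONS) -> Dict[str, object]:
    """Derive a fresh-salted hash for storage. Two records for the same
    password differ, so a stolen store reveals nothing about shared passwords."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(record: Dict[str, object], password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(str(record["salt"])),
        int(record["iterations"]),
    )
    return hmac.compare_digest(digest, bytes.fromhex(str(record["hash"])))


HASHED_STORE: Dict[str, Dict[str, object]] = {
    "svc_reporting": make_record("Winter2017!"),  # constructed credential
}

# A dummy record so that a lookup for a user who does not exist costs the same
# time as a real verification, instead of returning instantly.
_DUMMY_RECORD = make_record(os.urandom(16).hex())


def hashed_login(user: str, password: str) -> bool:
    record: Optional[Dict[str, object]] = HASHED_STORE.get(user)
    if record is None:
        verify(_DUMMY_RECORD, password)
        return False
    return verify(record, password)


if __name__ == "__main__":
    print("plain-text store contents:", PLAINTEXT_STORE)
    print("hashed store contents:", HASHED_STORE)
    print("login with correct password:", hashed_login("svc_reporting", "Winter2017!"))
    print("login with wrong password:", hashed_login("svc_reporting", "Spring2017!"))
```

The hashed store still lets the service authenticate users, but what an intruder gets by reading it is a per-user salt and a slow-to-compute digest rather than a working credential they can replay against the next database.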

Sadly, many companies don’t put value on these lessons, and continue to make these same mistakes.
