Equifax

Photo from Wikimedia Commons

What was the Accusation?

On September 7, 2017, credit reporting agency Equifax reported a cybersecurity breach that had been discovered more than a month prior on July 29th.  Because Equifax houses some of the most personal data available on U.S. citizens in order to assess risk when people apply for loans, the company came under intense criticism from members of Congress, state attorneys general, and people wanting to know if their data had been exposed.  In the report, Equifax  claimed that a total of 143 million people (or nearly all of the U.S. adult population) may have had their data stolen. In order to offer adequate corrective action, the company set up a special website for consumers to get information on whether they were part of the breach and what steps should be taken next.  It also offered a year of free credit monitoring software.  However, consumers complained that the phones were jammed and that they were getting conflicting information from the website and the phone lines.  Equifax also faced scrutiny for taking so long to release the report after first discovering the breach.  Although the specific reasons for the delay are still unknown, three Equifax executives sold shares worth a combined $1.8 million just a few days after the company discovered the breach. In response to the accusation that company executives waited so that they could unload their shares before the stock plummeted, Equifax said the three executives “had no knowledge that an intrusion had occurred at the time they sold their shares.” In an official statement released on the Equifax website, Communications Director Ines Gutzmer blamed the breach on an outside software company named Apache Struts for the vulnerability of the data systems.  Equifax also bolstered its image by referencing the company’s history of successful data protection. Once Equifax shifted blame for the breach on Apache Struts, Vice-President René Gielen issued a statement in defense of the software company.  She argued that the company consistently develops software that are found to have vulnerabilities, but it always fixes those problems once they surface.  Gielen also emphasizes a lack of information at this point to identity where the breach occurred.

Key Apologia Strategies:

Shifting Blame, Corrective Action, Bolstering (Equifax)

Differentiation, Bolstering (Apache Strut)

Video

Transcript

Equifax Official Corporate Statement:

September 7, 2017: Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.

Equifax discovered the unauthorized access on July 29 of this year and acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax also reported the criminal access to law enforcement and continues to work with authorities. While the company’s investigation is substantially complete, it remains ongoing and is expected to be completed in the coming weeks.

This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes, said Chairman and Chief Executive Officer, Richard F. Smith. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.

Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection. The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers all complimentary to U.S. consumers for one year. The website also provides additional information on steps consumers can take to protect their personal information. Equifax recommends that consumers with additional questions visit www.equifaxsecurity2017.com or contact a dedicated call center at 866-447-7559 (Click here for an important update on call times due to Hurricane Irma), which the company set up to assist consumers. The call center is open every day (including weekends) from 7:00 a.m. 1:00 a.m. Eastern time.

In addition to the website, Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted. Equifax also is in the process of contacting U.S. state and federal regulators and has sent written notifications to all U.S. state attorneys general, which includes Equifax contact information for regulator inquiries.

Equifax has engaged a leading, independent cybersecurity firm to conduct an assessment and provide recommendations on steps that can be taken to help prevent this type of incident from happening again.

CEO Smith said, I’ve told our entire team that our goal can’t be simply to fix the problem and move on. Confronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will.

About Equifax

Equifax is a global information solutions company that uses trusted unique data, innovative analytics, technology and industry expertise to power organizations and individuals around the world by transforming knowledge into insights that help make more informed business and personal decisions.

Headquartered in Atlanta, Ga., Equifax operates or has investments in 24 countries in North America, Central and South America, Europe and the Asia Pacific region. It is a member of Standard & Poor’s (S&P) 500® Index, and its common stock is traded on the New York Stock Exchange (NYSE) under the symbol EFX. Equifax employs approximately 9,900 employees worldwide.

Forward-Looking Statements

This release contains forward-looking statements and forward-looking information. These statements can be identified by expressions of belief, expectation or intention, as well as estimates and statements that are not historical fact. These statements are based on certain factors and assumptions with respect to the investigation of the cybersecurity incident to date. While the company believes these factors and assumptions to be reasonable based on information currently available, they may prove to be incorrect.

Several factors could cause actual results to differ materially from those expressed or implied in the forward-looking statements, including, but not limited to, the final results of the investigation, including the final scope of the intrusion, the type of information accessed and the number of consumers impacted. A summary of additional risks and uncertainties can be found in our Annual Report on Form 10-K for the year ended December 31, 2016, including without limitation under the captions Item 1. Business Governmental Regulation and Forward-Looking Statements and Item 1A. Risk Factors, and in our other filings with the U.S. Securities and Exchange Commission. Forward-looking statements are given only as at the date of this release and the company disclaims any obligation to update or revise the forward-looking statements, whether as a result of new information, future events or otherwise, except as required by law.

Contacts:

Ines Gutzmer
Corporate Communications
[email protected]
404-885-8555

Apache Struts Statement on Equifax Security Breach:

The Apache Struts Project Management Committee (PMC) would like to comment on the Equifax security breach, its relation to the Apache Struts Web Framework and associated media coverage.

We are sorry to hear news that Equifax suffered from a security breach and information disclosure incident that was potentially carried out by exploiting a vulnerability in the Apache Struts Web Framework. At this point in time it is not clear which Struts vulnerability would have been utilized, if any. In an online article published on Quartz.com, the assumption was made that the breach could be related to CVE-2017-9805, which was publicly announced on 2017-09-04 along with new Struts Framework software releases to patch this and other vulnerabilities. However, the security breach was already detected in July, which means that the attackers either used an earlier announced vulnerability on an unpatched Equifax server or exploited a vulnerability not known at this point in time –a so-called Zero-Day-Exploit. If the breach was caused by exploiting CVE-2017-9805, it would have been a Zero-Day-Exploit by that time. The article also states that the CVE-2017-9805 vulnerability exists for nine years now.

We as the Apache Struts PMC want to make clear that the development team puts enormous efforts in securing and hardening the software we produce, and fixing problems whenever they come to our attention. In alignment with the Apache security policies, once we get notified of a possible security issue, we privately work with the reporting entity to reproduce and fix the problem and roll out a new release hardened against the found vulnerability. We then publicly announce the problem description and how to fix it. Even if exploit code is known to us, we try to hold back this information for several weeks to give Struts Framework users as much time as possible to patch their software products before exploits will pop up in the wild. However, since vulnerability detection and exploitation has become a professional business, it is and always will be likely that attacks will occur even before we fully disclose the attack vectors, by reverse engineering the code that fixes the vulnerability in question or by scanning for yet unknown vulnerabilities.

Regarding the assertion that especially CVE-2017-9805 is a nine year old security flaw, one has to understand that there is a huge difference between detecting a flaw after nine years and knowing about a flaw for several years. If the latter was the case, the team would have had a hard time to provide a good answer why they did not fix this earlier. But this was actually not the case here –we were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP. What we saw here is common software engineering business –people write code for achieving a desired function, but may not be aware of undesired side-effects. Once this awareness is reached, we as well as hopefully all other library and framework maintainers put high efforts into removing the side-effects as soon as possible. It’s probably fair to say that we met this goal pretty well in case of CVE-2017-9805.

Our general advice to businesses and individuals utilizing Apache Struts as well as any other open or closed source supporting library in their software products and services is as follows:

1. Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting this products and versions.

2. Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries needs to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months. Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.

3. Any complex software contains flaws. Don’t build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.

4. Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. A breach into the presentation layer should never empower access to significant or even all back-end information resources.

5. Establish monitoring for unusual access patterns to your public Web resources. Nowadays there are a lot of open source and commercial products available to detect such patterns and give alerts. We recommend such monitoring as good operations practice for business critical Web-based services.

Once followed, these recommendations help to prevent breaches such as unfortunately experienced by Equifax.

For the Apache Struts Project Management Committee,

Rene Gielen
Vice President, Apache Struts

Sources

Apache Struts statement on Equifax security (2017, September 9). Apache Software Foundation. Retrieved from: https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax

Brogan, J. (2017, September 8). Equifax’s data breach PR statement, a close reading.  Slate. Retrieved from: http://www.slate.com/blogs/future_tense/2017/09/08/a_close_reading_of_equifax_s_statement_about_its_data_breach.html

Cybersecurity incident & important consumer information (2017, September 7). Retrieved from: https://www.equifaxsecurity2017.com/

Dugan, K. (2017, September 8). Equifax blames giant breach on vendor software flaw. New York Post. Retrieved from: http://nypost.com/2017/09/08/equifax-blames-giant-breach-on-vendor-software-flaw/

Equifax says data from 143 million Americans exposed in hack (2017, September 8). The Telegraph (UK). Retrieved from: http://www.telegraph.co.uk/news/2017/09/07/equifax-says-data-143-million-americans-exposed-hack/

Sweet, K. (2017, September 11).  Getting up to speed on the Equifax data breach scandal. ABC News. Retrieved from: http://abcnews.go.com/Technology/wireStory/speed-equifax-data-breach-scandal-49771561