Equifax
What was the Accusation?
On September 7, 2017, credit reporting agency Equifax reported a cybersecurity breach that had been discovered more than a month prior on July 29th. Because Equifax houses some of the most personal data available on U.S. citizens in order to assess risk when people apply for loans, the company came under intense criticism from members of Congress, state attorneys general, and people wanting to know if their data had been exposed. In the report, Equifax claimed that a total of 143 million people (or nearly all of the U.S. adult population) may have had their data stolen. In order to offer adequate corrective action, the company set up a special website for consumers to get information on whether they were part of the breach and what steps should be taken next. It also offered a year of free credit monitoring software. However, consumers complained that the phones were jammed and that they were getting conflicting information from the website and the phone lines. Equifax also faced scrutiny for taking so long to release the report after first discovering the breach. Although the specific reasons for the delay are still unknown, three Equifax executives sold shares worth a combined $1.8 million just a few days after the company discovered the breach. In response to the accusation that company executives waited so that they could unload their shares before the stock plummeted, Equifax said the three executives “had no knowledge that an intrusion had occurred at the time they sold their shares.” In an official statement released on the Equifax website, Communications Director Ines Gutzmer blamed the breach on an outside software company named Apache Struts for the vulnerability of the data systems. Equifax also bolstered its image by referencing the company’s history of successful data protection. Once Equifax shifted blame for the breach on Apache Struts, Vice-President René Gielen issued a statement in defense of the software company. She argued that the company consistently develops software that are found to have vulnerabilities, but it always fixes those problems once they surface. Gielen also emphasizes a lack of information at this point to identity where the breach occurred.
Key Apologia Strategies:
Shifting Blame, Corrective Action, Bolstering (Equifax)
Differentiation, Bolstering (Apache Strut)
Video
Transcript
Equifax Official Corporate Statement:
September 7, 2017: Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.
The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.
Apache Struts Statement on Equifax Security Breach:
The Apache Struts Project Management Committee (PMC) would like to comment on the Equifax security breach, its relation to the Apache Struts Web Framework and associated media coverage.
We are sorry to hear news that Equifax suffered from a security breach and information disclosure incident that was potentially carried out by exploiting a vulnerability in the Apache Struts Web Framework. At this point in time it is not clear which Struts vulnerability would have been utilized, if any. In an online article published on Quartz.com, the assumption was made that the breach could be related to CVE-2017-9805, which was publicly announced on 2017-09-04 along with new Struts Framework software releases to patch this and other vulnerabilities. However, the security breach was already detected in July, which means that the attackers either used an earlier announced vulnerability on an unpatched Equifax server or exploited a vulnerability not known at this point in time –a so-called Zero-Day-Exploit. If the breach was caused by exploiting CVE-2017-9805, it would have been a Zero-Day-Exploit by that time. The article also states that the CVE-2017-9805 vulnerability exists for nine years now.
We as the Apache Struts PMC want to make clear that the development team puts enormous efforts in securing and hardening the software we produce, and fixing problems whenever they come to our attention. In alignment with the Apache security policies, once we get notified of a possible security issue, we privately work with the reporting entity to reproduce and fix the problem and roll out a new release hardened against the found vulnerability. We then publicly announce the problem description and how to fix it. Even if exploit code is known to us, we try to hold back this information for several weeks to give Struts Framework users as much time as possible to patch their software products before exploits will pop up in the wild. However, since vulnerability detection and exploitation has become a professional business, it is and always will be likely that attacks will occur even before we fully disclose the attack vectors, by reverse engineering the code that fixes the vulnerability in question or by scanning for yet unknown vulnerabilities.
Regarding the assertion that especially CVE-2017-9805 is a nine year old security flaw, one has to understand that there is a huge difference between detecting a flaw after nine years and knowing about a flaw for several years. If the latter was the case, the team would have had a hard time to provide a good answer why they did not fix this earlier. But this was actually not the case here –we were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP. What we saw here is common software engineering business –people write code for achieving a desired function, but may not be aware of undesired side-effects. Once this awareness is reached, we as well as hopefully all other library and framework maintainers put high efforts into removing the side-effects as soon as possible. It’s probably fair to say that we met this goal pretty well in case of CVE-2017-9805.
Our general advice to businesses and individuals utilizing Apache Struts as well as any other open or closed source supporting library in their software products and services is as follows:
1. Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting this products and versions.
2. Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries needs to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months. Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.
3. Any complex software contains flaws. Don’t build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.
4. Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. A breach into the presentation layer should never empower access to significant or even all back-end information resources.
5. Establish monitoring for unusual access patterns to your public Web resources. Nowadays there are a lot of open source and commercial products available to detect such patterns and give alerts. We recommend such monitoring as good operations practice for business critical Web-based services.
Once followed, these recommendations help to prevent breaches such as unfortunately experienced by Equifax.
For the Apache Struts Project Management Committee,
Rene Gielen
Vice President, Apache Struts
Sources
Apache Struts statement on Equifax security (2017, September 9). Apache Software Foundation. Retrieved from: https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
Brogan, J. (2017, September 8). Equifax’s data breach PR statement, a close reading. Slate. Retrieved from: http://www.slate.com/blogs/future_tense/2017/09/08/a_close_reading_of_equifax_s_statement_about_its_data_breach.html
Cybersecurity incident & important consumer information (2017, September 7). Retrieved from: https://www.equifaxsecurity2017.com/
Dugan, K. (2017, September 8). Equifax blames giant breach on vendor software flaw. New York Post. Retrieved from: http://nypost.com/2017/09/08/equifax-blames-giant-breach-on-vendor-software-flaw/
Equifax says data from 143 million Americans exposed in hack (2017, September 8). The Telegraph (UK). Retrieved from: http://www.telegraph.co.uk/news/2017/09/07/equifax-says-data-143-million-americans-exposed-hack/
Sweet, K. (2017, September 11). Getting up to speed on the Equifax data breach scandal. ABC News. Retrieved from: http://abcnews.go.com/Technology/wireStory/speed-equifax-data-breach-scandal-49771561