Home SecurityData Breach Equifax data breach FAQ: What happened, who was affected, what was the impact?

Equifax data breach FAQ: What happened, who was affected, what was the impact?

by

In March 2017, personally identifying data of hundreds of millions of people was stolen from Equifax, one of the credit reporting agencies that assess the financial health of nearly everyone in the United States.

As we’ll see, the breach spawned a number of scandals and controversies: Equifax was criticized for everything ranging from their lax security posture to their bumbling response to the breach, and top executives were accused of corruption in the aftermath. And the question of who was behind the breach has serious implications for the global political landscape.

How did the Equifax breach happen?

Like plane crashes, major infosec disasters are typically the result of multiple failures. The Equifax breach investigation highlighted a number of security lapses that allowed attackers to enter supposedly secure systems and exfiltrate terabytes of data.

Most of the discussion in this section and the subsequent one comes from two documents: A detailed report from the U.S. General Accounting Office, and an in-depth analysis from Bloomberg Businessweek based on sources inside the investigation. A top-level picture of how the Equifax data breach happened looks like this:

  • The company was initially hacked via a consumer complaint web portal, with the attackers using a widely known vulnerability that should have been patched but, due to failures in Equifax’s internal processes, wasn’t.
  • The attackers were able to move from the web portal to other servers because the systems weren’t adequately segmented from one another, and they were able to find usernames and passwords stored in plain text that then allowed them to access still further systems.
  • The attackers pulled data out of the network in encrypted form undetected for months because Experian had crucially failed to renew an encryption certificate on one of their internal security tools.
  • Experian did not publicize the breach until more than a month after they discovered it had happened; stock sales by top executives around this time gave rise to accusations of insider trading.

To understand how exactly all these crises intersected, let’s take a look at how the events unfolded.

When did the Equifax breach happen?

The crisis began in March of 2017. In that month, a vulnerability, dubbed CVE-2017-5638, was discovered in Apache Struts, an open source development framework for creating enterprise Java applications that Equifax, along with thousands of other websites, uses. If attackers sent HTTP requests with malicious code tucked into the content-type header, Struts could be tricked into executing that code, and potentially opening up the system Struts was running on to further intrusion. On March 7, the Apache Software Foundation released a patch for the vulnerabilities; on March 9, Equifax administrators were told to apply the patch to any affected systems, but the employee who should have done so didn’t. Equifax’s IT department ran a series of scans that were supposed to identify unpatched systems on March 15; there were in fact multiple vulnerable systems, including the aforementioned web portal, but the scans seemed to have not worked, and none of the vulnerable systems were flagged or patched.

Source link

Related Articles

Leave a Comment

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More