Equifax Hack

Credit scores are used by financial institutions as a measure of risk involved in lending money to borrowers.

Equifax receives credit scores for millions of people in the USA, Canada and the UK from multiple financial institutions for free.

It then resells the massaged data back to institutions as credit scores for a 90% profit. The company, based in Atlanta, has been in business since 1899.

Between March and September of 2017, hackers stole personal information on over half the US population from Equifax.

Apache Struts is commonly used in Java web sites to co-ordinate the retrieval of data required to complete an online web page. Struts 1.0 is obsolete; the most recent stable release of Struts 2 was distributed on September 5, 2017.

Between March and July 2017, there were several fixes published by Apache to remedy vulnerabilities.

Equifax failed to take heed and did not update Struts 2 until July 2017, leaving both Struts security vulnerabilities open for five months.

Vulnerability CVE-2017-9805 gave the hackers the ability to install remotely executable code, which they took full advantage of.
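The patch lag described above is something a defender can measure mechanically: compare the Struts 2 jars actually deployed against the releases that fixed CVE-2017-9805. The script below is an added example, not code from Equifax or Apache; it assumes the published fix releases (2.3.34 on the 2.3 branch, 2.5.13 on the 2.5 branch) and takes care of the branch edge case where 2.3.34 is fixed even though it sorts below the unfixed 2.5.12. An old jar shows exposure at the dependency level, not proof that the REST plugin was reachable.

```python
"""Patch-lag check: flag Struts 2 jars that predate the CVE-2017-9805 fix.

Added example, not Equifax's or Apache's code. Fix versions assumed from
the published advisory: 2.3.34 (2.3 branch) and 2.5.13 (2.5 branch).
"""
import re
from pathlib import Path

# First fixed release on each maintained branch (minor version -> version).
FIXED_BY_BRANCH = {(2, 3): (2, 3, 34), (2, 5): (2, 5, 13)}
OLDEST_FIX = min(FIXED_BY_BRANCH.values())  # (2, 3, 34)
JAR_RE = re.compile(r"struts2-(core|rest-plugin)-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.5.12' -> (2, 5, 12) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version):
    """True if this Struts 2 version predates the fix for its branch.

    Branch matters: 2.3.34 is fixed although it sorts below 2.5.12, which is
    not. Branches that never got a fix release (2.0, 2.1, ...) count as
    vulnerable; anything newer than the fixed branches counts as fixed.
    """
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return v < OLDEST_FIX
    return v < fixed


def scan_jar_names(names):
    """Return (jar name, version, vulnerable?) for every Struts 2 jar in names."""
    findings = []
    for name in names:
        m = JAR_RE.search(name)
        if m:
            findings.append((name, m.group(2), is_vulnerable(m.group(2))))
    return findings


def scan_directory(root):
    """Walk a deployment directory and check every Struts 2 jar found in it."""
    return scan_jar_names(str(p) for p in Path(root).rglob("*.jar"))


if __name__ == "__main__":
    # Constructed sample of jar names as they might sit under WEB-INF/lib.
    sample = ["WEB-INF/lib/struts2-core-2.3.31.jar",
              "WEB-INF/lib/struts2-rest-plugin-2.5.13.jar",
              "WEB-INF/lib/commons-lang3-3.6.jar"]
    for name, version, vuln in scan_jar_names(sample):
        print(f"{'VULNERABLE' if vuln else 'fixed'}\t{version}\t{name}")
```

Point `scan_directory` at an application's deployment root to run the same check over real jars.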

Bloomberg reports that Mandiant was contracted by Equifax in March 2017 to review security practices. Mandiant reported numerous potential threat vectors but was dismissed by Equifax, which stated that Mandiant staff were “undertrained”. How presumptuous – I guess that Equifax is an expert at intrusion detection and avoidance. During the time Equifax and Mandiant were arguing, the hackers were busily embedding themselves in Equifax’s systems.

It appears that there were two teams involved in the hack – one group specialized in entry and the second specialized in roaming about Equifax’s systems, databases and networks. The hackers were able to create their own private networks, which blinded Equifax’s intrusion detection systems, on which Equifax had spent millions but lacked the expertise to use the new tools. Once the malware was installed, it was too late to prevent any further damage. The hackers stole identity data for 60% of the American population.

One Apache Struts 2.0 flaw enabled the capture of corporate data. The flaw was published on Apache’s web site in March 2017 and appeared the next day on the Chinese security website FreeBuff.com and in hacking tools such as Metasploit.com. The flaw enabled a hacker to upload, install and run applications. The search for compromised Apache Struts 2 sites was game on.

The hackers had plenty of time to create numerous back door entry points into Equifax’s systems.

The breach became public in September of 2017, yet Equifax had taken no action to advise the public. The CEO failed to communicate the threat to the Board of Directors.

An earlier breach at Equifax enabled hackers to log into Equifax Workforce Solutions, obtain tax records, file fraudulent tax returns and capture bogus refunds.

The stolen data was never provided to Equifax by the individuals themselves. They will most likely be unaware that their identity data has been stolen.

The hackers will merge the data with other stolen data, such as credit card numbers or driver’s licenses, to build a complete record of a person’s identity.

In the USA, the Social Security Number (SSN) serves as a proxy for a unique personal identifier. The SSN, however, is not unique. If the hackers were attempting to merge SSNs with a stolen list of credit cards, there is a chance that several of them are owned by more than one person.

Obtaining a new identity will require each person to change their SSN on their employment, tax, credit, health, banking, insurance and government records – not a small task.

Obtaining a new SSN and updating banking accounts and credit cards should be the first order of business to ensure hackers are unable to instigate fraudulent credit card transactions.

Expect more fraudulent marketing campaigns, such as promises of big tax refunds, fraudulent credit card transactions and change-of-address scams.

Equifax’s survival is in question as multiple class action lawsuits will be launched totalling billions of dollars in damages.

The company needs to be swept clean starting at the board level along with IT and security management and security practices. Outsourcing this function would be a logical next step as Equifax has proven to be incompetent.

I’ve always questioned the use of shareware in enterprise systems. The Apache Struts case proves my point. It may be free but free is never free.