The Equifax data breach has stunned the cybersecurity world, both for its scale and for the disastrous response to the incident. We’ve seen a number of high-profile data breaches over the last several years, including North Korea’s hack of Sony and subsequent leaking of material in an effort to deter the studio from releasing The Interview. What has occurred at Equifax, however, takes our understanding of just how bad a data breach can be to a whole new level.
The breach at Equifax saw sensitive details for 143 million customers compromised. Among this information were credit card and Social Security numbers, alongside all the information an individual would need to assume someone’s identity. To put this in perspective, the total population of the United States is 300 million.
Such a serious loss of sensitive data has been a huge embarrassment for the company and their CEO has been forced to step down in the past few days. Speculation is still running rampant as to who is responsible for what industry analysts assumed must have been quite a sophisticated attack to have penetrated the security of such a large, and indeed important, company. However, it has now been revealed that the intrusion might have been a much simpler affair than anyone could have imagined.
Website Application Vulnerability
Company officials posted a statement online a few weeks ago in which they acknowledged the vulnerability that the hackers had exploited. The vulnerability in question is known as Apache Struts CVE-2017-5638. Now this means nothing to you and me, unless you have some specific knowledge of Apache Struts, of course, but a number of cybersecurity professionals quickly picked up on something unusual.
The vulnerability that Equifax was referring to had been patched on March 6th. Equifax claimed that the breach occurred in the middle of May, although this has been challenged by some. Even by this timeline, the breach occurred two months after the exploit was fixed and a security patch made available.
Within days of the exploit first being reported, the bug was being exploited on a massive scale. Many websites and security blogs were reporting on it at the time. There was particular concern over the attacks because fixing the exploit is quite an involved process and isn’t as simple as installing a patch, which is how most website security fixes are applied.
Applying the fix required downgrading the version of Apache Struts in use and then rebuilding all the apps with this older version. This older version of Struts is prone to a number of bugs that the newer version isn’t, meaning that once the apps are rebuilt they need to be extensively tested for bugs, and those bugs fixed, before the apps can be used again.
The Equifax breach almost certainly could have been averted if action had been taken to fix the exploit when it was discovered. The spate of attacks across the internet in the days following the revelation should have been a wake-up call to businesses everywhere. Apparently, the warning wasn’t heeded by Equifax and they are now paying a considerable price.