Equifax made an error that led to one of the largest and most sensitive data breaches of all time, and the mistake was elementary: The credit bureau failed to patch a vulnerability in Apache Struts – a web application development framework – in a timely manner.
The company updated its breach notification on Wednesday, confirming security watchers’ speculation that Struts was involved in the breach. That speculation had been based both on Equifax’s infrastructure and on the timing of vulnerabilities in – and patches for – Struts that have come to light this year (see Is Unpatched Apache Struts Flaw to Blame for Equifax Hack?).
To understand the full scope of the attack and breach, Equifax retained a digital forensics investigation firm – reported by ZDNet to be FireEye’s Mandiant unit – and the investigation remains ongoing.
“We continue to work with law enforcement as part of our criminal investigation and have shared indicators of compromise,” the company says in a statement on its website.
Update from Equifax issued September 13.
While the attack vector is known, Equifax has yet to discuss who may have hacked it. Of course, it may never know.
But Equifax says the unidentified hackers had access to the personal details of 143 million U.S. consumers, as well as an unspecified number of British and Canadian consumers. Names, addresses, Social Security numbers and, in some cases, driver’s license numbers are at risk. The breach also exposed credit card numbers for 209,000 U.S. consumers and credit dispute documentation for 182,000 people (see Equifax: Breach Exposed Data of 143 Million US Consumers).
Patch Was Available
Equifax’s disclosure is likely to increase the pressure on the company, which already faces Congressional hearings, probes by at least 40 states and dozens of class-action lawsuits (see Equifax Faces Mounting Anger, $70 Billion Lawsuit).
The Federal Trade Commission, which had previously refused to comment on whether it had launched an investigation of any particular organization, now tells Information Security Media Group that it has made an exception in Equifax’s case. “The FTC typically does not comment on ongoing investigations,” says Peter Kaplan, the FTC’s acting director of public affairs. “However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach.”
Security experts say that prompt patching of enterprise applications is a must-do practice, given the ease with which attackers can find and automatically exploit known flaws. Equifax has yet to explain why it delayed patching such critical software.
The exploited vulnerability, CVE-2017-5638, became public on March 6, when Apache released an updated version of Struts that fixed the flaw. Within a day, security analysts saw attacks designed to exploit the flaw being launched against websites.
Equifax, meanwhile, says its breach began in mid-May but wasn’t discovered until July 29.
Apache Struts 2, which uses Java Enterprise Edition, is widely used by many organizations, including airlines, car rental companies, e-commerce sites, social networks and government agencies.
The now-patched Struts flaw is among the most dangerous types of vulnerabilities because it allows hackers to remotely exploit the application and access the information that it stores. Given the severity of the flaw, the information security community had warned all users of the open source Apache Struts software about the danger posed by CVE-2017-5638 and urged them to upgrade to a patched version immediately.
Kevin Beaumont, a U.K.-based security researcher, writes on Wednesday that he repeatedly tweeted about the flaw when it was disclosed, warning of its severity.
“It doesn’t get more serious – with a single web request, people can remotely run code on the web server and access files, potentially (and probably) bypassing all security controls,” Beaumont writes in a blog post.