This article is written by Devangi Vatsaraj, pursuing an MBA (Data Protection and Privacy Management) at Lawsikho. This article has been edited by Ojuswi (Associate, Lawsikho).
This article has been published by Sneha Mahawar.
Introduction
Equifax Inc. is an American multinational consumer credit reporting agency headquartered in Atlanta, Georgia. It operates in about twenty-four countries across North America, Europe and the Asia-Pacific region, and collects and aggregates data on over 800 million individuals and more than 88 million businesses worldwide. Alongside its core reporting business, Equifax sells credit monitoring and fraud prevention services directly to consumers.
Beginning in March 2017, attackers gained access to Equifax's systems and, between May and July of that year, stole the personal data of hundreds of millions of individuals. The subsequent breach investigation showed that a chain of security lapses allowed the attackers to enter the network, move through it, and exfiltrate data for more than two months without being noticed.
How did the breach happen
Detailed analyses of how the data was compromised exist at many levels, and various commentators have drawn key takeaways from the incident. This article gives a general outline of the Equifax data breach; for further reading, the detailed reports of the U.S. Government Accountability Office (GAO) and Bloomberg Businessweek may be referred to. The broad sequence of events is as follows:
- The attackers entered through Equifax's online consumer dispute (complaint) portal. The vulnerability they exploited was publicly known and a patch was available, but because of multiple layers of failure in the Company's patching process it was never applied to the portal.
- Once inside, the attackers moved laterally from system to system, locating data and exfiltrating it. Along the way they found usernames and passwords stored in plaintext, without any encryption, and used those credentials to reach further databases holding personal and personally identifiable data.
- The attackers pulled the data out over encrypted connections. This went unnoticed for more than two months because a digital certificate on the device Equifax used to inspect encrypted network traffic had expired; with the certificate lapsed, outbound traffic passed through uninspected.
- After discovering the intrusion, the Company took about six weeks to disclose it publicly. In that interval several senior executives sold Equifax stock, which prompted insider-trading investigations.
Type of data compromised and number of individuals affected
It is not disputed that the Company collects and processes personal/personally identifiable data, and through this breach information such as names, addresses, dates of birth, social security numbers and, in some cases, driver's licence numbers was compromised. Equifax initially estimated that the breach affected about 143 million US consumers (a figure later revised to roughly 147 million), which is around forty percent of the US population; smaller numbers of residents of the United Kingdom and Canada were also affected. In addition, the credit card numbers of about 209,000 consumers, many of whom had paid the Company directly to check their credit reports, were exposed.
When did the breach happen
The crisis began in March 2017, when a vulnerability (CVE-2017-5638) was disclosed in Apache Struts, an open-source framework for building enterprise Java web applications that Equifax used in its online dispute portal. The flaw lay in the framework's multipart file-upload handling: if an attacker sent an HTTP request whose Content-Type header contained an OGNL expression instead of a normal media type, Struts evaluated that expression on the server, giving the attacker remote code execution. The Apache Software Foundation released a patch on March 7, 2017, and on March 9, 2017, Equifax's security team circulated an internal notice telling administrators to apply it to any affected systems; however, the notice never reached the staff responsible for the dispute portal, and the patch was not applied.
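To make the mechanism concrete, here is an added example (not code from the original article or from Equifax) of the check a web application firewall or reverse proxy could apply: it parses the head of a raw HTTP request and flags a Content-Type header that carries an OGNL expression rather than a media type. The sample requests, host name and path are constructed for illustration, and the suspicious header is deliberately inert.

```python
"""Added example: flag HTTP requests whose upload headers carry an OGNL expression.

CVE-2017-5638 (Struts S2-045) was triggered by a Content-Type header that held an
OGNL expression instead of a media type, which Struts' Jakarta multipart parser
then evaluated. Content-Disposition and Content-Length were affected too. This
detector parses the head of a raw HTTP request, as a WAF or reverse proxy would
see it, and reports why a request looks like an exploit attempt.
"""
import re
from typing import Dict, List, Tuple

# OGNL expression delimiters; a legitimate media type never contains them.
OGNL_MARKER = re.compile(r"[%$]\{")
# Identifiers seen in the public exploit chains for this flaw.
OGNL_TOKENS = ("#_memberAccess", "#context", "ognl.OgnlContext", "@java.lang")
# Shape of a valid media type (RFC 7231): type/subtype plus optional parameters.
MEDIA_TYPE = re.compile(r"^[\w!#$&^.+-]+/[\w!#$&^.+-]+(\s*;.*)?$", re.DOTALL)
CHECKED_HEADERS = ("content-type", "content-disposition", "content-length")


def parse_request_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw request head into the request line and a lower-cased header map."""
    lines = raw.strip().splitlines()
    if not lines:
        return "", {}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def inspect_request(raw: str) -> List[str]:
    """Return the reasons a request looks like an S2-045 attempt; an empty list means clean."""
    _, headers = parse_request_head(raw)
    reasons: List[str] = []
    for name in CHECKED_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        if OGNL_MARKER.search(value):
            reasons.append(f"{name}: OGNL expression delimiter")
        reasons.extend(f"{name}: token {tok}" for tok in OGNL_TOKENS if tok in value)
        if name == "content-type" and not MEDIA_TYPE.match(value):
            reasons.append("content-type: not a valid media type")
        if name == "content-length" and not value.isdigit():
            reasons.append("content-length: not numeric")
    return reasons


def flagged_requests(raw_requests: List[str]) -> List[Tuple[str, List[str]]]:
    """Pair the request line of each suspicious request with the reasons it was flagged."""
    report = []
    for raw in raw_requests:
        reasons = inspect_request(raw)
        if reasons:
            report.append((parse_request_head(raw)[0], reasons))
    return report


# Constructed sample request heads (not captured traffic). The second has the
# shape of an S2-045 payload but deliberately contains no working command chain.
BENIGN_UPLOAD = (
    "POST /dispute/upload HTTP/1.1\r\n"
    "Host: portal.example.com\r\n"
    "Content-Type: multipart/form-data; boundary=----exampleBoundary\r\n"
    "Content-Length: 1024\r\n"
)
SUSPICIOUS_UPLOAD = (
    "POST /dispute/upload HTTP/1.1\r\n"
    "Host: portal.example.com\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#demo='constructed, inert')}\r\n"
    "Content-Length: 0\r\n"
)

if __name__ == "__main__":
    for request_line, reasons in flagged_requests([BENIGN_UPLOAD, SUSPICIOUS_UPLOAD]):
        print(request_line, "->", "; ".join(reasons))
```

A clean result from this check is not proof of safety: it recognizes the delimiter pattern the exploit needs, which makes it a useful detection and triage signal at the edge, but it is no substitute for upgrading Struts itself.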
On March 15, 2017, Equifax's IT department ran scans to identify unpatched systems, but the scans found nothing, even though the vulnerable Struts version was still present on the consumer dispute portal. Earlier in 2017, Equifax had also engaged the security consulting firm Mandiant to assess its systems. Mandiant warned Equifax about numerous unpatched systems and misconfigured security policies, but the engagement reportedly broke down in a dispute over its scope, and the issues were not addressed.
Forensic examination later showed that the first unauthorized access through the Struts vulnerability on the dispute portal occurred on March 10, 2017. It was not until May 13, 2017, however, that the attackers began accessing databases and moving data out; Equifax's public statements initially described the March access as a separate incident. Whether the two were separate intrusions or one continuous compromise, and why the attackers waited two months before exfiltrating, has never been fully explained. The attackers' intentions were also unclear at the time: affected individuals braced for misuse of their data, but no large-scale fraud traceable to the breach was publicly reported. In February 2020, the US Department of Justice indicted four members of China's People's Liberation Army for the intrusion.
From mid-May through the end of July 2017, the attackers accessed databases containing the personal/personally identifiable data of hundreds of millions of people. How did the exfiltration go unnoticed for so long? Equifax, like many large enterprises, ran a network-inspection device that decrypts outbound encrypted traffic, analyzes it and re-encrypts it; such a device depends on a digital certificate that must be renewed periodically. The certificate had expired months earlier and had not been replaced, so encrypted traffic leaving the network was not being inspected, and the attackers' encrypted transfers passed through unseen. When the certificate was finally renewed on July 29, 2017, the suspicious traffic became visible at once, and the Company learnt of the compromise. Rather than notifying affected individuals promptly, Equifax spent about six weeks on its internal investigation and announced the breach publicly on September 7, 2017. It later emerged that on August 1 and 2, 2017, three senior executives had sold Equifax shares worth about $1.8 million; an internal review concluded they had not known of the breach at the time, but two other employees were subsequently charged with, and pleaded guilty to, insider trading based on their knowledge of the incident.
How did Equifax handle the breach
Equifax's response to the incident was widely criticised. The Company set up a separate domain, equifaxsecurity2017.com, to host information and resources for potentially affected individuals. Its own social media accounts then repeatedly directed people to securityequifax2017.com, a look-alike domain that had been registered by a security researcher to show how easily the real site could be impersonated; fortunately, that site had no ill intent and directed its roughly 200,000 visitors to the genuine website.
Meanwhile, the domain the Company set up was itself criticised: stand-alone domains of this kind are exactly what phishing scams use, and asking people who had just been breached to trust one was a serious misstep. The terms of service on the site, later withdrawn by the Company, also implied that merely checking whether one was affected would waive the right to sue Equifax. Individuals who were affected were then directed to enrol in an Equifax identity protection service, described as free of charge. A domain that looked like a phishing portal, an apparent waiver of rights, and free protection offered by the very company that had lost the data: how much could an individual reasonably trust it at that point?
Lessons learnt from the Equifax data breach
After the breach, Equifax agreed to a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 US states and territories. Announced in July 2019, the settlement totals up to $700 million, of which up to $425 million is set aside to compensate people affected by the breach.
With the discussion of what was the breach and how it happened, let us discuss some of the key takeaways from the incident:
Security measures
Equifax did not lack resources, but even an organization that cannot afford to modernize its IT estate must do the due diligence needed to protect its legacy systems. A system that stores customer and corporate data should not be left on a legacy platform that cannot be patched; it should be built on tools and solutions that permit upgrades, automation and security updates. Equifax did not just fail to secure its network; it failed in its response as well. Security is not only about technical controls: administrative procedures are needed to ensure that technical and physical controls such as vulnerability management, configuration hardening and change control are actually monitored and enforced.
Patch management
System owners must follow a defined process for patching vulnerabilities and assess each vulnerability against their asset inventory. Equifax did scan its systems for the Struts flaw before the breach, but the scan found nothing: the scanner checked only the top-level directory of the web server and not the subdirectories where the vulnerable Struts libraries were actually deployed. A clean scan is not proof of safety, and the Company should have taken reasonable steps at all times to protect the data. Good practice is to validate scanner findings with a second, independent tool, to keep systems on supported versions, and to understand and mitigate residual risk. Risk can never be eliminated, but it must be identified and brought within the level the organization's policy accepts.
It is also important to establish and maintain an inventory of assets, map each asset to a designated owner, evaluate the risk associated with it, and hold those owners accountable and responsible for the security of their assets.
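The point about validating scans with a second tool can be illustrated with an added example (not Equifax's tooling or code from the original article): a small inventory check that walks every subdirectory for Struts core jars and compares their versions against the affected ranges in Apache's S2-045 advisory. The directory layout it builds is constructed for the demonstration, and the contrast with a top-level-only listing shows how a scan can come back clean while the vulnerable library is present.

```python
"""Added example: find Apache Struts 2 core jars anywhere under a root and flag
versions affected by S2-045 (CVE-2017-5638).

Apache's advisory lists Struts 2.3.5 to 2.3.31 and 2.5 to 2.5.10 as affected,
fixed in 2.3.32 and 2.5.10.1. A scan that only lists the top-level directory
finds nothing, because web applications keep their libraries in nested
WEB-INF/lib folders; the recursive walk below is the difference that matters.
"""
import os
import re
import tempfile
from typing import List, Tuple

Version = Tuple[int, ...]

JAR_NAME = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")
# Inclusive (low, high) ranges from the S2-045 advisory.
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]


def parse_version(text: str) -> Version:
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare component-wise, like versions."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version: Version) -> bool:
    # (2, 5, 10, 1) > (2, 5, 10), so the fixed 2.5.10.1 falls outside the range.
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def find_struts_jars(root: str) -> List[Tuple[str, Version]]:
    """Recurse through every subdirectory and return (path, version) for each core jar."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            match = JAR_NAME.match(filename)
            if match:
                found.append((os.path.join(dirpath, filename), parse_version(match.group(1))))
    return sorted(found)


def vulnerable_jars(root: str) -> List[str]:
    """Paths of every Struts core jar under root whose version is in an affected range."""
    return [path for path, version in find_struts_jars(root) if is_affected(version)]


def top_level_only(root: str) -> List[str]:
    """The flawed approach: look at the root directory alone, so nested jars are missed."""
    return [name for name in os.listdir(root) if JAR_NAME.match(name)]


def build_demo_tree() -> str:
    """Create a constructed directory layout with three deployed applications."""
    root = tempfile.mkdtemp(prefix="struts-scan-")
    layout = [
        "dispute-portal/WEB-INF/lib/struts2-core-2.3.31.jar",   # affected
        "newer-app/WEB-INF/lib/struts2-core-2.5.10.1.jar",      # fixed
        "legacy/deep/nested/lib/struts2-core-2.5.jar",          # affected
    ]
    for relpath in layout:
        full = os.path.join(root, *relpath.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"")  # an empty placeholder; only the file name is inspected
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    print("top-level scan found:", top_level_only(demo_root))  # []
    for path in vulnerable_jars(demo_root):
        print("VULNERABLE:", os.path.relpath(path, demo_root))
```

In a real estate the file name is only the first signal: a jar can be renamed or shaded into another archive, so a second tool that reads the manifest or hashes known builds is the independent check the paragraph calls for.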
Certificate management
One of the most important insights is that organizations must manage their own security tooling. Had the expired certificate on the traffic-inspection device been renewed on time, the exfiltration would likely have been detected within days rather than months; letting it lapse was a failure to assign clear roles and responsibilities. Certificate lifecycle management tools exist that track expiry dates and automate renewal, and every certificate a security control depends on should be in such an inventory.
Network segmentation
Equifax had not segmented its network, i.e., separated the systems holding personal and critical data from the rest of the network. Once inside, the attackers could therefore reach the whole of the Company's environment and query whichever databases they chose. Access to critical data should be restricted to the staff who need it; employees should be able to reach only the data required for their role; and egress controls should ensure that data cannot be moved out of the environment unnoticed.
Host monitoring
As the investigation reports note, the attackers installed a number of web shells and used them to exfiltrate data from many parts of the network, completely undetected. Monitoring of Equifax's legacy systems was unreliable, which allowed the attackers to create, modify and copy personal/personally identifiable data at will. Without host-level monitoring, Equifax could not detect the malicious activity on its own servers.
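As an added example of host-level monitoring (not code from the original article or from Equifax's environment), the following takes a hashed baseline of a web root and reports files that were later added or changed, singling out new server-side scripts, which is what a dropped web shell looks like from the host. The web root, file names and contents are constructed for the demonstration; the "web shell" is an inert placeholder.

```python
"""Added example: detect files dropped into or altered in a web root by diffing
the current tree against a hashed baseline taken at deployment time.

A web shell is a server-side script the attacker writes into a directory the
web server already serves. It leaves nothing in network captures that are not
inspected, but it does change the file system; a baseline comparison run on
the host catches it regardless of how the attacker's traffic is encrypted.
"""
import hashlib
import os
import tempfile
from typing import Dict, List

SCRIPT_EXTENSIONS = {".jsp", ".jspx", ".php", ".asp", ".aspx", ".ashx"}


def hash_tree(root: str) -> Dict[str, str]:
    """Map each file's path relative to root to its SHA-256 digest."""
    manifest: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences; new server-side scripts are the classic web-shell footprint."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    suspicious = [p for p in added if os.path.splitext(p)[1].lower() in SCRIPT_EXTENSIONS]
    return {"added": added, "removed": removed, "modified": modified,
            "suspicious_new_scripts": suspicious}


def write_file(root: str, relpath: str, content: bytes) -> None:
    """Write content to relpath (slash-separated) under root, creating directories."""
    full = os.path.join(root, *relpath.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(content)


def run_demo() -> Dict[str, List[str]]:
    """Constructed scenario: a clean deployment, then a dropped script and an edited page."""
    webroot = tempfile.mkdtemp(prefix="webroot-")
    write_file(webroot, "index.jsp", b"<html>portal</html>")
    write_file(webroot, "static/site.css", b"body { margin: 0 }")
    baseline = hash_tree(webroot)  # taken at deployment time, stored off-host

    # Post-compromise changes (constructed, inert content, not a real web shell).
    write_file(webroot, "static/img/.cache.jsp",
               b"<%-- placeholder standing in for a web shell --%>")
    write_file(webroot, "index.jsp", b"<html>portal<!-- altered --></html>")

    return compare(baseline, hash_tree(webroot))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

The baseline must be stored somewhere the web server cannot write, and the comparison should run on a schedule or from a file-integrity agent; an attacker with write access to the web root can otherwise update the baseline along with the shell.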
Incident response plan
It is evident that, whatever incident response process existed, it was not followed properly by all the staff involved. Poor communication between staff and executives also led to sloppy decisions that affected hundreds of millions of individuals. Regardless of size, an organization should rehearse its incident response plan and surface any red flags in it before a real incident occurs. Even if incident response is outsourced, the organization must still follow the process and make sure each staff member knows their role and responsibilities.
Process and procedure
Equifax was aware of the breach for about six weeks before it published the incident. It is also notable that the Company's security function had been moved from under the CIO to the office of the Chief Legal Officer, separating it from the IT organization it needed to work with. Together these point to the absence of a documented and exercised plan, procedure and policy for dealing with risk. Organizations should have such a plan for security breaches, and every department that handles data should know what actions it must take.
Train the staff members
Another key takeaway from the Equifax data breach is that customer data must be handled as carefully as the network that holds it. An organization must ensure its staff are well trained to handle personal, sensitive and critical data, with regular sessions on vulnerability management, attack response, and the ways in which attackers try to steal data from systems. Engaging outside experts also helps the organization keep abreast of developments.
Conclusion
Equifax is only one example; many organizations fall prey to similar incidents. It is often said that cybersecurity is a people problem rather than an IT problem, and the protection of personal data is a long-term concern. The Equifax breach resulted from failures at many levels, some human and some technological. Such failures are reduced by having proper policies and procedures and actually following them, and regulators have since raised expectations through laws such as the GDPR in the European Union and the CCPA in California. Rather than waiting for a situation like the one Equifax faced, organizations should take a proactive approach to their security programs instead of a reactive one.