Our Thoughts On The Equifax Breach Of 2017

Cross Posted from Net Friends

We have been asked by several of our customers what they should do to respond to one of the biggest data breaches ever, the Equifax Breach of 2017 that resulted in the potential loss of sensitive information that could be used for identity theft, impacting just under half of the entire US population, or 143 million people.

Our guidance on a personal level is to assume your identity data held by these credit bureaus has been already compromised or will be soon, and the only preventative and protective actions available to us consumers are setting up credit freezes with the four main credit bureaus, linked here: Equifax, Experian, Innovis and Trans Union.

If you are a business owner or a stakeholder in a business, we recommend you perform an IT Risk Assessment on your business.

There are plenty of articles providing guidance to individuals regarding placing credit freezes or increasing their scrutiny and use of free credit reports; all standard advice given to individuals in the immediate aftermath of an identity theft scare or event. Below is Net Friends expert and candid advice regarding this situation that goes well beyond this standard advice.

At first, we had little to go on about the specifics of the breach. The scant details provided raised the specter that Equifax staff could not determine key facts about the breach, which was almost as troubling to us IT experts as it was to initially learn of the size and scope of the data that was breached. When scant details are shared about an incident, it usually means that several critical details are unknown or unconfirmed.

On September 13, 5 days after the public learned about the data breach and potentially as many as 60 days since Equifax internal staff learned of the data breach, we were given some information about how the hackers got into Equifax. In their own words: “We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

What most consumers need to know is that Equifax, along with thousands of other websites, uses Apache Struts and related components (also known as plug-ins) to make their webpages work properly. A good technical overview of both how Apache Struts works and the vulnerability that was exploited in the Equifax attack can be found here. But beyond the details, here are the main things we all can take away from this incident:

• Regularly updating web servers is critical, from the underlying operating systems running on the servers through each and every plugin that is installed.

• Websites that are of particular concern are those that can regularly obtain or query data, either by collecting it using forms or file uploads, or that present or publish data upon request. These websites need additional protections and regular assessments from a security perspective to test their vulnerabilities.

• Developers of websites need to be on the lookout for security-related articles about vulnerabilities and problems with the programs and plugins they use. Several articles, like this one from March 2017 and earlier, were written about the Apache Struts vulnerabilities. A patch wasn’t developed and sent out until early September for this vulnerability, but other steps could have been taken before then to mitigate the risks from this published vulnerability, using readily usable workarounds that were made available by March 19, 2017.
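The three points above come down to one routine: keep an inventory of every component a web application runs and compare each installed version against published advisories. The script below is an added example of that check, not code from Net Friends or from Equifax. It reads a constructed Maven pom.xml, extracts each dependency, and flags any whose version is below the advisory's fixed-in version. CVE-2017-5638 is the Struts identifier the post names; the fixed-in versions and the second advisory are placeholders constructed for this example, so real fix versions must be taken from the vendor's advisory.

```python
"""Dependency inventory check: flag installed components whose version is
below the fixed-in version published in a vulnerability advisory."""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not a real project's manifest).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.5.0</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>upload-plugin</artifactId>
      <version>1.4.2</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>logging-lib</artifactId>
      <version>3.0.1</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory table. CVE-2017-5638 is the Struts issue named in the
# post; the fixed_version values are PLACEHOLDERS for this example, not the
# real fix versions. EXAMPLE-ADV-0001 is invented.
ADVISORIES = [
    {"id": "CVE-2017-5638", "group": "org.apache.struts",
     "artifact": "struts2-core", "fixed_version": "2.99.0"},
    {"id": "EXAMPLE-ADV-0001", "group": "com.example",
     "artifact": "upload-plugin", "fixed_version": "1.4.2"},
]

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1); a tail such as '-rc1' is dropped."""
    parts = re.findall(r"\d+", text.split("-")[0])
    return tuple(int(p) for p in parts)


def inventory(pom_xml):
    """List (group, artifact, version) for every dependency in the pom."""
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.findall(".//m:dependency", MAVEN_NS):
        deps.append({
            "group": dep.findtext("m:groupId", namespaces=MAVEN_NS),
            "artifact": dep.findtext("m:artifactId", namespaces=MAVEN_NS),
            "version": dep.findtext("m:version", namespaces=MAVEN_NS),
        })
    return deps


def find_vulnerable(deps, advisories):
    """Return (advisory id, artifact, installed, fixed_in) for each dependency
    whose installed version is older than the advisory's fixed-in version."""
    findings = []
    for dep in deps:
        for adv in advisories:
            if (dep["group"], dep["artifact"]) != (adv["group"], adv["artifact"]):
                continue
            if parse_version(dep["version"]) < parse_version(adv["fixed_version"]):
                findings.append((adv["id"], dep["artifact"],
                                 dep["version"], adv["fixed_version"]))
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable(inventory(SAMPLE_POM), ADVISORIES):
        print("UPDATE NEEDED: %s %s installed=%s fixed_in=%s" % finding)
```

Running it flags struts2-core and leaves upload-plugin alone, because a component already at the fixed-in version does not need an update. In practice the advisory table is fed from a vulnerability feed rather than typed in, and the same comparison applies to operating-system packages and web-server modules, not only Java libraries.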

Key takeaways here are to remember that your websites are publicly available to anyone in the world, 24 x 7 x 365. Because of their accessibility, they are naturally more vulnerable. If you have a website, you need to make sure it is kept rigorously up-to-date both by your website host provider and your developer. Consider whether your website is of higher risk than others, and whether you need to invest more resources and time into keeping it regularly reviewed and secured by knowledgeable professionals through Risk Assessments or Penetration Tests (also known as PenTests).

While it’s tempting to jump to the TrustedID site and sign up for a year of free credit monitoring, consider this first: the website we all were directed to check to see if we were included in the 44% of Americans who were victims of the breach had several key problems at first, such as:

• Problematic and concerning Terms and Conditions, implying your legal rights would be limited if you enrolled in the service (they have since addressed this).

• Being directed to supply personally identifiable information into a website managed by the very same company that was responsible for a website-related data breach, which brought to mind the saying “Fool me once, shame on you; fool me twice, shame on me…”

• The TrustedID page also produced inaccurate information. After entering the full name for a person as “Test” and six digits of this fictitious person’s social security number as “123456”, it displayed this note: “Based on the information provided, we believe that your personal information may have been impacted by this incident.” It is hard to have high confidence that the site was giving viable results.

• The website Equifax hastily set up wasn’t something readily trustworthy like checkmycredit.equifax.com, which would have clearly indicated it was a webpage owned and managed by equifax.com. What Equifax did was register a new website address to publish updates and guidance with the address: https://www.equifaxsecurity2017.com/. In the aftermath of a major event there’s a lot of misinformation, and it’s clear that Equifax was trying to create a single place where consumers could go to get information about this breach. However, a new website address set up immediately after a major breach could just as well have been set up by criminals exploiting the immediate panic from the breach to prey on people seeking more information.

• These issues and several others helped give rise to lots of fear, uncertainty, and doubt on social media and elsewhere about whether children were impacted by this breach, among other concerns. Our take on these uncertainties about children being impacted is that they are likely true, but overstated. What we mean is that your children are very unlikely to have data at Equifax unless someone in your family already leveraged your kid’s identity to set up loans or utilities in your kid’s name, or your kids are already a victim of identity theft. If neither of these is the case, then it is not likely your kids are implicated.
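The point about checkmycredit.equifax.com versus equifaxsecurity2017.com is a check anyone can make mechanically: does the hostname sit under a domain the organization already owns, or is it a separate registration that merely contains the company name? The following is an added example, not code from Net Friends or Equifax, that classifies a link against a trusted-domain list. The trusted list is constructed for the example (equifax.com is the domain the post names); the classification labels are this example's own.

```python
"""Classify a link as 'trusted' (the organization's own domain or a
subdomain of it), 'lookalike' (contains the organization's name but is a
different registered domain), or 'unrelated'."""
from urllib.parse import urlsplit

# Domains a reader or help desk has decided to trust. Constructed for the
# example; equifax.com is the domain named in the post.
TRUSTED_DOMAINS = {"equifax.com"}


def hostname_of(url):
    """Extract the host the browser would actually connect to.
    urlsplit handles 'user@host' tricks: the part before '@' is not the host."""
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else ""


def is_trusted_host(url, trusted=TRUSTED_DOMAINS):
    """True only if the host equals a trusted domain or is a subdomain of one.
    Plain substring matching is deliberately avoided: 'equifax.com.example.net'
    must not pass."""
    host = hostname_of(url)
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify(url, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unrelated' for the given link."""
    host = hostname_of(url)
    if is_trusted_host(url, trusted):
        return "trusted"
    # The organization's name inside an untrusted host is the pattern a
    # hastily registered (or criminally registered) domain shares.
    if any(d.split(".")[0] in host for d in trusted):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links; the two .com names are the ones the post discusses.
    for link in [
        "https://checkmycredit.equifax.com/",
        "https://www.equifaxsecurity2017.com/",
        "https://equifax.com.example.net/",
        "https://equifax.com@example.net/",
        "https://example.org/",
    ]:
        print("%-45s %s" % (link, classify(link)))
```

The subdomain test is the heart of it: a hostname must end in ".equifax.com", not merely contain "equifax". The "lookalike" bucket does not prove a site is malicious, since Equifax really did register equifaxsecurity2017.com; it only says the name is not one the organization's existing domain vouches for, which is exactly why the post could not tell it apart from a criminal registration.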

The TrustedID site might be a valid portal for enrolling in a valid credit protection service with Equifax, but the 4 main problems above make it difficult for Net Friends to advise customers to take advantage of these services or to use the TrustedID site. The logic behind how the site was set up and how it appears to be working raises our doubts about whether participating in the services offered there will be effective in providing useful protections.

Sadly, we are not Equifax’s top priority as Americans and consumers. Equifax is in business to sell products to banks and other businesses who are assessing the credit worthiness of each of us. The credit bureaus (such as Equifax, Experian, Innovis, and TransUnion) are not incentivized to service our needs. Contrast the credit bureaus with Amazon or Walmart, two mega companies who would perish or be out competed if they didn’t prioritize the consumer experience and perception.

While this may sound cynical, based on the current incentives of the credit bureaus they are likely going to prioritize avoiding increased oversight and regulation by Federal and State government agencies as much as or even more than they will focus their energies on strengthening their system security and data integrity. Meaning they might spend as much or more on lobbying Congress as they will on improving cyber security.

If this incident has sufficiently weakened your trust in our credit bureaus but you don’t want to just run from the world or revert entirely to dealing in cash, there are still several steps you can take that we will elaborate on in future posts. At the end of the day, this Equifax data breach appears to be a standard data breach in that there was a vulnerability in some software that was exploited by a hacker to gain access to data they shouldn’t have.

We will repeat what we stated at the top of this article verbatim:
Our guidance on a personal level is to assume your identity data held by these credit bureaus has been already compromised or will be soon, and the only preventative and protective actions available to us consumers are setting up credit freezes with the four main credit bureaus, linked here: Equifax, Experian, Innovis and Trans Union.

If you are a business owner or a stakeholder in a business, we recommend you perform an IT Risk Assessment on your business.

If you have additional concerns, contact us to discuss and engage with our experts! We are in a terrific position to help you secure your website, assess your risks and company security approach, and help you continue to do what you do best while you work within our increasingly interconnected world.