The Equifax cyber security breach is big news right now. Here are a few of the relevant facts:
- The hack involved the personal data of some 143 million US consumers, including names, addresses, social security numbers, dates of birth and, in some cases, driving licence numbers
- The hack was first discovered by Equifax on 29 July, but the company only notified customers of the breach on 7 September
- Equifax shares dropped more than 13% in value on the same day that the announcement was made
- The Equifax Chief Information Officer and Chief Security Officer have both lost their jobs as a result of the breach
- The attack vector was a vulnerability in Apache Struts, an open-source web application framework used by the Equifax online dispute portal web application
Equifax's security team observed suspicious network traffic associated with its US online dispute portal web application on 29 July. The team continued to monitor the traffic and observed additional suspicious activity the following day, at which point the company took the affected web application offline. The company's internal review continued, and once a vulnerability in the Apache Struts web application framework had been identified as the initial attack vector, Equifax patched the affected web application before bringing it back online.
On 2 August, Equifax engaged a leading independent cyber security firm to conduct a privileged, comprehensive forensic review to determine the scope of the intrusion, including the specific data affected. Over several weeks the firm analysed the available forensic data to identify unauthorised activity on the network. This led to the discovery of a large-scale data breach and the announcement to customers on 7 September.
It is not yet clear when the Equifax network was first breached, or how long the attackers were inside before anyone noticed. What is clear is that it took more than a month after discovery to establish the full extent of the breach and go public. That gave the attackers at least a month to start exploiting the data before potential victims were made aware and could take steps to protect themselves.
This delay is crucial to the potential impact of the hack and exposes Equifax to legal claims from victims who lose money or suffer other harm as a result. It has also done significant damage to Equifax's reputation as a company and as a brand. Reputation is vital to any company, but even more so to one that deals in sensitive personal financial data. The company will do well to survive this incident.
No network can be 100% protected against intrusion, because every network is used and administered by human beings, and that makes it vulnerable. But every network can have a behavioural monitoring capability that flags unusual or suspicious activity as it happens, can automatically suspend an individual user's access, and can quickly tell administrators the scale of the problem, because the whole network is monitored continuously rather than examined only after the fact. Such a capability depends on having a baseline of what normal activity looks like for each user and system; without one it either misses the attacker or buries administrators in false alarms.
Equifax evidently did not have such monitoring in place, or what it had was not effective: by its own account, the intrusion came to light only when its security team noticed suspicious traffic on 29 July, and it then took weeks to establish what had been taken. Monitoring would not have prevented the initial compromise through the application vulnerability, but it would have limited the scale of the damage and given the company, and its CIO and CSO, a better chance of surviving the event.
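To make the kind of behavioural monitoring described above concrete, here is an added example; it is not code from this post, from Equifax or from any product. It parses constructed web-access log lines in a simplified, assumed format, builds a per-client profile (requests, bytes sent out, distinct dispute records touched), flags any client whose data egress or record enumeration is far above the median for all clients, and emits the alert-and-block actions the text calls for. The log format, the IP addresses, the thresholds and the function names are all assumptions for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# Simplified access-log line: client [timestamp] "METHOD path HTTP/x" status bytes_sent.
# The format is an assumption for this example; real portals log more fields.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)

# Constructed sample traffic: four ordinary portal users, each looking at their own
# dispute, and one client (203.0.113.5, a documentation address) walking through
# records one id at a time and pulling far more data out than anyone else.
SAMPLE_LOG = """\
10.0.0.11 [29/Jul/2017:02:10:01 +0000] "GET /dispute/status?id=1001 HTTP/1.1" 200 2210
10.0.0.11 [29/Jul/2017:02:10:09 +0000] "POST /dispute/upload HTTP/1.1" 200 310
10.0.0.12 [29/Jul/2017:02:11:44 +0000] "GET /dispute/status?id=1002 HTTP/1.1" 200 2198
10.0.0.13 [29/Jul/2017:02:12:03 +0000] "GET /dispute/status?id=1003 HTTP/1.1" 200 2307
10.0.0.13 [29/Jul/2017:02:12:40 +0000] "GET /dispute/status?id=1003 HTTP/1.1" 200 2307
10.0.0.14 [29/Jul/2017:02:13:15 +0000] "GET /dispute/status?id=1004 HTTP/1.1" 200 2250
203.0.113.5 [29/Jul/2017:02:14:00 +0000] "GET /dispute/status?id=5000 HTTP/1.1" 200 41900
203.0.113.5 [29/Jul/2017:02:14:01 +0000] "GET /dispute/status?id=5001 HTTP/1.1" 200 41877
203.0.113.5 [29/Jul/2017:02:14:02 +0000] "GET /dispute/status?id=5002 HTTP/1.1" 200 42010
203.0.113.5 [29/Jul/2017:02:14:03 +0000] "GET /dispute/status?id=5003 HTTP/1.1" 200 41950
203.0.113.5 [29/Jul/2017:02:14:04 +0000] "GET /dispute/status?id=5004 HTTP/1.1" 200 41988
203.0.113.5 [29/Jul/2017:02:14:05 +0000] "GET /dispute/status?id=5005 HTTP/1.1" 200 42105
"""


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped, not trusted."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def profile(records):
    """Aggregate per-client behaviour: request count, bytes sent out, distinct record ids touched."""
    stats = defaultdict(lambda: {"requests": 0, "bytes_out": 0, "record_ids": set()})
    for r in records:
        s = stats[r["client"]]
        s["requests"] += 1
        s["bytes_out"] += int(r["bytes"])
        id_match = re.search(r"[?&]id=(\d+)", r["path"])
        if id_match:
            s["record_ids"].add(id_match.group(1))
    return dict(stats)


def detect(stats, bytes_factor=10, ids_factor=5, min_clients=3):
    """Flag clients whose egress volume or record enumeration is far above the population median.

    The median is used as the baseline so that one heavy attacker cannot drag the
    threshold up to hide itself; the multipliers are assumed tuning values, not a standard.
    """
    if len(stats) < min_clients:
        return {}  # too few clients to form a meaningful baseline
    base_bytes = median(s["bytes_out"] for s in stats.values())
    base_ids = max(median(len(s["record_ids"]) for s in stats.values()), 1)
    findings = {}
    for client, s in stats.items():
        reasons = []
        if s["bytes_out"] > bytes_factor * base_bytes:
            reasons.append(f"egress {s['bytes_out']} bytes > {bytes_factor}x median {base_bytes:.0f}")
        if len(s["record_ids"]) > ids_factor * base_ids:
            reasons.append(f"{len(s['record_ids'])} distinct records > {ids_factor}x median {base_ids:.0f}")
        if reasons:
            findings[client] = reasons
    return findings


def respond(findings):
    """Turn findings into the actions the text calls for: an alert per client and a block of that client."""
    return [{"client": c, "action": "block", "alert": "; ".join(r)} for c, r in sorted(findings.items())]


def run(log_text):
    """Full pipeline over raw log text; returns the list of alert/block actions."""
    return respond(detect(profile(parse(log_text.splitlines()))))


if __name__ == "__main__":
    for action in run(SAMPLE_LOG):
        print(f"{action['action'].upper()} {action['client']}: {action['alert']}")
```

Run against the constructed log, the four ordinary clients fall well under both thresholds and only 203.0.113.5 is blocked, on two grounds: it sent out roughly 100 times the median volume and touched six distinct records where everyone else touched one. In practice the baseline would be learned per user and per application over a longer window than a single batch of lines, and the block would be an API call to the access gateway rather than a returned dict, but the shape of the logic is the same.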
Head of Cyber Security