
Question


The Equifax Data Breach

AACSB Standards: Data Protection; Application

The Equifax data breach in 2017 was one of the six largest in U.S. history. This case asks you to think about how and why that breach happened.

Equifax is a credit reporting agency (CRA). It collects all sorts of personal and commercial information about individuals and companies. The information is sliced and diced into intelligence reports, which Equifax is able to sell to third parties.

According to security expert Bruce Schneier, the breadth and depth of information that [CRA] data brokers have is astonishing. [They] collect and store billions of data elements covering nearly every US consumer. These brokers collect demographic information: names, addresses, telephone numbers, e-mail addresses, gender, age, marital status, presence and ages of children in household, education level, profession, income level, political affiliation, cars driven, and information about homes and other property. They collect lists of things we've purchased, when we've purchased them, and how we paid for them. They keep track of deaths, divorces, and diseases in our families. They collect everything about what we do on the Internet.

Equifax grew through an acquisition program that started in 2005. In all, eighteen companies were bought, resulting in a huge and very profitable CRA. The acquisitions created an ongoing need to merge disparate legacy information systems. One of these systems was the Automated Consumer Interview System (ACIS), an internet-facing portal used to communicate with people who were disputing their credit score or other information Equifax had published about them. The ACIS back-end servers ran on legacy hardware from the now-defunct Sun Microsystems. The portal's web front end did not talk to those servers directly; incoming web requests were handled by an application layer built on Apache Struts, an open-source Java web application framework, which processed the requests and passed them on to the back-end systems.

On March 7, 2017, a vulnerability in the Apache Struts framework was publicly disclosed (CVE-2017-5638, Apache advisory S2-045). It could be triggered by a single crafted HTTP request, so a firewall that permitted ordinary web traffic to reach the portal offered no protection: a remote attacker could execute arbitrary commands on the server with the privileges of the web application and use that foothold to read and download its data. The vulnerability was known to be easy to exploit. Apache released a fixed version and published an advisory, and the Federal Government (through US-CERT) broadcast a notice that the patch needed to be applied immediately.

On March 9, a response team within Equifax alerted over 400 employees that anyone running Apache Struts on their systems should apply the patch within 48 hours. Applying a patch is not, in itself, a difficult task, and had Equifax applied the Struts patch the breach would not have occurred. For a number of reasons, it did not.

Equifax had no master inventory of the software running on its systems, so it had to scan its many internet-facing systems to find the ones using Apache Struts. The scan was run on March 9 and identified no vulnerable systems. It was later learned that the scan had been done incorrectly: it examined the top-level root directories of the systems, not the application directories where the Struts libraries were actually deployed, so the vulnerable ACIS installation was never seen.
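The scanning mistake above is worth seeing concretely. The following is an added example written for this case study (it is not Equifax's or Apache's tooling): a name-based scanner that contrasts a scan looking only at the top level of a filesystem root with a recursive scan that also looks inside deployed .war archives, where Struts JARs normally live under WEB-INF/lib. The patched versions for CVE-2017-5638 (advisory S2-045) are 2.3.32 and 2.5.10.1; the directory layout the script builds is constructed sample data.

```python
"""Locate Apache Struts 2 library JARs and flag unpatched versions.

Added example for this case study; it is not Equifax's or Apache's tooling.
It contrasts a scan that inspects only the top level of a filesystem root
(the mistake described in the case) with a recursive scan that also looks
inside deployed .war/.ear archives, where Struts JARs usually live.
Patched versions for CVE-2017-5638 (S2-045): 2.3.32 and 2.5.10.1.
The directory tree built by build_sample_tree() is constructed sample data.
"""
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Matches e.g. struts2-core-2.3.31.jar and captures the version string.
STRUTS_JAR = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_patched(version):
    """True if this Struts 2 version carries the S2-045 fix."""
    v = parse_version(version)
    if v >= (2, 5):
        return v >= (2, 5, 10, 1)
    return v >= (2, 3, 32)


def scan_root_only(root):
    """The flawed scan: looks only at the entries directly under root."""
    return [name for name in os.listdir(root) if STRUTS_JAR.search(name)]


def scan_recursive(root):
    """Walk every directory under root and also peek inside .war/.ear
    archives. Returns a list of (location, version) pairs."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            match = STRUTS_JAR.search(name)
            if match:
                found.append((str(path), match.group(1)))
            elif name.endswith((".war", ".ear")) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as archive:
                    for member in archive.namelist():
                        inner = STRUTS_JAR.search(member)
                        if inner:
                            found.append((f"{path}!{member}", inner.group(1)))
    return found


def find_unpatched(root):
    """Locations (with versions) that still need the S2-045 patch."""
    return [(loc, ver) for loc, ver in scan_recursive(root) if not is_patched(ver)]


def build_sample_tree():
    """Constructed sample filesystem: one exploded app with an old Struts,
    one patched app, and one vulnerable JAR hidden inside a .war archive."""
    root = Path(tempfile.mkdtemp(prefix="struts-scan-"))
    old = root / "opt/acis/tomcat/webapps/acis/WEB-INF/lib/struts2-core-2.3.31.jar"
    new = root / "opt/other/webapps/portal/WEB-INF/lib/struts2-core-2.5.10.1.jar"
    for jar in (old, new):
        jar.parent.mkdir(parents=True, exist_ok=True)
        jar.write_bytes(b"")  # contents are irrelevant to a name-based scan
    war = root / "opt/dispute/deploy/dispute.war"
    war.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(war, "w") as archive:
        archive.writestr("WEB-INF/lib/struts2-core-2.5.10.jar", b"")
    return str(root)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print("root-only scan found:", scan_root_only(sample_root))  # nothing
    for location, version in find_unpatched(sample_root):
        print("UNPATCHED", version, location)
```

The root-only scan returns nothing because the JARs sit several directories deep; the recursive scan reports both the exploded 2.3.31 install and the 2.5.10 JAR packed inside the .war. A production inventory should go further than file names: read the version from META-INF/maven/.../pom.properties inside the JAR, check running JVM classpaths, and keep the results in a central inventory so the next advisory does not require a fresh scan.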

On May 13, attackers entered ACIS through the Apache Struts vulnerability and dropped a web shell into it. The shell let them browse the ACIS file system and database and execute commands remotely. Among the files they found was an unencrypted file listing system administrator names, usernames and passwords for many Equifax systems. With those credentials they located and logged into 48 company databases. They could do this because Equifax's databases were not segmented: in a properly segmented environment, access to one system (such as ACIS) does not imply access to others, and it should not be possible to jump from one database server to the next, yet the attackers did exactly that. Over 76 days they created 30 web shells and ran about 9,000 queries against the 48 databases, locating 265 files of unencrypted personal information. The attackers compressed and encrypted these files and downloaded them over the internet through the ACIS web shell, so the exfiltration blended into the portal's normal encrypted traffic.

Equifax had intrusion detection hardware and software monitoring the ACIS system and should have been able to spot data leaving it. But the certificate installed on the device that decrypted traffic for inspection had expired 19 months earlier. Digital certificates are issued by third-party certificate authorities that vouch for a server's identity; a certificate is what lets a user's web browser establish trusted, encrypted communication with a company's web server, and the inspection device needed a valid one to decrypt and examine that traffic. Certificates have a fixed expiry date, typically one to three years out, and can be renewed at nominal cost. With the certificate expired, encrypted ACIS traffic still passed back and forth (the device failed open rather than blocking traffic), but it could no longer be decrypted, so Equifax had no visibility into what was inside.

On July 29, Equifax renewed many expired certificates, including the one on the ACIS inspection device. Security staff immediately noticed suspicious web traffic to and from an IP address in China. On July 30, Equifax identified several vulnerabilities in the ACIS code and shut down the ACIS web portal, which ended the cyberattack.

On August 2, Equifax hired the cyber forensics firm Mandiant. Working with Mandiant, Equifax was able to compile a list of more than 140 million individuals and companies affected by the breach. Working feverishly in August, Equifax set up a web site and a call center, so that individuals could find out if their data had been compromised and to register affected people for credit monitoring and identity theft services. Equifax announced the data breach to the public on September 7th. The web site and call center were overwhelmed by the volume of requests for information. Only very slowly could people find out if they were affected.

The data breach was investigated by the House of Representatives. In testimony, certain management problems were revealed.

In 2005 the then Chief Information Officer (CIO) and the then Chief Security Officer (CSO) could not get along, and so Security was moved out of IT to the Legal Affairs office. This odd organizational arrangement persisted into 2017. Security was tasked with setting policy, and IT was charged with implementation. Inevitably, communication between the groups was slow or ineffective.

The company's patching policy was a good example. By policy, whenever a patch was required, (1) the business owner approved system downtime, (2) the system owner applied the patch, and (3) the application owner verified that the patch had been applied correctly. But the company kept no list of business owners, system owners or application owners, so it was never clear who was responsible for what when a patch was required. Thus, even if the company had identified its Apache Struts systems in March 2017, it is not clear that the patch would have been applied in a timely manner. Security certificate renewal was another example: the company had no certificate renewal management plan. Both issues, patches and certificates, had been identified as problems in a 2015 security audit, but they went unaddressed. As a further example, the company did not use File Integrity Monitoring (FIM) on its servers. FIM software records a baseline of the files on a server and raises an alert when a file is added, changed or removed. FIM would have detected the 30 web shells the attackers dropped.
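To make the FIM point concrete (and the web-shell drop described earlier), here is an added example written for this case study, not Equifax's tooling or any vendor's product: a minimal file integrity monitor that baselines a web root with SHA-256 digests and then reports added, modified and deleted files. The web root it builds and the post-compromise changes it simulates are constructed sample data; the "web shell" is a placeholder comment, since the monitor only cares that a new file appeared.

```python
"""Minimal file integrity monitor (FIM) for a web application directory.

Added example for this case study; it is not Equifax's tooling or a
product. It records a baseline of SHA-256 digests for every file under a
web root and then reports files that were added, modified or deleted,
which is how a dropped web shell (a new .jsp under the web root) is caught.
The directory built by build_sample_webroot() is constructed sample data.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files stay out of memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map of relative POSIX path -> SHA-256 digest for every file under root."""
    root = Path(root)
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            state[path.relative_to(root).as_posix()] = hash_file(path)
    return state


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh snapshot."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "modified": modified, "deleted": deleted}


def detect_changes(root, baseline):
    """Re-scan root and return the change report against the baseline."""
    return compare(baseline, snapshot(root))


def build_sample_webroot():
    """Constructed web root standing in for a deployed application."""
    root = Path(tempfile.mkdtemp(prefix="fim-"))
    (root / "WEB-INF/lib").mkdir(parents=True)
    (root / "index.jsp").write_text("<html><body>Dispute portal</body></html>\n")
    (root / "WEB-INF/web.xml").write_text("<web-app/>\n")
    (root / "WEB-INF/lib/app.jar").write_bytes(b"PK\x03\x04")
    return str(root)


def simulate_intrusion(root):
    """Constructed post-compromise changes: a new file dropped under the web
    root (placeholder for a web shell), a tampered page, and a removed JAR."""
    root = Path(root)
    (root / "cgi").mkdir()
    (root / "cgi/cmd.jsp").write_text("<%-- placeholder for a dropped web shell --%>\n")
    (root / "index.jsp").write_text("<html><body>Dispute portal (edited)</body></html>\n")
    (root / "WEB-INF/lib/app.jar").unlink()


if __name__ == "__main__":
    webroot = build_sample_webroot()
    baseline = snapshot(webroot)   # taken at deployment time, stored off-host
    simulate_intrusion(webroot)
    for kind, paths in detect_changes(webroot, baseline).items():
        for path in paths:
            print(f"{kind.upper():9s} {path}")
```

Two operational points follow from the design. The baseline must be stored and signed somewhere the monitored host cannot write to, otherwise an attacker with a web shell simply re-baselines after dropping it. And directories that legitimately change (logs, uploads, caches) need to be excluded or monitored separately, and the baseline refreshed as part of every deployment, or the alerts drown in noise and get ignored, which is no better than having no FIM at all.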

Critical Thinking Questions:

Review the five Consequences of a Successful Cyberattack (see Figure 2.4): direct impact, business disruption, recovery cost, legal consequences, and reputation damage. After the data breach, which of the five are the most likely consequences for the Equifax company?

Review the multi-layered security approach in The CIA Security Triad (see Figure 2.5). What organizational, network, application, end-user, and organizational assets layer faults do you see in Equifax's security?
