Washington must get to ‘dirty bottom’ of Equifax data breach

Senate minority leader calls for hearings and says scandal is worst since Enron

Data breach: A monitor displays Equifax signage on the floor of the New York Stock Exchange (NYSE). Photograph: Michael Nagle/Bloomberg
Data breach: A monitor displays Equifax signage on the floor of the New York Stock Exchange (NYSE). Photograph: Michael Nagle/Bloomberg

Equifax tumbled in New York trading on Thursday after saying the hackers that stole data on 143 million US consumers exploited a vulnerability that the company could have fixed two months before it was breached.

The disclosure suggests that Equifax may have been slow to take basic steps to secure its most sensitive data, and will likely add to calls for stronger oversight of an industry whose information in the hands of criminals can enable the worst kinds of identity theft and fraud.

The company faces a Federal Trade Commission investigation and calls to testify before Congress.

“The vulnerability was Apache Struts CVE-2017-5638,” Equifax said in a frequently-asked-questions section of a website it set up to help people affected.

READ SOME MORE

The Apache Software Foundation, which oversees the open-source software, had issued a patch for the flaw in March. Equifax said it discovered the breach on July 29th and that it had been occurring since mid-May.

The data breach is “one of the most egregious examples of corporate malfeasance since Enron,” Senate minority leader Chuck Schumer said Thursday. He added that the company’s chief executive and board should quit if they don’t act to address the situation within a week, .

“We need to get to the bottom of this, the murky bottom, the dirty bottom,” the New York Democrat said in calling for Senate hearings on hackers’ theft of data.

Enron, the Texas energy trader, collapsed in 2001 after lying about its finances.

Equifax fell 4.7 per cent to $94.34 at 10.38 am in New York. The stock has dropped 34 per cent since the company announced last week that hackers accessed sensitive data including social security numbers. That’s the worst four-day decline in the company’s history.

Shares of rival Experian, which trade in London, dropped as much as 6.4 per cent on Thursday.

Investigation

The FTC said it is investigating Equifax’s breach. The agency typically doesn’t comment on ongoing investigations, but confirmed the inquiry in light of “intense public interest and the potential impact of this matter”.

The Apache software is widely used by companies to help build websites. The two-month gap between when the patch was issued and when the attackers breached Equifax’s network was a particularly dangerous time, as hackers began immediately exploiting the flaw on websites that didn’t apply the fix, according to technology website Ars Technica.

“The Equifax data compromise was due to their failure to install the security updates provided in a timely manner,” the Apache Software Foundation said in a statement on its website.

But security professionals say many companies take weeks or even months to apply software patches, as applications need to be tested to ensure the updates don’t break existing code.

Apache Struts software is especially time-consuming to update because each application needs to be fixed individually. But a delay of several months to remove a high-priority vulnerability is generally considered a dangerous security practice.

“If this is indeed a capital offense, then I’d say that the majority of organisations are guilty,” said Rick Holland, vice president of strategy at Digital Shadows, a cyber-intelligence firm with offices in London and San Francisco.

“It is easy to Monday-morning quarterback and say, ‘Why didn’t you patch?’ The pragmatic reality for many organisations is that patching doesn’t occur as quickly as one would like.”

Crown jewels

The bigger question to many cyber-security experts is why some of Equifax’s crown jewels were accessible essentially from the open internet, a question that Equifax has not addressed.

The company hasn’t specified when it sought to patch the flaw, or what other mechanisms the attackers used once inside the network to access the consumer data. The vulnerability was a critical weakness for many large websites that were built using the software.

In announcing the incident on September 7th, Equifax initially blamed a “website application” that it didn’t identify.

Rene Gielen, vice president at the Apache Software Foundation, said in an email Thursday that the group doesn’t have reliable information on how long it takes companies to apply patches for vulnerabilities.

While firms usually act within hours or days after an announcement, some companies don’t patch for years, he said.

“If a company has a data breach, like a Home Depot or whatever, they can sell hammers, nails, wood, whatever and generate revenue,” Jeff Dodge, senior vice president of investor relations at Equifax, said at an investor conference in November.

“We have a data breach, we’re not in too good a shape out of that, right? So data security and how we go about ensuring that is something we spend a lot of time and effort on.”

- Bloomberg