Equifax Cybersecurity Failings Revealed Following Breach
19.9.2017 securityweek CyberCrime
Shortcomings revealed by researchers and cybersecurity firms following the massive data breach suffered by Equifax show that a successful hacker attack on the credit reporting agency’s systems was inevitable.
Some members of the industry pointed out last week that the company’s Chief Security Officer (CSO) Susan Mauldin was a music major with no educational background in cybersecurity or technology. Mauldin and Chief Information Officer David Webb retired from the company on Friday.
Others dug up old vulnerability reports that the firm had still not addressed and noted the lack of even basic protections on the company’s website. Even the website set up by Equifax to provide information about the breach was riddled with security holes and some services flagged it as a phishing site.
The organization does not have a vulnerability disclosure program that would allow and encourage security experts to responsibly report the flaws they find.
The Apache Struts 2 vulnerability leveraged by cybercriminals to breach Equifax systems had been known and exploited for roughly two months before the attack on the company. Equifax said its security team knew about the flaw and is now trying to determine why an online dispute portal, which served as the initial point of entry, remained unpatched.
Experts pointed out that the Apache Struts flaw is not easy to fix at scale: Struts is a library bundled into each web application rather than a component patched once at the operating-system level, so remediation means updating the dependency, rebuilding and redeploying every affected application, which in turn requires knowing which systems include it. However, they believe the problem can be addressed with modern security solutions.
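The inventory step is where large organizations typically fail, so as an added example (not code from Equifax, SecurityWeek or the Apache project) the script below walks a deployment root, finds every struts2-core jar, both exploded on disk and packed inside .war/.ear archives, and flags versions that fall in an affected range. The article does not name the advisory; the ranges used here are those published for Apache's S2-045 advisory (CVE-2017-5638), the flaw Equifax later confirmed, and they are a parameter the reader should adjust. The directory layout, application names and version numbers in the sample tree are constructed for the demonstration.

```python
"""Inventory struts2-core jars under a deployment root and flag affected versions.

Added example; the version bounds below are those of Apache's S2-045 advisory
(CVE-2017-5638) and are an assumption to adjust for other advisories.
"""
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Inclusive (low, high) version ranges listed as affected by S2-045.
VULNERABLE_RANGES = [
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5, 0), (2, 5, 10)),
]

# Matches e.g. struts2-core-2.3.30.jar or struts2-core-2.5.10.1.jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.5' -> (2, 5, 0); '2.5.10.1' -> (2, 5, 10, 1). Extra components are kept
    so that the fixed release 2.5.10.1 compares greater than 2.5.10."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version, ranges=VULNERABLE_RANGES):
    return any(lo <= version <= hi for lo, hi in ranges)


def find_struts_jars(root):
    """Yield (location, version) for struts2-core jars on disk or inside archives."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            m = JAR_RE.search(name)
            if m:
                yield str(path), parse_version(m.group(1))
            elif name.endswith((".war", ".ear")) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for entry in zf.namelist():
                        m = JAR_RE.search(entry)
                        if m:
                            yield f"{path}!{entry}", parse_version(m.group(1))


def scan(root):
    """Map each jar location to its parsed version and vulnerability verdict."""
    return {
        location: {"version": version, "vulnerable": is_vulnerable(version)}
        for location, version in find_struts_jars(root)
    }


def build_sample_tree(root):
    """Constructed sample deployment: two exploded apps and one packed WAR."""
    root = Path(root)
    lib_a = root / "dispute-portal" / "WEB-INF" / "lib"
    lib_a.mkdir(parents=True)
    (lib_a / "struts2-core-2.3.30.jar").write_bytes(b"")        # affected
    lib_b = root / "intranet" / "WEB-INF" / "lib"
    lib_b.mkdir(parents=True)
    (lib_b / "struts2-core-2.5.10.1.jar").write_bytes(b"")      # fixed release
    with zipfile.ZipFile(root / "reports.war", "w") as zf:
        zf.writestr("WEB-INF/lib/struts2-core-2.5.jar", b"")    # affected, inside WAR
    return root


def demo():
    """Build the constructed tree in a temp dir and return the scan report."""
    root = build_sample_tree(tempfile.mkdtemp())
    return scan(root)


if __name__ == "__main__":
    for location, verdict in sorted(demo().items()):
        flag = "VULNERABLE" if verdict["vulnerable"] else "ok"
        print(f"{flag:10} {'.'.join(map(str, verdict['version'])):10} {location}")
```

Run it against the real deployment root instead of the constructed tree (`scan("/opt/tomcat/webapps")`), and feed the output to whatever tracks rebuild and redeploy work; the version comparison deliberately keeps the fourth component so that the patched 2.5.10.1 release is not misreported as the affected 2.5.10.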
Comodo discovered that more than 388 records of Equifax users and employees are up for sale on the dark web. The information, which includes usernames, passwords and login URLs, was apparently stolen using Pony malware. The security firm pointed out that some Equifax credentials were also exposed in third-party incidents, including the massive LinkedIn and Dropbox breaches.
“From third-party (non-company system) sources, we uncovered that Equifax’s chief privacy officer, CIO, VP of PR and VP of Sales, used all lowercase letters, no special symbols, and easily guessable words like spouses’ names, city names, and even combinations of initials and birth year. This reveals that they didn’t follow basic security best practices and were lacking a complex password requirement,” Comodo said in a blog post.
Another security incident related to the company was brought to light by security blogger Brian Krebs, who was informed by researchers that an Equifax Argentina employee portal exposed 14,000 records, including credentials and consumer complaints.
The breach, the manner in which the company investigated the incident, and some of these security failings have led to a significant drop in Equifax shares. Before the hack was disclosed, Equifax stock was worth roughly $140, but it has now dropped to $92, and financial experts believe it could plunge as low as $50. The incident has already cost the company nearly $10 billion in market value.