Luke Kaelin, Security Solutions Architect at 5thColumn, gives an expert analysis of the Equifax timeline and their handling of the incident.
In case you hadn’t heard on the news, or perhaps don’t use the Internet, Equifax (one of the three major purveyors, marketers, and collectors of all financial data in the U.S.) was hacked. There’s no clear information as to when this breach actually began, but we do know that it was detected on or about July 29th, 2017. Coincidentally, that was my youngest niece’s 4th birthday. I only bring that up as a lead-in to a worrying point: these credit bureaus will have an enormous impact on that generation’s lives, and if the way Equifax has handled this breach is any indication, I think they’re in for a pretty tough time.
Here’s what we know.
For the technical side, Equifax engaged the security firm FireEye, which by all accounts is a great choice given their experience in dealing with breaches of this magnitude. The technical details don’t seem to be the problem here, though. The real problem is that Equifax has almost completely exhausted any public goodwill it might have had.
We know that the breach could have started as far back as May of 2017, due to a vulnerability in Apache Struts that was being exploited in the wild at the time. Three days after that, some of Equifax’s top executives unloaded millions of dollars in stock ($1.8m to be exact). That could be coincidental, or it could be insider trading; the Federal Trade Commission has opened an investigation into that particular aspect of this whole mess. It doesn’t look too good from the standpoint of one of the 140+ million people who had their financial information exposed. Equifax also waited two months before announcing the breach to the public.
Any incident response team would have told them to come out with a strong and accurate message about the breach. Equifax did something else: they put their own business interests before those of the millions of people who were harmed. Or at least, that’s how it looks.
First, Equifax created a response website for consumers to visit and find out if their information had been compromised. The site was built on an unpatched WordPress installation and hosted on a completely separate domain from Equifax’s own. Why anyone would do this is beyond anything I could call reasonable. The domain they used was easily confused with similar domains that could be used for phishing. In fact, one ‘white hat’ hacker created a very similar domain to prove exactly this point. To make things worse, Equifax actually tweeted the phishing domain to consumers who were having trouble!
Fortunately, that look-alike site was controlled by a person with some integrity: a developer and security researcher named Nick Sweeting (@thesquashSH). Anyone without such altruistic intentions, however, could have used a similar clone to inflict massive damage on consumers with little to no recourse.
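The lesson of the look-alike domain is that a breach-response site hosted off your own domain is indistinguishable, to a consumer, from a phishing clone. Below is an added example (not from the article or from 5thColumn) of the triage a security team can run over newly registered or observed hostnames: anything under the official registrable domain is treated as official, anything else that carries the brand name or is a near-typo of it is flagged for review. All domain names are constructed placeholders.

```python
"""Flag observed hostnames that could be confused with an organisation's
official domain.  Added example; every domain below is a constructed
placeholder, and `acmecredit.com` stands in for the real company domain."""
from difflib import SequenceMatcher

def registrable(hostname: str) -> str:
    """Return the last two labels (e.g. 'acmecredit.com').  Assumes simple
    two-label public suffixes; production code should use a public suffix list."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def typo_similarity(candidate: str, official: str) -> float:
    """Similarity (0..1) of the second-level labels, ignoring the TLD."""
    a = registrable(candidate).split(".")[0]
    b = registrable(official).split(".")[0]
    return SequenceMatcher(None, a, b).ratio()

def classify(candidate: str, official: str, brand: str, threshold: float = 0.6) -> str:
    """Classify one hostname relative to the official domain and brand token."""
    if registrable(candidate) == registrable(official):
        return "official"            # a subdomain of our own domain: safe to promote
    if brand.lower() in candidate.lower():
        return "brand-lookalike"     # carries the brand but is not under our domain
    if typo_similarity(candidate, official) >= threshold:
        return "typo-lookalike"      # near-miss spelling of our domain
    return "unrelated"

def triage(observed, official: str, brand: str) -> dict:
    """Map each observed hostname to its classification."""
    return {h: classify(h, official, brand) for h in observed}

if __name__ == "__main__":
    # Constructed sample: a feed of hostnames seen in logs or CT entries.
    seen = ["www.acmecredit.com", "acmecreditsecurity2017.com",
            "securityacmecredit2017.com", "acmecredlt.com",
            "acmecredit.com.login-portal.net", "weather.example.net"]
    for host, verdict in triage(seen, "acmecredit.com", "acmecredit").items():
        print(f"{verdict:16} {host}")
```

Note that the company's own off-domain response site would itself land in the "brand-lookalike" bucket, which is precisely the point: if your own team cannot tell it from a clone, neither can your customers.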
Second, Equifax implied in the terms of this website that if you signed up for a free year of credit monitoring, you would have to agree not to take part in any lawsuit resulting from the breach. Once again, this may be a misguided attempt at protecting Equifax’s business interests, or it could be an oversight. It appears that no one put a lot of thought into the creation of the site, but it sure does leave me with a bad feeling about the whole thing. Equifax also seems to be attempting to make a profit off of its mistakes. The “free” year of credit monitoring likely won’t do any good: any decent group of hackers will simply wait out the year before selling the information or using it for their own profit. The free year also ends in an automatic renewal unless you go through the effort of opting out at the end of it. Combine this with the fact that Equifax intends to continue charging approximately $10 US for credit freezes, and anyone can do the math and figure out that Equifax stands to make billions from this breach. This leaves the rest of us in the lurch, with our personal information dumped on the Dark Web for any nefarious purpose that makes sense.
A number of tangentially related items have been reported in regard to the Equifax hack, such as an Argentinian site belonging to Equifax allowing outside access to the site’s CMS admin page with a username and password of admin:admin. It seems clear to security experts that Equifax didn’t try very hard to protect the data it had, and feels it has no obligation to protect consumers from its own mistakes.
So, what could they have done better?
Incident response requires that you have a plan for these cases. Write one, keep it updated, and practice it at least once a year, if not quarterly. Have a policy and make sure it works! Define who will fill the key roles in your IR plan, and make sure they know their part. An organization of Equifax’s size should have had an IT security staff that was empowered to apply defense-in-depth strategies to the systems that contained valuable data. That team should have been central to providing the information needed to craft a strong and accurate statement about what was going on. The phishing-prone domain and all-around shadiness of the breach response website should never have been allowed.
That strong and accurate message? It should have acknowledged that they had made mistakes, acted quickly to contain the problem, and implemented a solution. That message should have included an empathetic tone: “We’re going to make this right.”
Instead that message was “We’re the victims! We’ve lost profits! Here is a minimal effort, but you’re on your own.”
I’m not sure where we go from here; clearly large enterprises like Equifax, as well as lawmakers, aren’t prepared to handle events like these. The ordinary consumer (some American, some not) is left holding the bag for mistakes that were easily avoidable, along with the nauseating feeling that there is nothing we can do about it in the future. It’s definitely an enormous challenge to face.
Ultimately, the response that Equifax brought out in the wake of such a damaging breach was… inadequate, to say the least, and lots of people in the security community are calling it “epically bungled.”
For more information on 5thColumn’s incident response services, please go here.
Luke Kaelin has been with 5thColumn since 2016. He has over 16 years of experience in tech and is SANS GSEC certified. If you have questions about this specific incident or article, you can get in touch with Luke on his LinkedIn profile or at firstname.lastname@example.org.
UPDATE: Since this article was written, the CEO of Equifax, Richard Smith, has retired.