Equifax Data Breach: Let the Blame Game Begin

By Christopher W. Folk (LAW ’17)

In the data breach, Equifax blames Apache >>> Apache rebuts—In the end consumers still lose

(Re-published from Crossroads: Cybersecurity Law & Policy | Sept. 11, 2017) In the wake of a massive data breach, Equifax appears to be blaming a vulnerability in the Apache Software Foundation’s Apache Struts Web Framework, according to a post on Apache.org.  

The Apache Struts Project Management Committee’s post goes on to say that the assumption that the Equifax breach may have relied on a vulnerability in the struts framework that was discovered on Sept. 4, 2017. The post posits that this indicates that if the attackers relied on this vulnerability this would be a zero-day exploit since the issue was not detected until well after the attacks which took place starting in mid-May of 2017.  Furthermore, the PMC’s post asserts that this particular exploit outlined in CVE-2017-9805 may have existed for nine years; however, it was not a known issue during that timeframe and in fact the PMC asserts that as soon as Apache became aware of the issue a fix was developed and made available.

PMC’s post goes on to outline a few key steps that businesses and individuals using Apache struts (or any other supporting software) should implement:

  1. Inventory the frameworks and libraries you are using in your software development and products and maintain visibility into new releases, patches, vulnerabilities, etc.
  2. For each of those, create and utilize a process to test and roll-out security fixes in shorter time-periods (e.g. days vs. weeks).
  3. Don’t build your products on the assumption that the software you are using is flawless.
  4. Create security layers: don’t create a situation where a breach from the presentation (e.g., webpage layer) can endanger underlying back-end data.
  5. Establish baselines to monitor for unusual traffic or data flows which will help to identify network anomalies and potential intrusions and exfiltrations.

By way of comment, I have written an open letter to Equifax …

Dear Equifax:

Please wake up and realize that finger-pointing, trying to blame Apache or any other software products—in addition to the incredibly poor-timing of the executive stock option sales before this breach was made public—are not going to help you in the court of public opinion, nor in any court of law where jurors may sit.

As a consumer, and a business professional, it would have been reassuring to learn that the breach was only to grab encrypted records, since that is how you should be storing our data, or to learn that you were giving those executives the boot since the mere appearance of impropriety was tantamount to deceit and malfeasance.  However, you chose instead to state that the executives had no idea there had been a breach days after it was discovered (in spite of the fact that the breach had been underway since mid-May) and then to assert that it wasn’t really your fault since the attacker used an exploit to exfiltrate unencrypted records.  

Furthermore, if you had performed input validation or sanitization then the vulnerability in struts could not have been exploited in the first place (see this post from Imperva).

Needless to say, at this early stage in the game, your handling of this breach ever since it has been discovered appears to be a case study in what not to do.  As your shares continue their downward movement and as consumers and businesses alike start to realize the repercussions of this breach, it is unlikely that you have issued a single statement or taken a single step to help yourself, or your consumers and users.

Several days after the breach was disclosed, some Equifax executives were able to sell their stock at around $145 to $146 per share. Today (Sept. 11) Equifax shares closed at $113.12.  Meanwhile 143 million of us are waiting to sign up for “free” credit monitoring so we can see when someone tries to use this data to steal our identities.  However, as the government OPM breach taught us, data is worth so much more than just identify theft.  Once you get enough data points on a person, the sky’s the limit.

In short, “thanks” for encrypting our precious data, which would have cost you a little bit of money and would have slowed down some of your back-end processes but would have made the attackers work a whole lot harder to grab our data (in a readable and usable format).

Sincerely,

John Q. Public

Christopher W. Folk is a 2017 graduate of SU College of Law.