Hello again! This post is our final installment of After the Hack, where we break down a handful of infamous hacks. For each hack, we’ll discuss what happened, how it happened, and what lessons were learned.
If you’re not caught up on our blog, make sure you check out the previous After the Hack articles, including the 2012 LinkedIn hack and the 2017 Delta Airlines’ breach.
We saved the best (or worst, depending on how you look at it) for last. Today, we’re going to take a look into the nasty 2017 Equifax data breach.
What happened to Equifax in 2017?
In September 2017, Equifax revealed that hackers had accessed the personal data of roughly 146 million consumers (most of whom were never Equifax customers; the company holds credit files on them regardless). For most of these people, Social Security numbers, birth dates, and addresses were exposed, and for a large subset driver’s license numbers as well.
Not to mention, the credit card numbers of hundreds of thousands more were put at risk.
Equifax first noticed suspicious traffic on one of its web applications on July 29, 2017, and in early August brought in Mandiant, a professional cybersecurity firm, to investigate. With Mandiant’s help, Equifax determined that attackers had been inside its network from May 13 through July 30.
Despite having this information, Equifax held off announcing the breach and its extent until September 7, 2017.
Once the announcement made the news, many consumers rushed to the site Equifax dedicated to handling inquiries. To make matters worse, that “inquiry site” was set up on a separate, unfamiliar domain that security researchers pointed out was hard to tell apart from a phishing site, and it steered visitors toward Equifax’s own credit monitoring service.
So, how did Equifax get hacked?
In March 2017, a security hole exploited by the hackers was revealed to Equifax, but the credit company failed to patch its systems.
This security hole let the hackers run their own commands on one of Equifax’s public web servers, and from there reach its databases. The vulnerability was Apache Struts CVE-2017-5638 (Apache advisory S2-045): a crafted Content-Type header on a file upload request made the framework’s Jakarta Multipart parser fail, and the error message it built was evaluated as an OGNL expression, so whatever the attacker put in that header ran on the server. Yes, that sounds like a lot of gibberish. But let’s unpack it.
Apache Struts is a popular open-source Java web framework that medium-to-large companies use to make it easier for developers to build custom web applications end to end.
The important thing to know is that the Apache Software Foundation, which maintains Apache Struts, released fixed versions (Struts 2.3.32 and 2.5.10.1) at the same time it publicly disclosed the flaw in March 2017. There were clear and simple instructions for how to remedy the situation: upgrade to a fixed version.
The Equifax data compromise occurred due to Equifax’s – not Apache’s – failure to install the latest Struts security updates.
By not patching the system, Equifax left the door open. The attackers used the flaw to run commands on the web server with the privileges of the application, planted web shells to keep their access, and then found a file of unencrypted database credentials that let them query dozens of databases holding personal information (48 of them, according to the later GAO review). In effect, they could pull any data they wanted straight from the databases.
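To make the Struts flaw concrete, here is an added example (not Equifax’s or Apache’s code) that flags the kind of request used against CVE-2017-5638. Legitimate Content-Type values are plain media types such as multipart/form-data; exploit requests instead carried an OGNL expression in that header. The log format and every log line below are constructed for this example, as are the hypothetical client addresses and paths.

```python
"""Flag HTTP requests whose Content-Type header carries an OGNL expression.

Added example for the CVE-2017-5638 (Struts advisory S2-045) discussion.
The log format ("<client> <method> <path> content-type=<value>") and the
sample lines are constructed; real servers log the header differently.
"""
import re
from typing import List, NamedTuple, Optional

# Substrings that never belong in a legitimate Content-Type value but show up
# in the OGNL payloads that targeted the Jakarta Multipart parser.
OGNL_MARKERS = (
    "%{",                 # Struts OGNL expression delimiter
    "${",                 # alternative delimiter also evaluated by OGNL
    "#_memberAccess",     # sandbox object the payloads tampered with
    "@ognl.OgnlContext",  # static reference used to reach the sandbox settings
    "ProcessBuilder",     # usual command-execution primitive in payloads
)

LOG_LINE = re.compile(
    r"^(?P<client>\S+) (?P<method>\S+) (?P<path>\S+) content-type=(?P<ctype>.*)$"
)


class Hit(NamedTuple):
    client: str
    path: str
    marker: str


def ognl_marker(content_type: str) -> Optional[str]:
    """Return the first suspicious marker found in a Content-Type value, else None."""
    for marker in OGNL_MARKERS:
        if marker in content_type:
            return marker
    return None


def scan(lines: List[str]) -> List[Hit]:
    """Parse constructed request-log lines and return one Hit per suspicious request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        marker = ognl_marker(m["ctype"])
        if marker:
            hits.append(Hit(m["client"], m["path"], marker))
    return hits


# Constructed sample: one normal upload, one exploit attempt, one normal GET.
SAMPLE_LOG = [
    "203.0.113.7 POST /dispute/upload content-type=multipart/form-data; boundary=----FormBoundary7MA4",
    "198.51.100.23 POST /dispute/upload content-type=%{(#_='multipart/form-data')."
    "(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='whoami')}",
    "203.0.113.9 GET /index.action content-type=application/x-www-form-urlencoded",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"suspicious request from {hit.client} to {hit.path}: found {hit.marker!r}")
```

A signature like this is a detection aid, not a fix: attackers can vary the payload, and a request that matches has already reached the server. It is useful for answering “were we probed?” after the fact, which is exactly the question Equifax could not answer quickly. The fix is the patch.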
Back up a second, what is a patch?
A patch is a software update that changes an already-installed program, usually to correct a specific defect. Vendors ship patches between full releases so that a fix reaches users without waiting for the next version.
Why is patching a system important?
Patches do many things– they fix software bugs, address new security vulnerabilities, fix software stability issues, and much more.
The fact that Equifax was first compromised in May 2017, two months after the fix was available, shows that Equifax did not follow the Apache Software Foundation’s advice and did not install the recommended update. Had it done so, this entry point would have been closed.
So yes, every little software patch is important.
The legal aftermath.
Lawmakers are still waiting for some action to be taken against Equifax.
While the Bureau of Consumer Financial Protection and the Federal Trade Commission have opened investigations into Equifax’s breach, neither has taken any action.
So far, the company has paid nothing in fines to the government.
However, Equifax agreed to a number of data security rules under a consent order with eight state financial regulators that was announced in June 2018. These states include Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina, and Texas.
If Equifax does not follow specific steps outlined in a data protection policy, the regulators in these eight states will be able to take punitive action.
What about the hackers? Who did it?
At the time of writing, no one has been publicly identified as responsible. We can assume that the hackers are still at large.
Lessons Learned for SMBs.
For businesses of all sizes, the Equifax breach serves as a cautionary tale. Here are our 5 big takeaways for small-to-mid-sized businesses:
1. Software can be vulnerable to security attacks.
Software is written by humans, so naturally, human error comes into play. As a result, unintended flaws may happen, and they may leave an opportunity for an attack from malicious hackers.
2. Have a patch management policy.
A patch management policy is a defined process for handling updates to every component of the company’s information system: routers, firewalls, servers, operating systems, and the application frameworks and libraries (like Struts) that run on top of them.
In the best cases, a patch management policy covers each patch end to end: assess whether it applies to you and how urgent it is, test it, install it within a set deadline, and document that it was done. The last step matters; Equifax circulated the Struts advisory internally and still had no record that the affected application had been fixed.
If you outsource your IT, make sure your managed service provider is held accountable for patching your system.
3. If you have systems in place to scan your network, make sure they actually work.
Once the attackers were in the Equifax network, they remained undetected for roughly two and a half months, even though Equifax had a device in place to inspect network traffic for exactly this kind of activity.
How does that happen? The device decrypted outbound encrypted traffic so it could be inspected, and that requires a valid digital certificate. Equifax’s certificate on that device had expired many months earlier, so the device could no longer decrypt anything and simply passed encrypted traffic through uninspected. The attackers’ data exfiltration rode out inside that blind spot, and it was only noticed once the certificate was finally renewed.
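The lesson is that a monitoring control needs its own monitoring, and certificate expiry is the simplest case. Here is an added example (not Equifax’s code) that pulls the expiry date from a live TLS endpoint with Python’s standard library and classifies each certificate as ok, expiring soon, or expired. The device names, the reference date, and the certificate dates are constructed so the check runs offline; the date format is the one Python’s ssl module returns from getpeercert().

```python
"""Warn before a TLS certificate expires, so inspection devices do not go blind.

Added example. fetch_not_after() talks to a real endpoint; the sample
certificate dates, device names and the AS_OF reference date are constructed.
"""
import socket
import ssl
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple


class CertStatus(NamedTuple):
    name: str
    days_left: int
    state: str  # "ok", "expiring", or "expired"


def fetch_not_after(host: str, port: int = 443) -> str:
    """Return the notAfter field of a live endpoint's certificate, formatted the
    way ssl.getpeercert() returns it (e.g. 'Jun 30 12:00:00 2018 GMT')."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_until_expiry(not_after: str, now: datetime) -> int:
    """Whole days from `now` until notAfter; negative once the certificate has expired."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).days


def classify(days_left: int, warn_days: int = 30) -> str:
    if days_left < 0:
        return "expired"
    if days_left <= warn_days:
        return "expiring"
    return "ok"


def check_all(certs: Dict[str, str], now: datetime, warn_days: int = 30) -> List[CertStatus]:
    """Evaluate a name -> notAfter mapping and return one status per certificate."""
    results = []
    for name, not_after in certs.items():
        days = days_until_expiry(not_after, now)
        results.append(CertStatus(name, days, classify(days, warn_days)))
    return results


# Constructed reference date and certificate inventory.
AS_OF = datetime(2017, 7, 29, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "ssl-inspection-01": "Jan 31 23:59:59 2016 GMT",  # expired long ago: device is blind
    "www-edge-01": "Aug 15 12:00:00 2017 GMT",        # 17 days left: renew now
    "vpn-gateway-01": "Dec 31 23:59:59 2018 GMT",     # fine
}


def run_check() -> List[CertStatus]:
    return check_all(SAMPLE_CERTS, AS_OF)


if __name__ == "__main__":
    for status in run_check():
        print(f"{status.name}: {status.state} ({status.days_left} days left)")
```

Wire the output into whatever already pages someone at 3 a.m. An inspection device with an expired certificate fails open by design, so nothing else will tell you it has stopped looking.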
4. Segment your network.
All roads should not lead to Rome – or in this case personal information. In addition to patch management and monitoring, it’s also a smart idea to segment and protect personal information and other sensitive data to reduce risk.
The attackers were able to move around the Equifax network because the network was relatively flat: the compromised web server could reach many different databases directly, and the credentials they found worked across them. A web application that only needs one database should only be able to reach that one database.