Patrick Walsh
Originally published at blog.ironcorelabs.com.

How Not To Handle a Breach

Equifax exposed personal data belonging to nearly every US adult with a credit card, around 145 million people. The entire Social Security number system is compromised and must be reconsidered, as must the regulations surrounding data broker companies like Equifax.

This case is different from many breach cases; here, the data that was stolen wasn’t customer data. Equifax’s customers are companies. Instead, the victims of this breach are actually Equifax’s product.

Security Missteps

I won’t belabor how we got here. It isn’t the interesting part of the story. But let’s quickly recap what went wrong:

1. Patch Problems

The direct cause of the breach was Equifax’s failure to patch its Apache Struts installation against a vulnerability (CVE-2017-5638) that had been publicly disclosed and fixed in March 2017, about two months before the attackers got in. A fix existed; it simply wasn’t applied.

2. Failure to Properly Encrypt

Software flaws happen. Networks get compromised. The complexity of these systems is such that these things are almost inevitable. Smart companies encrypt their sensitive data so that even if a server is compromised, the thieves cannot read what they take. The caveat every practitioner should keep in mind is that this only helps when the decryption keys are not reachable from the compromised machine: an attacker who owns the application server with the application’s own privileges can usually ask it to decrypt, so keys belong in a separate key service, and decrypting an entire table in bulk should be impossible by design and visible in the logs. Unfortunately, Equifax has acknowledged that all of the stolen data was stored in unencrypted plaintext.
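As an added illustration of what “encrypt it” means in practice (example code written for this page, not Equifax’s systems and not code from the original post), the Go program below encrypts one sensitive column with AES-256-GCM before it reaches the database, ties each ciphertext to its row through the associated data, and then shows what a thief holding a full copy of the table actually gets. The table name, the Record type, the “Jane Example” row and the never-issued SSN 078-05-1120 are all constructed for the example; the key is generated in-process here purely for demonstration, where a real deployment would hold it in a KMS or a separate key service.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Record is one row of a hypothetical "consumers" table (an assumption made for
// this example). Name stays in the clear for lookups; SSN is only ever ciphertext.
type Record struct {
	ID        int
	Name      string
	SSNSealed []byte // nonce || AES-GCM ciphertext || tag
}

// NewDataKey makes a 256-bit AES key. In production it is generated and held
// by a KMS or key service, not on the web tier an RCE hands to the attacker.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds the AEAD for key: AES-256-GCM with 96-bit nonces.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad is the associated data that pins a ciphertext to one row and column,
// so a ciphertext copied into another row will not decrypt there.
func aad(id int) []byte { return []byte(fmt.Sprintf("consumers/%d/ssn", id)) }

// SealSSN encrypts ssn for row id and returns nonce||ciphertext||tag.
func SealSSN(key []byte, id int, ssn string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per value
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(ssn), aad(id)), nil
}

// OpenSSN decrypts and authenticates a sealed SSN for row id. A modified blob,
// the wrong key, or a blob moved from another row yields an error, never garbage.
func OpenSSN(key []byte, id int, sealed []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return "", fmt.Errorf("sealed value too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad(id))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// DumpLeaks models the thief's view after copying the whole table: does the
// given SSN appear anywhere in it as plaintext?
func DumpLeaks(rows []Record, ssn string) bool {
	needle := []byte(ssn)
	for _, r := range rows {
		if bytes.Contains([]byte(r.Name), needle) || bytes.Contains(r.SSNSealed, needle) {
			return true
		}
	}
	return false
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample row; 078-05-1120 is the never-issued "Woolworth" SSN.
	const ssn = "078-05-1120"
	rows := []Record{{ID: 1, Name: "Jane Example"}}
	if rows[0].SSNSealed, err = SealSSN(key, 1, ssn); err != nil {
		panic(err)
	}
	fmt.Println("plaintext SSN visible in stolen dump:", DumpLeaks(rows, ssn))
	pt, _ := OpenSSN(key, 1, rows[0].SSNSealed)
	fmt.Println("decrypted with the key held elsewhere:", pt)
	_, err = OpenSSN(key, 2, rows[0].SSNSealed) // same ciphertext, wrong row
	fmt.Println("ciphertext moved to another row:", err)
}
```

DumpLeaks is the thief’s view: the stolen rows contain the name but no readable SSN. OpenSSN refuses a blob that was copied from another row, modified, or opened with the wrong key, because GCM authenticates both the ciphertext and the row-binding associated data. The limit of the approach is exactly the caveat above: if the compromised web server can call OpenSSN with the key in hand, so can the attacker, so what separates the two in practice is where the key lives and how much decryption a single request is allowed to do.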

3. Sloppy Practices

Since the breach, Equifax has received a bit of scrutiny. Researchers found that Equifax’s Argentinian employee portal allowed login with the credentials “admin/admin”. This site stored the plaintext passwords of over 100 employees plus details on some 17,000 credit disputes, each containing the Argentinian equivalent of a Social Security number, again in plaintext.

Epic Post-Breach Blunders

Equifax’s response since learning of the compromise is even more instructive than the actual breach itself. We’ve seen many organizations with terrible data breaches who took their responsibility seriously and worked hard and in good faith to address the issue. Equifax is not one of them.

The company seems intent on writing the book on what not to do in a data breach situation.

1. Don’t Wait to Disclose

Breach timeline:

  • March 2017: Apache Struts security update is released
  • May 2017: Equifax is breached
  • July 2017: Breach is discovered
  • August 2017: Execs sell millions of dollars of Equifax stock
  • September 2017: Breach is disclosed

The U.S. has a patchwork of breach disclosure laws across states, and they apply based on where the impacted people live. So if anyone in Florida was impacted, and they were, then Florida’s breach disclosure law kicks in. Florida requires notification within 30 days of discovering the breach. Equifax waited 40 days, from discovery on July 29 to disclosure on September 7.

In those weeks, they were busy turning the stolen data into a business opportunity for their fraud-detection business. And some execs used the time for what looks a lot like insider trading.

2. Don’t Point Customers to a New Website

As part of their response, Equifax registered a new website, equifaxsecurity2017.com, where they sent people to find out if their information had been stolen.

Security services that monitor for phishing attacks against big brand names like PayPal and Equifax flagged the new domain as malicious and blocked it for their customers. That is the expected outcome: usually when someone registers something like paypalsupport.com, it’s because they’re trying to get unwary recipients to click a link and visit a malicious website, and a freshly registered domain built out of a brand name plus a few keywords is indistinguishable from that.

In addition, the name of this new website is confusing and easy to forget, which means a malicious person could make a convincing variant of it. In fact, a security researcher proved this point by registering securityequifax2017.com and making it look like the official site. Equifax’s own support team sent dozens of customers to that fake site by accident. It was lucky that the site they pointed to was run by someone making a point. Scammers have registered 194 other similar-sounding websites since the breach was disclosed. The safer pattern is to publish the notice on a domain people already trust and already see in their address bar, such as a path or subdomain of equifax.com, rather than teaching 145 million people to click through to a brand-new domain that looks exactly like a phishing site.
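A brand-protection team typically watches new registrations for variants of its own domains. The Go program below is an added example of that check, written for this page; it is not Equifax’s code and not the researcher’s. It classifies an observed domain against the official notice domain by four heuristics: the exact official name, a near miss (swapped TLD, inserted hyphens, or up to two changed characters), a reordering of the name’s tokens (which is exactly how securityequifax2017.com relates to equifaxsecurity2017.com), and the company name combined with one of the other tokens. The sample domain list is constructed; only the first two appear in the text above, and the token list and the two-character edit threshold are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule names why an observed domain was flagged ("" means not flagged).
type Rule string

const (
	None         Rule = ""
	Official     Rule = "official"
	NearMiss     Rule = "near-miss"          // tld swap, hyphens, 1-2 char edits
	TokenReorder Rule = "token-reorder"      // same tokens, different order
	BrandKeyword Rule = "brand-plus-keyword" // brand name plus another token
)

// splitDomain lowercases d and splits it at the last dot. It assumes a
// one-label public suffix such as .com; real code would consult the PSL.
func splitDomain(d string) (label, tld string) {
	d = strings.ToLower(strings.TrimSuffix(strings.TrimSpace(d), "."))
	if i := strings.LastIndex(d, "."); i >= 0 {
		return d[:i], d[i+1:]
	}
	return d, ""
}

// isPermutation reports whether s is every token concatenated exactly once
// in some order, e.g. securityequifax2017 for [equifax security 2017].
func isPermutation(s string, tokens []string) bool {
	if len(tokens) == 0 {
		return s == ""
	}
	for i, t := range tokens {
		if strings.HasPrefix(s, t) {
			rest := append(append([]string{}, tokens[:i]...), tokens[i+1:]...)
			if isPermutation(s[len(t):], rest) {
				return true
			}
		}
	}
	return false
}

// levenshtein is the plain edit distance (insert, delete, substitute).
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev, cur := make([]int, len(rb)+1), make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cur[j] = prev[j-1] // substitution, free when the runes match
			if ra[i-1] != rb[j-1] {
				cur[j]++
			}
			if prev[j]+1 < cur[j] { // deletion
				cur[j] = prev[j] + 1
			}
			if cur[j-1]+1 < cur[j] { // insertion
				cur[j] = cur[j-1] + 1
			}
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// Classify compares observed with the official notice domain. brand is the
// company's name token; tokens are the pieces the official label is built from.
func Classify(observed, official, brand string, tokens []string) Rule {
	ol, ot := splitDomain(observed)
	fl, ft := splitDomain(official)
	flat := strings.ReplaceAll(ol, "-", "") // equifax-security-2017 -> equifaxsecurity2017
	switch {
	case ol == fl && ot == ft:
		return Official
	case levenshtein(flat, fl) <= 2: // covers TLD swap, added hyphens, small typos
		return NearMiss
	case isPermutation(flat, tokens):
		return TokenReorder
	}
	for _, t := range tokens {
		if t != brand && strings.Contains(flat, brand) && strings.Contains(flat, t) {
			return BrandKeyword
		}
	}
	return None
}

func main() {
	// Constructed sample; only the first two domains appear in the post.
	for _, d := range []string{"equifaxsecurity2017.com", "securityequifax2017.com",
		"equifax-security-2017.com", "equifaxsecurlty2017.com", "equifaxbreach2017.com", "equifax.com"} {
		fmt.Printf("%-28s %q\n", d, Classify(d, "equifaxsecurity2017.com", "equifax", []string{"equifax", "security", "2017"}))
	}
}
```

The same heuristics are what the phishing-protection services mentioned above apply to brand names, which is why a brand-new equifaxsecurity2017.com looked to them exactly like a scam: one more reason to publish a breach notice under a domain the company already owns. Note that the company’s own short domain (equifax.com) is not flagged, because it contains the brand but none of the other tokens.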

3. Don’t Fake It

On that website, Equifax claimed you could check whether your data had been stolen. But it reported that data had been stolen even when fake names and Social Security numbers were entered, and in some cases it gave different answers depending on whether a person checked from a desktop machine or a mobile browser.

Due to the confusing and inaccurate website information, Equifax’s call centers were inundated and few people were able to get through.

4. Don’t Try to Profit From It

In one of their most disgusting moves, Equifax is trying to profit from their incompetence. And unfortunately, they’re likely to succeed. In August, after he knew about the breach, but before disclosing it, the CEO of Equifax gave a speech on the business opportunities ahead for Equifax’s fraud monitoring division. Here’s what we’ve seen from them so far:

a. The company offered impacted (and non-impacted) people a year of their own credit monitoring service for free, after which they automatically bill $17/month. This could net them over $200m/year if only a fraction of people sign up.

b. They charged people $10 to freeze their credit reports to stop identity theft. After being publicly shamed, they temporarily turned that off, but still charge to unfreeze.

c. Partner companies like LifeLock, which do little to actually stop or detect fraud, but which give Equifax a kickback, have seen a huge spike in sign-ups since the Equifax breach disclosure.

d. Equifax was deemed by the Federal Government to be the only supplier suited to provide anti-fraud services, which means they are getting multi-million dollar no-bid contracts from agencies like the IRS.

5. Don’t Try To Weasel Out of It

Initially, Equifax added legalese to its new website so that anyone who checked to see if they were affected automatically agreed to their terms-of-service, which included a clause waiving the right to sue in court or participate in a class action suit. It read, “By consenting to submit Your Claims to arbitration, You will be forfeiting your right to participate in any class action.” That move was so disgusting, that they had to backtrack and change the wording.

6. Don’t Shift the Blame

The Chief Information Officer and the Chief Security Officer both quickly “stepped down”, and that’s to be expected. Part of a security officer’s job description is to take the fall when something bad happens. In this case, the CEO also eventually resigned (note: he wasn’t terminated for cause). But that didn’t stop him from testifying before Congress that a single IT person screwed up by failing to notify the “appropriate IT team.” He also pointed the finger at their patch-scanning software.

Worst of all is the attribution game. Folks, whether or not a “nation-state” was responsible for a hack is beside the point, and so are the hints that one might have been. Even if a nation-state is responsible, if poor security opened the door, it doesn’t matter who walked in. The door should have been locked and the valuables inside stored in a safe.

Conclusion

At the end of the day, security wasn’t a priority for Equifax. They didn’t even encrypt the data. Equifax holds detailed information on millions of people, but those people aren’t their customers. They have no control over what data Equifax collects and stores about them. Corporations are the customers. So Equifax has little economic or regulatory incentive to keep their trove of consumer data secure.

Despite the ex-CEO’s claim that “we pride ourselves on being a leader in managing and protecting data,” they just aren’t. This breach isn’t even their first breach this year. They had another breach back in March in their TALX payroll division.

For Equifax, more fraud means more business. And for the CEO, resigning resulted in a windfall of as much as $90 million. Until privacy and security are enforced, we are unlikely to see a slowdown in news like this anytime soon. But let’s hope we don’t have to watch any more post-breach debacles of this scale. That’s very preventable.


Photo credits: Annette Shaff (with modifications)