Equifax Breach: A Wrap-up?

This is the ninth blog in the running series on the Equifax data breach.

  1. Equif*@#$d: Equifax Breach Response Off To A Rough Start
  2. Equifax Breach: Legal, Vulnerability Blame Game, and the Big Technical Debacle
  3. Equifax Breach: EULAs, Size Doesn’t Matter, and Where’s The Data?
  4. Equifax Breach: The Bigger Picture, Identity, Impact, and Advice
  5. Equifax Breach: Ambulance Chasing, FireEye, and a News Roundup
  6. Equifax Breach: Timeline, International, Patching, Gender, PCI, oh my!
  7. Equifax Breach: Cyber Insurance To The Rescue?!
  8. Equifax Breach: Updated Timeline, Phishing, Regulation, and a Roundup

After recently going nearly 24 hours without seeing any mention of Equifax on Twitter, it feels like this incident has finally wound down, perhaps already fallen out of people’s memory. Since it has been almost a month since our last update, we are overdue for a round-up, and possibly a wrap-up of this blog series. While it has been some time since the last post, there has certainly been no lack of interesting developments!

Running Timeline

Here are some updates since the last timeline we posted, with additional events for easy reference.

2017-02-14 – Apache notified of the vulnerability (ref: email between RBS / Apache)
2017-02-18 – Apache assigns a CVE ID (ref: email between RBS / Apache)
2017-03-06 – Apache announced and released upgrade to resolve vulnerability (ref)
2017-03-07 – Vulnerability published in VulnDB (ref)
2017-03-07 – Exploit published (ref)
2017-03-10 – MITRE opens up CVE ID with description and 7 references (ref)
2017-03-10 – NVD adds to their database via CVE. No updates since (ref)
2017-03-10 – Alleged Equifax breach occurred according to recent reporting (ref)
2017-03-14 – CERT releases advisory on vulnerability (ref)
2017-03-14 – Equifax says they are aware of the vulnerability (ref)
2017-05-13 – Equifax breach occurred, per statement from the company (ref)
2017-07-29 – Equifax detected breach (ref)
2017-07-30 – Equifax patched the vulnerability (ref)
2017-08-01 – Equifax CFO and Pres. of US Information Solutions both sold stock shares (ref)
2017-08-02 – Equifax President of Workforce Solutions sold stock shares (ref)
2017-08-02 – Equifax contacted Mandiant to help with incident response (ref)
2017-08-10 – Equifax acquires ID Watchdog, an identity theft protection service provider (ref)
2017-09-07 – Equifax notified public of breach (ref)
2017-09-07 – First class-action lawsuit filed against Equifax (ref)
2017-09-15 – Equifax CSO & CIO ‘retire’ (ref)
2017-09-19 – Massachusetts AG files lawsuit against Equifax (ref)
2017-09-20 – Equifax names interim CSO & CIO (ref)
2017-09-24 – Equifax CEO ‘retires’ (ref)
2017-09-27 – Equifax names interim CEO (ref)
2017-10-03 – Equifax CEO Smith testifies to U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection (ref)
2017-10-04 – Equifax CEO Smith testifies to Senate Committee on Banking, Housing, and Urban Affairs (ref)

Equifax Specific Metrics

  • Equifax time to patch: 138 days (aware 2017-03-14, patched 2017-07-30)
  • Equifax time to notice compromise: 77 days (breach 2017-05-13, detected 2017-07-29)
  • Equifax time to notify public: 117 days (breach 2017-05-13, notified 2017-09-07)
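The metrics above are just differences between timeline dates, but it is worth writing them down as explicit definitions so the numbers can be reproduced and the same yardstick applied to the next breach. The following is an example added to this post, not a tool from the original article: the dates are the ones in the timeline (Equifax's and Apache's own statements as quoted there), and the extra "fix available to compromise" window is computed from those same dates.

```python
"""Breach-timeline metrics, computed from the dates in the running timeline.

Example added to this post (not part of the original article).  The dates come
from the timeline above; the metric names and the end-exclusive day counting are
the conventions the post itself uses (e.g. 2017-03-14 to 2017-07-30 = 138 days).
"""
from datetime import date

# Dates from the running timeline above.
TIMELINE = {
    "vendor_fix_released": date(2017, 3, 6),   # Apache releases the fixed version
    "org_aware": date(2017, 3, 14),            # Equifax says it is aware of the vulnerability
    "compromise": date(2017, 5, 13),           # breach occurred, per Equifax's statement
    "detected": date(2017, 7, 29),             # Equifax detects the breach
    "patched": date(2017, 7, 30),              # Equifax patches the vulnerability
    "disclosed": date(2017, 9, 7),             # Equifax notifies the public
}


def days_between(events, start, end):
    """Whole days from events[start] to events[end], end exclusive."""
    return (events[end] - events[start]).days


def breach_metrics(events):
    """Return the response metrics a post-incident review normally reports.

    time_to_patch   : first awareness of the vulnerability -> fix applied
    dwell_time      : compromise -> detection
    time_to_notify  : compromise -> public disclosure
    exposure_window : vendor fix available -> compromise (how long the open
                      door stood there before anyone walked through it)
    detect_to_patch : detection -> fix applied
    """
    return {
        "time_to_patch": days_between(events, "org_aware", "patched"),
        "dwell_time": days_between(events, "compromise", "detected"),
        "time_to_notify": days_between(events, "compromise", "disclosed"),
        "exposure_window": days_between(events, "vendor_fix_released", "compromise"),
        "detect_to_patch": days_between(events, "detected", "patched"),
    }


if __name__ == "__main__":
    for name, days in breach_metrics(TIMELINE).items():
        print(f"{name:>16}: {days} days")
```

Running it confirms the three figures in the list (138, 77 and 117 days) and adds the one the list leaves out: the fix had been available for 68 days when the compromise began, and the patch went on one day after detection, which says a great deal about where the delay actually sat.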

Highlights of the Fallout

On October 12, an Equifax web site was found to be serving up adware via a malicious Flash Player download, according to Ars Technica. A security researcher who had noticed questionable things on his credit report visited the Equifax site and found that his browser opened a new tab recommending an Adobe Flash download. Instead of loading an Adobe web page, the new tab loaded an alternate URL, which delivered the Adware.Eorezo malware rather than Flash. After investigating, Equifax said the adware was served because of a third-party vendor, not a compromise of an Equifax server. This is another reminder of the risk that third-party code on a site introduces, and of why so many people now run ad-blockers. Not to be outdone, TransUnion’s Central America website was also found redirecting users to malware.

Earlier this month, news broke that the Internal Revenue Service (IRS) awarded a multi-million dollar fraud-prevention contract to Equifax. Equifax would help the IRS verify taxpayer identities in an effort to help prevent tax-fraud.

The IRS was to pay Equifax $7.25 million to verify taxpayer identities and help prevent fraud under a no-bid contract, even as lawmakers lashed the embattled company over a massive security breach that exposed the personal information of as many as 145.5 million Americans. Twitter user @alfredwkng offered some explanation of the contract before news came out that the IRS had temporarily suspended it.

As expected, the now ex-CEO of Equifax, Richard Smith, was summoned to testify before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection on October 3rd and then the Senate Banking Committee on October 4th. During the testimony, Smith made several claims that were interesting and questionable to say the least. First, he confirmed that the compromised data was not encrypted at rest. To the extent payment card data was among it, that is a failure against PCI DSS, which requires stored cardholder data to be rendered unreadable; note that PCI DSS is a contractual industry standard rather than a regulation, and it says nothing about the SSNs and other personal data that made up the bulk of the breach.

On the suspect side, he also blamed the entire data breach, some 145 million records, on a single IT employee: one person did not apply a single patch, and that caused the whole breach. While at some very low level that may technically be true, throwing one person under the bus is disingenuous to say the least. A patch-management program should never have a single point of failure like that, and a missed patch on an internet-facing system should be caught by routine vulnerability scanning regardless of who was responsible for applying it. As Troy Hunt asks, did that one person not patching also lead to executives selling shares, to Equifax standing up a dodgy site for consumers afterwards, and to everything else?

While Smith’s testimony was not very helpful and about what many expected, it did provide some amusement. Someone dressed as Rich Uncle Pennybags from the Monopoly board game photobombed parts of the testimony.

As mentioned, Richard Smith is now the ex-CEO of Equifax, announcing his ‘retirement’ after the hearings. Despite there being a clause in Smith’s severance contract saying they have the ‘right’ to withhold his retirement package, that doesn’t seem to have occurred. According to The Hill, he is expected to collect around USD $90 million for his work there, which “adds up to about 63 cents for each customer who was potentially exposed in the company’s data breach”. The SEC filing with details on his severance terms is available if you are curious about the exact details.

The Lawsuits Keep Coming

As expected, more than 30 state law-enforcement authorities have launched investigations into the Equifax breach, as have cities such as San Francisco and Chicago. Also no surprise, another multi-state class action lawsuit has been filed against Equifax. A PACER search as of October 25th turns up 576 lawsuits that pertain to Equifax. Unfortunately it is not immediately clear how many suits are filed by Equifax versus against it, but we’re pretty sure the majority are against.

Additional Details on the Breach

Knowing the initial compromise vector of a breach is pretty rare. Companies tend not to publish precise technical details as to how a breach happened despite that information being of great value to other organizations. As such, any technical information about the attack and how the compromise occurred is welcomed by the Information Security industry. Since the breach became public, more information has come out about the compromise.

In an article covering the breach, Bloomberg reported on some of the signs that suggest it was carried out by a nation-state rather than an individual or a single group:

[..] as the attack escalated over the following months, that first group—known as an entry crew—handed off to a more sophisticated team of hackers. [..]

The handoff to more sophisticated hackers is among the evidence that led some investigators inside Equifax to suspect a nation-state was behind the hack. Many of the tools used were Chinese, and these people say the Equifax breach has the hallmarks of similar intrusions in recent years at giant health insurer Anthem Inc. and the U.S. Office of Personnel Management; both were ultimately attributed to hackers working for Chinese intelligence.

While the current attribution and method of attack doesn’t appear to be disputed, Cory Doctorow wrote an article for BoingBoing that points out another bit of interest:

One thing we can attribute the breach to, though, is bungling. Equifax and Mandiant — its independent security contractor — got into “a squabble” just as the hackers were breaking into Equifax’s systems, and by the time everything had been smoothed over, the attackers had installed 30 web-shells in Equifax’s systems, any one of which would allow attackers to have free run of Equifax’s data.

This tidbit has a healthy dose of irony, as Mandiant is well known for attributing attacks to China. No further details describing the “squabble” have been published, but it is odd to hear that Mandiant’s involvement at Equifax helped create an atmosphere that let the attackers in, and it certainly does not inspire confidence in customers.

Bloomberg also covered one other small detail that didn’t get a lot of attention but is certainly interesting:

Besides amassing data on nearly every American adult, the hackers also sought information on specific people. It’s not clear exactly why, but there are at least two possibilities: They were looking for high-net-worth individuals to defraud, or they wanted the financial details of people with potential intelligence value.

Finally, and while it may not be directly related to Equifax, Chris Nickerson points out that the recent Deloitte breach, or Deloitte’s involvement, may have contributed to the Equifax breach. Since Deloitte is, or was, an auditor for Equifax, it makes you wonder whether information obtained from Deloitte was used in the Equifax attack, or whether low standards and poor auditing practices were a contributing factor.

Perhaps the biggest story to break recently is from Lorenzo Franceschi-Bicchierai at Motherboard, who reported that Equifax had been warned that a vulnerability on one of its sites let a researcher access information on every Equifax customer. Worse, the data was not encrypted, and reaching it required nothing more than a pedestrian web vulnerability known as ‘forced browsing’: requesting pages or records directly by URL that the application never links to, relying on obscurity where an authorization check should be. That was one of many issues the researcher discovered, including some that granted full access to Equifax servers. After the issues were reported to Equifax, it took the company six months to take the vulnerable site down, leaving the information exposed to anyone else who knew the basics of web application testing and poked at the server.
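Forced browsing is worth seeing in code, because the bug is an absence rather than a presence: nothing in the handler is wrong, there is simply no authorization check, and the record IDs are guessable. What follows is an example added to this post. It is not Equifax’s application code and does not reproduce the researcher’s findings; the routes, users, records and the SUPPORT_STAFF role are constructed for illustration. It puts a vulnerable handler next to a hardened one and includes the crude probe a tester would run against either.

```python
"""Forced browsing: a vulnerable handler beside a hardened one, plus a probe.

Example added to this post; not Equifax's code and not the researcher's findings.
All records, users and routes below are constructed sample data.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: consumer records keyed by a sequential ID.
RECORDS: Dict[str, Dict[str, str]] = {
    "1001": {"owner": "alice", "ssn_last4": "1234"},
    "1002": {"owner": "bob", "ssn_last4": "5678"},
    "1003": {"owner": "carol", "ssn_last4": "9012"},
}
SUPPORT_STAFF = {"dana"}   # hypothetical role that may view any record

Response = Tuple[int, Optional[Dict[str, str]]]


class Request:
    """Minimal stand-in for an HTTP request: path plus authenticated principal."""

    def __init__(self, path: str, user: Optional[str] = None):
        self.path = path      # e.g. "/records/1002"
        self.user = user      # authenticated user, or None if anonymous


def record_id_from(path: str) -> Optional[str]:
    """Parse /records/<id>; return None for anything else."""
    parts = path.strip("/").split("/")
    return parts[1] if len(parts) == 2 and parts[0] == "records" else None


def vulnerable_dispatch(req: Request) -> Response:
    """Every record is reachable at /records/<id>.  The only 'protection' is that
    the UI never shows other people's IDs, so guessing the ID is enough."""
    rid = record_id_from(req.path)
    if rid is None or rid not in RECORDS:
        return 404, None
    return 200, RECORDS[rid]


def hardened_dispatch(req: Request) -> Response:
    """Deny by default: authenticate first, then authorize the specific object.
    Records the caller may not see get the same 404 as records that do not
    exist, so a probe cannot enumerate valid IDs from the status code."""
    rid = record_id_from(req.path)
    if rid is None:
        return 404, None
    if req.user is None:
        return 401, None                      # anonymous callers get nothing
    rec = RECORDS.get(rid)
    if rec is None or not (rec["owner"] == req.user or req.user in SUPPORT_STAFF):
        return 404, None                      # missing and forbidden look identical
    return 200, rec


def probe(dispatch: Callable[[Request], Response],
          paths: List[str], user: Optional[str] = None) -> List[str]:
    """Request each candidate path as `user` and return the ones that serve data.
    Run anonymously against your own handlers, this is the cheapest possible
    forced-browsing check; run as a low-privilege user it finds IDOR-style gaps."""
    return [p for p in paths if dispatch(Request(p, user))[0] == 200]


# Sequential IDs make the candidate list trivial to build.
CANDIDATES = [f"/records/{n}" for n in range(1000, 1010)]

if __name__ == "__main__":
    print("anonymous vs vulnerable:", probe(vulnerable_dispatch, CANDIDATES))
    print("anonymous vs hardened:  ", probe(hardened_dispatch, CANDIDATES))
    print("alice vs hardened:      ", probe(hardened_dispatch, CANDIDATES, user="alice"))
```

Against the vulnerable handler the anonymous probe walks straight through all three records; against the hardened one it gets nothing, and alice sees only her own. The two design points that matter are the deny-by-default ordering (authentication, then per-object authorization, before any data is touched) and returning 404 rather than 403 for records the caller is not entitled to, so that the status code itself does not leak which IDs exist.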

Update Roundup

Here is a laundry list of quick updates:

  • Equifax has since updated its estimate of the number of Brits impacted: rather than roughly 400,000 as originally reported, the number appears to be closer to 15.2 million. The tally of Americans affected has also risen by about 2.5 million, to 145.5 million. Additionally, according to Brian Krebs, the leaked information may include salary history.
  • Eric Geller from Politico said that Rob Joyce, Special Assistant to the President and Cybersecurity Coordinator, National Security Council, is considering ways to replace the Social Security Number. That is a hefty challenge of course.
  • Dan Goodin reminds us that both Equifax and Experian are still making it very difficult for consumers to get a simple credit freeze. On a more positive note, Bloomberg reports that the new Equifax CEO, Paulino do Rego Barros Jr., will offer free credit locks for life. Consumers should also look at their state laws. For example, Twitter user Lucky225 pointed out to us that the Colorado Revised Statutes have a section (5-18-112) stating that “A consumer reporting agency may not charge a fee for a consumer’s first request to place a security freeze on his or her consumer report.”
  • On August 8, CIO Magazine’s Amy Bennett named Equifax Chief Information Officer (CIO) Dave Webb as one of the top 100 CIOs of 2017 for “delivering better business results”.
  • In the “never let them live this down” department, a job posting on Twitter for a Senior Application Security Engineer listed one amusing and much-debated requirement: “Undergraduate degree or equivalent; music composition degree preferred.” Of course, Equifax’s social media team still hasn’t scrubbed some of its own tweets from the day of the breach announcement, keeping the irony alive.
  • For those still looking for ways to protect themselves from the breach, make sure you read the fine print! According to the LA Times, LifeLock is offering to protect you… by selling you their service provided by Equifax.

Here are a few updates related to the stock price of Equifax, a follow-up aspect of breaches many are interested in:

  • On September 22, an analyst at Wells Fargo upgraded Equifax from “Market Perform” to “Outperform”, following a 31% drop in share price since the first breach announcement. The upgrade was based on “an attractive entry point for this high-quality consumer credit franchise.” While that may be attractive to those who trade stocks, we assume consumers would like to go a few days without seeing how people are profiting off the breach, Equifax included, while the average consumer suffers.
  • Despite the Wells Fargo upgrade, just two days later Equifax shares fell another 2% after the new executive chairman of the board was announced. More curious is that the 2% drop prompted a halt in trading of Equifax shares, despite the stock already being down 25% since disclosure of the breach. There was no indication of who halted trading or why.
  • As we have seen historically with many breaches, the initial stock value of the breached entity tends to take a significant hit shortly after the announcement. But in time, often in a matter of months, stock prices tend to slowly climb back to the original price, sometimes higher. Looking at a 3-month snapshot of Equifax, that pattern seems to be emerging.

We will keep tracking the Equifax breach as who knows what new twists and turns await us! But for the most part we don’t expect additional frequent updates at this point.