An Equifax Equihax Timeline

Stephen
Sep 14, 2017

We’ve recently learned that the Equifax breach, which ran from May through July, exploited a known Apache Struts bug that had been patched in March. Using Equifax’s investor press releases, we can see what they were up to over the period when they should have been fixing this bug. In addition, let’s look at what they were doing during the period in which they should have disclosed it to the millions of people whose personally identifiable information (PII) they irresponsibly handled. All dates are 2017 unless otherwise noted.

April 17, 2016 through March 29, 2017: As reported by NPR in May of 2017, through an Equifax subsidiary called TALX, hackers were able to “reset the 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering personal questions.”

April 27th, 2016: Grocery store chain Kroger learned that hackers accessed W-2 forms as a result of a security vulnerability in an Equifax subsidiary’s website.

May 24th, 2016: A store manager at an Atlanta, Georgia Kroger filed a federal lawsuit against Equifax and its subsidiary. The plaintiff dismissed the suit himself 16 days later.

March 9th: The CVE-2017-5638 vulnerability is responsibly patched and disclosed by Apache.

March 9th: Equifax “disrupts the global market” with Ignite(TM), an “analytics powerhouse” application. We can deduce that Equifax paid the salaries of developers to create this. This is evidence that, for the leadership at the company, new product development took priority over patching known security vulnerabilities.

March 10th: The security firm Equifax hired to investigate the hack told the WSJ on September 20th that the first evidence they found of hackers working to exploit the Struts vulnerability came the day after the Struts project disclosed it. Working over the course of about two months, the hackers escalated their privileges until they were finally able to gain access to millions of people’s PII by May-June.

May 3rd: Equifax releases a new software product, the BusinessConnect for Marketing module, which allows marketing people to “leverage a rich and comprehensive customer and prospect picture.”

If we were to assume Equifax uses two-week agile sprints, this release was about two sprints after the original Struts vulnerability disclosure. Since then, some Equifax developers have been working on new releases and new features rather than patching known vulnerabilities.

As a side note, I’d like to bring up the fact that the practice Equifax has of providing analytics related to the behaviors of the people whose information they possess is ethically questionable. The only way to opt out of Equifax having your information is to not participate in credit culture, a cornerstone of Western economies. Yet, they sell insights about the behavior patterns of their unconsenting customers or “product” at a high price.

Mid-May to July: Hackers exploited the known Apache Struts vulnerability and stole PII from as many as 143 million Americans. If Equifax had been properly maintaining their web framework and patching known vulnerabilities, this could have been avoided.

June 16th: Equifax announces they will be acquiring Watchdog, an identity protection and resolution company.

July 29th: Equifax discovers they are responsible for the leak of 143 million Americans’ PII. “The company said that it discovered the intrusion… and has since found no evidence of unauthorized activity on its main consumer or commercial credit reporting databases.” — NYTimes

August 1st: Equifax appoints a new Chief Marketing Officer.

August 1st, also: “Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099.” They “had no knowledge that an intrusion had occurred at the time” according to an Equifax spokesperson. The sales represented 13% and 9% of Gamble’s and Loughran’s shares respectively. — Bloomberg

August 2nd: “Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock” representing 4% of his shares. — Bloomberg

August 4th: Equifax Board of Directors declares a quarterly dividend of $0.39 per share, in keeping with their usual practice.

August 10th: Equifax finalizes deal and acquires Watchdog.

August 16th: Equifax unveils another product that, we can deduce, they paid developers to produce instead of patching known vulnerabilities.

August 23rd: Equifax partners with FIS to offer an identity protection product which they provide for a fee.

August 30th: Equifax leadership meets with the British ambassador “to discuss opportunities”.

September 7th: On the day Equifax announced the security breach it had known about for over a month, a congressman from Georgia introduced a bill (“The FCRA Liability Harmonization Act” (H.R. 2359)) at a House of Representatives Financial Services Committee meeting that would limit damages in class action lawsuits filed under the Fair Credit Reporting Act. Equifax has spent at least $1.6 million in the last two years lobbying for protection against class action lawsuits. Equifax announced the security incident only after that meeting, at which a bill protecting Equifax against class action lawsuits was introduced, had been held.

September 7th: Equifax finally announces the security incident. Their stock value falls 13% that first day.

September 7th: Equifax releases a brand new website www.equifaxsecurity2017.com for the people who never consented to Equifax storing their PII to determine if their information was leaked.

OpenDNS identified the site as a possible phishing threat and was blocking access to the site for a time. Through this site, Equifax is marketing their identity protection service with a one-year free trial. However, agreeing to their terms means waiving your right to sue the company for their negligence.

September 13th: KrebsOnSecurity reported that Hold Security, a Milwaukee-based security company, was analyzing Equifax’s South American operations for vulnerabilities and discovered that the employee portal of the Equifax Argentina operation allowed access with the username/password combination of “admin/admin.” Once logged in, the admin user had access to the names, email addresses, and employee IDs of over 100 Equifax Argentina employees.

Equifax’s stock is down 30% since the initial disclosure.

September 14th: The Federal Trade Commission (FTC) announces it is investigating the Equifax hack.

September 15th: U.S. Senator Elizabeth Warren announces she has begun an investigation into the Equifax breach. At the same time, she and 11 other senators introduced a bill which would allow consumers to freeze their credit for free. It currently costs between $3 and $10 to freeze your credit.

September 15th: Equifax’s Chief Information Officer and Chief Security Officer announce they are “retiring” (note: not resigning) from their positions effective immediately, to be replaced by the head of Equifax International IT and an Equifax VP of IT respectively. At the end of the business day Friday, Equifax shares were down 35% from the original disclosure.

September 15th: As many as 400,000 Britons were affected by the Equifax leaks, approximately 0.8% of the adult population of the UK.

September 18th: New York Governor Andrew Cuomo says he plans “to require all credit-reporting agencies to register with the state and comply with its cyber-security rules” in a response to the Equifax incident.

September 19th: Equifax Canada announces that it estimates around 100,000 Canadians were affected in the breach, approximately 0.4% of the adult population of Canada.

September 20th: Nathan Taylor, a cybersecurity lawyer with Morrison Foerster LLP in Washington, estimates that a class action lawsuit payout of $200 million is plausible given precedent. After lawyers’ fees, that works out to about $1 per person affected by the breach. In other words, a great deal for Equifax.

September 20th: The official Equifax Twitter account directed a user to a fake Equifax page. In a now-deleted tweet, they wrote “Hi! For more information about the product and enrollment, please visit: securityequifax2017.com.” A security researcher created securityequifax2017.com “to demonstrate how easy it is to confuse a legitimate name with a bogus one.” The actual website is equifaxsecurity2017.com. It seems that even the official Twitter account of Equifax can be fooled by the company’s questionable act of creating a new domain to address the security incident. It was later revealed that the Twitter account directed users to the fake site at least nine times over two weeks.
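The mix-up above is easy to catch mechanically before a link is ever posted from an official account. What follows is an added example, not Equifax’s code and not anything the researcher published: it takes the one legitimate domain, the words the owner knows it is built from (equifax, security, 2017, an assumed configuration, since “equifaxsecurity” cannot be split mechanically), and classifies a link as the exact domain, a rearrangement of the same words (the securityequifax2017.com case), a near-typo, or unrelated. It assumes the last label of a hostname is the TLD, so multi-part suffixes such as .co.uk and punycode names are out of scope. Apart from the two domains named in the text, the sample links are constructed.

```python
# Added example (not Equifax's code): classify a link's registrable domain against
# the one legitimate domain before it goes out in a customer-facing message.
# Assumption: the last hostname label is the TLD, so the registrable domain is the
# last two labels; .co.uk-style suffixes and IDN/punycode names are out of scope.
import re
from urllib.parse import urlsplit

LEGIT_DOMAIN = "equifaxsecurity2017.com"
# The words the legitimate name is built from. This is owner-supplied configuration
# (assumed here): "equifaxsecurity" cannot be split into words mechanically.
LEGIT_TOKENS = ("equifax", "security", "2017")


def registrable_domain(link):
    """'https://www.equifaxsecurity2017.com/x' -> 'equifaxsecurity2017.com'.
    A bare host without a scheme is accepted too; urlsplit lowercases the host."""
    if "://" not in link and not link.startswith("//"):
        link = "//" + link
    host = urlsplit(link).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:])


def is_rearrangement(text, tokens):
    """True if text is exactly some ordering of tokens concatenated (backtracking)."""
    if not text:
        return not tokens
    for i, tok in enumerate(tokens):
        rest = tokens[:i] + tokens[i + 1:]
        if text.startswith(tok) and is_rearrangement(text[len(tok):], rest):
            return True
    return False


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(link, legit_domain=LEGIT_DOMAIN, legit_tokens=LEGIT_TOKENS,
             max_typo_distance=2):
    """Return 'exact', 'same-tokens', 'near-typo', or None for an unrelated domain.
    'same-tokens': the label is the legitimate words reordered or re-separated
    (hyphens, dots) under the same TLD, the confusion the article describes.
    'near-typo': within a small edit distance of the whole registrable domain,
    which also catches a changed TLD such as .co for .com."""
    cand = registrable_domain(link)
    if cand == legit_domain:
        return "exact"
    cand_label, _, cand_tld = cand.rpartition(".")
    _, _, legit_tld = legit_domain.rpartition(".")
    stripped = re.sub(r"[^a-z0-9]", "", cand_label)
    if cand_tld == legit_tld and is_rearrangement(stripped, tuple(legit_tokens)):
        return "same-tokens"
    if levenshtein(cand, legit_domain) <= max_typo_distance:
        return "near-typo"
    return None


# Constructed sample links; only the first two domains are the ones named in the text.
SAMPLE_LINKS = [
    "https://www.equifaxsecurity2017.com/",
    "securityequifax2017.com",
    "https://equifax-security-2017.com/enroll",
    "equifaxsecurity2O17.com",
    "equifaxsecurity2017.co",
    "https://example.com/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link:45} -> {classify(link)}")
```

Anything other than “exact” is a reason to hold the message for a human; the point is that the check runs on the sending side, where the organization knows its own domain, rather than relying on whoever is staffing the account to spot a transposition.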

September 21st: Equifax stock value is down 31%, to 98.29 from 142.72 on September 7th, before they announced #Equihax.

Looking at Equifax’s press releases from after this Struts vulnerability was patched, it’s obvious that the company has prioritized new product and feature development above what we developers call “technical debt.”

To be clear, the responsibility for addressing these issues is shared in a large organization. First, it’s crucial that developers identify these issues and surface them. If leadership does not feel it’s a priority, it’s up to developers to continually emphasize the importance of patching vulnerabilities when they’re critical, as in this case.
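That first step, surfacing the issue, can be automated so it does not depend on anyone remembering to read the advisory. Here is an added example, not Equifax’s or Apache’s code: a small scanner that reads a Maven pom.xml and flags org.apache.struts artifacts whose version falls inside the ranges affected by CVE-2017-5638, resolving ${...} version properties and reporting an unresolved one as unknown rather than clean. The affected ranges it uses (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1) are an assumption to verify against Apache’s advisory for this CVE, and the sample POM is constructed.

```python
# Added example (not Equifax's or Apache's code): flag Apache Struts 2 dependencies
# whose version falls in the ranges affected by CVE-2017-5638, so a build or CI job
# surfaces the problem the day the advisory lands rather than months later.
# Assumption to verify against Apache's advisory: affected versions are
# 2.3.5 through 2.3.31 and 2.5 through 2.5.10 (fixed in 2.3.32 and 2.5.10.1).
import itertools
import xml.etree.ElementTree as ET

# Inclusive (low, high) version bounds of the affected ranges (assumed, see above).
AFFECTED_RANGES = (((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10)))


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1). Parsing stops at the first non-numeric part,
    so '2.3.30-SNAPSHOT' -> (2, 3, 30) and an unresolved '${struts.version}' -> ()."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(version):
    """True if the version lies inside any affected range. Tuple comparison treats
    a shorter prefix as smaller, so (2, 5) <= (2, 5, 0) and (2, 5, 10, 1) > (2, 5, 10),
    which is exactly the ordering Maven-style versions need here."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def scan_pom(pom_xml):
    """Return one finding per org.apache.struts dependency in a Maven pom.xml.
    'affected' is None when the version could not be resolved (e.g. a property
    defined only in a parent POM); a CI job should treat that as 'go and look'."""
    root = ET.fromstring(pom_xml)
    # Maven POMs normally carry a default namespace; derive the prefix from the root tag.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    props_el = root.find(ns + "properties")
    props = {} if props_el is None else {
        p.tag[len(ns):]: (p.text or "").strip() for p in props_el}
    findings = []
    for dep in root.iter(ns + "dependency"):
        if dep.findtext(ns + "groupId", "").strip() != "org.apache.struts":
            continue
        version = dep.findtext(ns + "version", "").strip()
        if version.startswith("${") and version.endswith("}"):
            version = props.get(version[2:-1], version)  # resolve ${struts.version}
        findings.append({
            "artifact": dep.findtext(ns + "artifactId", "").strip(),
            "version": version,
            "affected": is_affected(version) if parse_version(version) else None,
        })
    return findings


# Constructed sample POM (not from any real project): the core artifact is pinned
# through a property to an affected release, a plugin to a fixed one.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <struts.version>2.3.30</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-json-plugin</artifactId>
      <version>2.5.10.1</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for f in scan_pom(SAMPLE_POM):
        print(f"{f['artifact']:22} {f['version']:10} affected={f['affected']}")
```

Run against every pom.xml in the build and fail the job when any finding has affected set to True or None; the failing build is what forces the conversation with leadership that the paragraph above calls for, instead of leaving it to a developer to keep raising it in meetings.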

For product people, it can be extremely painful to allow developers to spend their hours on maintenance of existing products rather than developing new products. When developers spend time on existing products, it does not drive any new revenue. The approach of de-emphasizing software maintenance is common in the industry, so Equifax is in no way an outlier in that respect. The issue, instead, is in the responsibility that Equifax has beyond what the average company has.

The vast majority of people whose PII was leaked here at no point consented to Equifax storing their information. That puts an extraordinary responsibility on their team of product managers and developers to safeguard that information. Maintaining frameworks is not easy, but when you have an extraordinary responsibility, you must go to extraordinary lengths to meet due diligence. Equifax failed in this respect, and should be held accountable for that.

It now falls to the public to make sure this hack isn’t repeated. That means learning about what happened, telling legislators this is an issue we care about, and not letting the next news cycle push this issue from our collective attention. So after monitoring our credit reports and changing all our passwords for the nth time this year, not letting this become just another in a long string of hacks is now one more task that falls to the public. If Equifax’s response to this major security event is any indication, large corporations have determined that the risk a major breach poses to them is small (think Yahoo). In order to protect our PII, we need to finally show them that’s not the case.

Note: I will continue adding information to this article as new developments arise.
