Senior officials at many organizations are able to escape the fallout from data breaches, at least publicly. However, when the breach reaches a certain size some firms have to show the public they’re taking the catastrophe seriously.
That appears to be the case at Equifax, which announced at the close of last week that chief security officer Susan Mauldin and chief information officer David Webb have retired. Mark Rohrwasser, who has led the credit scoring company’s international IT operations, is now interim CIO, and Russ Ayres, who was vice-president of IT, is now the interim CSO reporting to Rohrwasser.
The change comes after Equifax admitted that a threat actor had exploited an unpatched Apache Struts vulnerability (CVE-2017-5638) on one of its servers in May to gain access to personal data of more than 143 million consumers. Most of them are Americans. However, the U.K. division of the company says data on 400,000 of its customers may have been exposed.
Struts is a free open-source framework used for creating Java web applications.
In its Sept. 15 statement Equifax says its security team knew about the vulnerability when it was disclosed in early March by U.S. CERT (Computer Emergency Response Team) and “took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.”
Equifax says its investigation is still ongoing, but for reasons it has not explained, at least one of the company’s servers wasn’t fixed.
Meanwhile officials of Equifax Canada are still keeping mum on the number of Canadians whose data may have been exposed. According to CBC News, as a precaution the Canadian Automobile Association (CAA) is notifying 10,000 Canadian members that the breach may involve their data. That’s because it partnered with Equifax for the CAA’s identity protection program, and those who signed up for it would have had their personal data stored in the U.S.
The CAA deal with Equifax expired July 1, but by then it is believed the breach had already started.
One expert quoted by Global News also noted that Canadians who might have been affected live and work in the U.S. They might have had their credit history pulled in Canada for various reasons, such as when applying for a U.S. credit card, or by a potential employer or landlord.
The admission that the attack vector was an unpatched Apache Struts vulnerability first made public through a fix in March — and Equifax figures the attack began in May — further highlights that holes and patches for Web applications and their related infrastructure have to be watched by info sec pros. In a quarterly report last week Positive Technologies, which makes an application firewall, says customer data shows cross-site scripting accounted for just over 39 per cent of application attacks in Q2, with SQL injection attacks adding another 24.9 per cent.
The report includes a brief description and screenshot of the Apache Struts vulnerability Equifax fell victim to. It allows attackers to execute arbitrary code on a server by changing the Content-Type HTTP header.
“After vulnerabilities have been detected and made public, many web applications remain vulnerable due to failure to stay up to date with system updates and patches,” the vendor says. “Attackers are quick to make use of newly published vulnerabilities, weaponizing them within days.”
In its updated timeline of the attack Equifax says that on July 29 its security team saw suspicious network traffic associated with its U.S. online dispute portal web application. That traffic was blocked, but when the suspicious activity continued July 30 the affected web application was taken offline. After investigating, the vulnerability in the Apache Struts web application framework was found.
A forensic firm was called in for detailed analysis. On Sept. 7 Equifax announced there had been a breach and there would be a support package for affected customers, including free credit monitoring and identity theft insurance.
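The two points above, that the Struts flaw is triggered through a malformed Content-Type header and that the first sign of the intrusion was suspicious traffic to a web application, suggest one detection a defender can run over web server logs: a legitimate Content-Type is always a media type of the form type/subtype with optional parameters, so any request whose Content-Type fails that grammar, or contains expression-language openers, deserves an alert. The script below is an added example and is not code from Equifax, Positive Technologies or the Apache Struts project. It assumes an access-log format that records the client-supplied Content-Type in a ct="..." field (an assumption; most servers need a custom log format to capture request headers), and the sample lines are constructed, with placeholder expressions rather than any working payload.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log lines (not from Equifax or the report).  The
# assumed format is a common access-log line followed by ct="..." holding
# the Content-Type header the client sent.  The two odd values below are
# placeholders standing in for an injected expression, not real payloads.
SAMPLE_LOGS = [
    '10.0.0.5 - - [29/Jul/2017:03:14:07 +0000] "POST /dispute/upload.action HTTP/1.1" 200 512 '
    'ct="multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"',
    '10.0.0.9 - - [29/Jul/2017:03:15:11 +0000] "POST /dispute/upload.action HTTP/1.1" 200 1024 '
    'ct="%{placeholder_expression}"',
    '10.0.0.9 - - [29/Jul/2017:03:15:12 +0000] "GET /dispute/status.action HTTP/1.1" 200 230 '
    'ct="application/x-www-form-urlencoded"',
    '10.0.0.12 - - [30/Jul/2017:11:02:44 +0000] "POST /dispute/upload.action HTTP/1.1" 500 77 '
    'ct="${placeholder_expression}"',
]

# Parser for the assumed log format: ip, timestamp, method, path, status, ct.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'ct="(?P<ct>[^"]*)"$'
)

# A well-formed Content-Type: type/subtype, then optional ";name=value" parameters.
MEDIA_TYPE_RE = re.compile(r"[\w.+-]+/[\w.+-]+(?:\s*;\s*[\w.+-]+=[^;\s]*)*\s*")

# Expression-language openers that never appear in a legitimate media type.
EXPRESSION_OPENERS = ("%{", "${")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def content_type_reason(ct: str) -> Optional[str]:
    """Return why a Content-Type value is suspicious, or None if it looks normal."""
    if any(opener in ct for opener in EXPRESSION_OPENERS):
        return "expression syntax in Content-Type"
    if not MEDIA_TYPE_RE.fullmatch(ct):
        return "malformed Content-Type"
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Flag every parseable request whose Content-Type header is suspicious."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skipped here, worth its own alert in production
        reason = content_type_reason(rec["ct"])
        if reason:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                             "status": rec["status"], "reason": reason})
    return findings


def sources_by_count(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per source address so repeat offenders stand out."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS)
    for f in hits:
        print(f"{f['ts']} {f['ip']} {f['path']} {f['status']} -> {f['reason']}")
    print(sources_by_count(hits))
```

Run over the constructed sample, the scan flags the two requests with placeholder expressions and leaves the ordinary multipart upload and form post alone. The check is deliberately a grammar test rather than a signature for one payload, so it also catches other garbage in the header; the cost is that a genuinely broken client would be flagged too, which is the right trade for a header that should never vary this way.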
At least one expert has come to the defence of the company. In an interview with SecurityWeek, Jeff Williams, co-founder and CTO at Contrast Security, said what Struts users have to do is not a simple patch. What Equifax (and others) would have had to do is replace the vulnerable Struts library with the latest one, he said. “Because this flaw has been in the Struts library for many years, there have been many other changes. That means that Equifax would have had significant rewriting to do in order to update. The process of rewriting, retesting, and redeploying can take months.”
On the other hand Williams said it is “outrageous” that companies haven’t deployed the technologies to protect applications from vulnerabilities during development and from attacks in operations.
The attack is far from being buried. In the U.S. Congress the House Committee on Science, Space, and Technology, and the House Committee on Oversight and Government Reform are going to investigate. Equifax CEO Richard Smith will testify before a House panel on Oct. 3. There is also a probe underway by the Federal Trade Commission.
In Canada the federal privacy commissioner’s office is also looking into the breach.