There is something we can learn from the Equifax hack that was reported on 7th September 2017.
Equifax, headquartered in Atlanta, Ga., USA, is a global information solutions provider which works with data related to 820 million consumers and 91 million businesses worldwide. Yes, they have a presence in India too, since 2010. Equifax India is registered as Equifax Credit Information Services Private Limited (ECIS). It is a joint venture between Equifax Inc., USA and seven leading Indian financial institutions: State Bank of India, Bank of Baroda, Bank of India, Kotak Mahindra Prime Limited, Religare Finvest Limited, Sundaram Finance Limited and Union Bank of India.
Equifax's security team blocked suspicious network traffic that they observed associated with its U.S. online dispute portal web application and continued monitoring the network.
The security team observed more suspicious activity; in response, the company took the web application offline and continued its internal review of the incident.
They discovered that the web application had a vulnerability in the Apache Struts web application framework, which was the initial attack vector. They patched the affected web application and brought it back online. The Apache Struts vulnerability is tracked as CVE-2017-5638.
Mandiant, a cybersecurity firm, was engaged to assist in conducting a forensic review of the impact.
After Mandiant had analyzed the available forensic data for weeks, it was identified that the incident potentially impacted personal information relating to 143 million U.S. consumers: primarily names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers.
Additionally, data like credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.
Equifax also identified unauthorized access to limited personal information for certain U.K. and Canadian residents and is working with regulators in those countries.
As silly as it might sound, the Equifax IT team failed to apply the security patch for the Apache Struts MVC framework that The Apache Software Foundation had released as early as 07-03-2017.
Apache Struts is a framework for developing Java-based web applications, used on both front-end and back-end web servers. It is relied on heavily by banks, government agencies, large Internet companies and Fortune 500 companies.
They failed to apply the patch for more than two months. This led to what is now termed the worst data breach in history, giving away personal information of as many as 143 million US consumers.
Reports also suggest that the attack might have started as early as 10th March 2017.
For an organization that had implemented some of the strictest policies and processes for its Information Security Management System, the failure was most likely in the process, which allowed its production system to go months without patching.
Certainly an organization which deals with such sensitive data should have a process and procedure in place to apply patches within days of availability, and during that window it should keep a strict vigil on the traffic to the application and on anomalies in that traffic.
Certainly it is not Apache Struts that is to be blamed: the flaw in the Apache Struts framework was fixed on March 6 2017.
Certainly this could have been prevented.
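The process point above (patch within days, and know how far behind you are) can be turned into an automated check. The following is an added example, not code from the original post or from Equifax: it scans a constructed Maven manifest for Apache Struts dependencies, flags versions below the fixed releases named in the Struts advisory for CVE-2017-5638 (2.3.32 for the 2.3.x line, 2.5.10.1 for the 2.5.x line), and reports how many days the deployment has been past the fix date against an assumed seven-day SLA. The sample pom.xml, the SLA value and the function names are assumptions for illustration.

```python
"""Patch-lag audit for Apache Struts dependencies (added example)."""
from datetime import date
import re
import xml.etree.ElementTree as ET

# Fixed releases for CVE-2017-5638 per the Apache Struts advisory (S2-045):
# the 2.3.x line was fixed in 2.3.32, the 2.5.x line in 2.5.10.1.
FIXED_VERSIONS = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}
PATCH_AVAILABLE = date(2017, 3, 6)   # fix release date as stated in the post
PATCH_SLA_DAYS = 7                   # assumed policy: critical CVEs patched within a week

# Constructed sample manifest for illustration; not any real organization's build file.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.31</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>2.5.10.1</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
    </dependency>
  </dependencies>
</project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1) so tuples compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_vulnerable(version):
    """True if this Struts version is below the fixed release for its branch."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return False          # branches not covered by the advisory
    if v[:2] == (2, 3) and v < (2, 3, 5):
        return False          # 2.3.x earlier than 2.3.5 is not listed as affected
    return v < fixed


def struts_dependencies(pom_xml):
    """Yield (artifactId, version) for every org.apache.struts dependency."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.findall(".//m:dependency", NS):
        if dep.findtext("m:groupId", default="", namespaces=NS) != "org.apache.struts":
            continue
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS)
        version = dep.findtext("m:version", default="", namespaces=NS)
        found.append((artifact, version))
    return found


def patch_lag_days(check_date):
    """Days elapsed since the fix became available."""
    return (check_date - PATCH_AVAILABLE).days


def audit(pom_xml, check_date):
    """Return one finding per vulnerable Struts artifact, with SLA status."""
    findings = []
    for artifact, version in struts_dependencies(pom_xml):
        if is_vulnerable(version):
            lag = patch_lag_days(check_date)
            findings.append({
                "artifact": artifact,
                "version": version,
                "fixed_in": ".".join(map(str, FIXED_VERSIONS[parse_version(version)[:2]])),
                "days_since_fix": lag,
                "sla_breached": lag > PATCH_SLA_DAYS,
            })
    return findings


if __name__ == "__main__":
    # Check as of a date roughly two months after the fix, as in the post's timeline.
    for f in audit(SAMPLE_POM, date(2017, 5, 13)):
        print(f"{f['artifact']} {f['version']} -> fixed in {f['fixed_in']}; "
              f"{f['days_since_fix']} days since fix; SLA breached: {f['sla_breached']}")
```

Run against a real manifest, the same logic belongs in CI so that a build fails, rather than a report being filed, once a dependency has been vulnerable longer than the SLA allows.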
Lesson for us
Don't overlook, or even underestimate, the need for patching vulnerabilities.
Just email us at firstname.lastname@example.org if you need our assistance in assessing your information security needs or posture. We will be glad to help you, as always.