Equifax executives step down

Equifax, the credit reporting agency, said Friday that its chief information officer and chief security officer were retiring “effective immediately.” The announcement came one week after the company revealed that a cyberattack potentially compromised confidential information of 143 million Americans. On Friday, the company also provided further details about when it had discovered the breach and which part of its website had been targeted by hackers. But many details about the breach, who was behind it and the computer security defenses at Equifax are still unclear.

What We Know

• Hackers exploited a vulnerability in website software. They gained access to certain files containing names, Social Security numbers, birth dates, addresses and driver’s license numbers. Equifax also said the thieves lifted credit card numbers for about 209,000 consumers. The company on Friday disclosed that around 400,000 British consumers may have also been affected.

• The breach was open from mid-May to July 29. That was when Equifax first detected it. The company said it had immediately worked to stop the intrusion, and the following week engaged Mandiant, an independent cybersecurity firm, to oversee an investigation into the scope and causes of the breach.

• Equifax is making personnel changes following the breach. On Friday, Equifax said its chief information officer, Susan Mauldin, and its chief security officer, David Webb, were retiring. The company said the changes were “effective immediately.”

• The breach involved the company’s web page for disputes. The company said the breach occurred in a public website application where consumers could dispute the accuracy of credit information collected by the company. The company said it noticed suspicious traffic to the application on July 29 and took the application offline the next day. It then patched the vulnerability in the application and put the application back online.

Continue reading the main story
Advertisement

Continue reading the main story
• The hack involved a known vulnerability in software used by Equifax. The New York Post first reported that hackers had exploited a vulnerability in Apache Struts, a kind of open-source software that companies like Equifax use to build websites.

On Thursday, Equifax confirmed that the breach involved a bug in Apache Struts, and identified the specific vulnerability. This security weakness was publicly identified in March and a patch to fix it had been available since then.

The rules for commercial use of open-source software can vary. Generally speaking, open-source software is built collaboratively by developers inside companies, academia and even hobbyists, and is available for free or at a low cost. Different types of Apache software are widely used all over the world.

What We Don’t Know

• It is not clear why the company’s security methods failed to stop the attack. Equifax said that it was aware of the vulnerability two months earlier and worked to patch the bug then. It is not clear why this patch was unsuccessful, and the company said that it may release additional information as its investigation into the incident continues.

Avivah Litan, a security analyst with the research firm Gartner, said that the bug alone was not to blame. “You have to have layered security controls,” Ms. Litan said. “You have to assume that your prevention methods are going to fail.”
• The perpetrators of the Equifax breach have not been identified. A group of hackers calling themselves the “PastHole Hacking Team” has claimed responsibility, and threatened to release the data if their ransom demand of 600 Bitcoin — roughly $2.5 million — was not met. In posts and communications with security researchers, members of the team claimed they were able to garner far more data than they expected when they targeted Equifax.

• That doesn’t mean this group of hackers was really responsible. Intelligence officials and security analysts in private industry said that while it is far too early to say definitively who breached Equifax, the leading theory is that the company was hit by a nation-state or hackers operating on a nation-state’s behalf. They point to the sheer scale of theft, which most likely would have required a heightened degree of sophistication to pull off without being detected.

Other security experts said it would be smart to consider motivation and intent. “Are cybercriminals going to try and sell circa 150 million records in dark web auctions? That’s nearly half the population of the United States,” said Thomas Boyden, president of GRA Quantum, a company that specialized in cyberattack incident response. “Are there standard cybercriminals out there with the purchasing power for that type of data?”

Still, the detailed personal and financial information collected by a company like Equifax can be resold on the so-called Deep Web. It is much more valuable than credit card numbers, because it has a longer life span and can be used to access all kinds of other information, like bank accounts, loan details and medical records.

• Have these hackers struck before? Mr. Boyden and others said that the breach had many parallels with previous breaches of personal information by nation-states and their contractors. Such government-affiliated hackers compile giant databases of stolen information to see if there is material that can be used for espionage or perhaps even blackmail. Using data-sifting technologies, they comb through massive collections of information to find useful material.

Source: AFP