Equifax’s Failure to Apply Security Patches Enabled Massive Hack


Last week, a massive hack of the credit bureau Equifax stole critical personally identifiable information (PII) on 143 million US citizens. The company’s response to the incident has been strongly criticized, and now we know the incompetence isn’t limited to the customer-facing sections of the company. The flaws that allowed hackers to penetrate Equifax and steal its customer data were patched several months ago.

The flaw in question is within Apache Struts and is identified as CVE-2017-5638. It’s described as a flaw in file upload handling, which “allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.”
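As an added example, not taken from the article, here is a small Python check a defender could run over parsed web-server requests to flag Content-Type headers that carry OGNL expression syntax instead of a plain media type, which is the shape of the CVE-2017-5638 request. The marker list, the media-type regex and the sample requests are assumptions constructed for this example.

```python
import re
from typing import Dict, List, Optional

# CVE-2017-5638 was triggered through the multipart Content-Type header, so a
# defender can flag any value that carries OGNL expression syntax instead of a
# plain media type. The markers below are assumptions for this example, not a
# vendor signature list; "#cmd=" is the token quoted in the CVE description.
OGNL_MARKERS = ("%{", "${", "#cmd", "#context", "@ognl", "ognl.")

# A well-formed Content-Type: type "/" subtype, then optional ";name=value"
# parameters (quoted or bare). Anything else is treated as malformed.
MEDIA_TYPE_RE = re.compile(
    r'^[\w.+-]+/[\w.+-]+(\s*;\s*[\w-]+=("[^"]*"|[^;\s]+))*\s*$'
)

def content_type_is_suspicious(value: str) -> Optional[str]:
    """Return a reason string if the header looks like an injection attempt,
    or None if it parses as an ordinary media type."""
    lowered = value.lower()
    for marker in OGNL_MARKERS:
        if marker in lowered:
            return f"contains OGNL marker {marker!r}"
    if not MEDIA_TYPE_RE.match(value):
        return "not a well-formed media type"
    return None

def scan_requests(requests: List[Dict[str, str]]) -> List[str]:
    """Apply the check to parsed requests; one finding line per suspicious hit."""
    findings = []
    for req in requests:
        reason = content_type_is_suspicious(req.get("content_type", ""))
        if reason:
            findings.append(f"{req['client']} {req['path']}: {reason}")
    return findings

# Constructed sample requests, not real traffic. The third value mimics the
# shape of the CVE-2017-5638 header with the expression body redacted.
SAMPLE_REQUESTS = [
    {"client": "203.0.113.10", "path": "/upload", "content_type": "multipart/form-data; boundary=----ExampleBoundary42"},
    {"client": "203.0.113.11", "path": "/api", "content_type": "application/json; charset=utf-8"},
    {"client": "198.51.100.7", "path": "/upload", "content_type": "%{#cmd=REDACTED}"},
    {"client": "198.51.100.8", "path": "/upload", "content_type": 'multipart/form-data; boundary="x" ; garbage'},
]

if __name__ == "__main__":
    for line in scan_requests(SAMPLE_REQUESTS):
        print(line)
```

A check like this belongs at the reverse proxy or in log review as a compensating control while the patch is rolled out; it does not replace upgrading Struts.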

This flaw was fixed on March 6, 2017. It was already under heavy attack by March 9 and Ars Technica reports it was still being exploited on March 11. Equifax was penetrated in mid-May, meaning the company waited more than two months to apply mission-critical patches that were ranked at the highest degree of severity and reported in multiple security publications and notices. This isn’t some minor issue that got swept under the rug by a vendor and happened to bite a company. It’s a further demonstration of lax security practices and incompetence at a company that contains more critical personal data on US citizens than likely any other.

There’s a reason I say that. It’s true that access to a Facebook account might tell you much more about a person than their credit history, but a person’s Facebook profile doesn’t contain data that governs their entire modern life. If I know your social security number, address, and date of birth, I know far more than I need to know to steal your identity. Your driver’s license number (some of these leaked as well) is icing on the cake.

Thanks to Equifax, everyone’s data is out there forever, in one handy and convenient bundle. That matters, too, because most thieves aren’t interested in trying to assemble enough information on any single person to steal their identity (unless you’ve got a lot of determined enemies, anyway). But sell them that information in an all-in-one package, and hey, people will use it.

The FTC is Investigating

The FTC has announced that it’s looking into the hack and may open an investigation into Equifax. “The FTC typically does not comment on ongoing investigations,” spokesman Peter Kaplan told Reuters. “However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach.”

There’s no word yet on what action the FTC might take, or what the penalties could be for Equifax’s cataclysmic losses. Given that most of the US adult population is now at permanently increased risk of data theft or account hijacking, the usual “placate them with an identity monitoring service” shtick isn’t going to cut it. Equifax has taken heavy fire in recent days for multiple aspects of its response, and that’s not going to stop any time soon.


ExtremeTech
