• Jim Finnerty

How and Why the Equifax Breach Happened

In May of 2017, an unpatched software flaw on Equifax’s computer system allowed hackers to access plain-text information on nearly 150 million users. The records breached included names, dates of birth, social security numbers, addresses, and drivers license numbers.

Equifax’s shares dropped 13% the day after the details of the breach were made public. Since then, they’ve faced hundreds of personal lawsuits as well as a $425 million FTC settlement. And it all could have been easily avoided if Equifax had taken just a few simple precautions.

Let’s look at some of the preventable reasons for the breach, and the ongoing lessons to be learned from it!

Problems with Security Patches and Software Updates

Our story starts with Apache Struts, which sounds like the name of a rogue cowboy who just blew into town from an old Western movie. But Apache Struts is actually the name of an open-source web application framework used for developing Java EE web applications.

At the time of the breach, Equifax was using Apache Struts to serve up an online, customer-facing portal. It allowed customers to view and make disputes, but there was a flaw in the software:

The flaw allowed unauthorized viewers to look at the passwords of Equifax employees.

Apache had released a patch to correct this flaw in March of that year and the Equifax breach took place in May. Equifax’s failure to keep their software updated left customer data vulnerable.

Equifax and Problems with Password Security

Before hacking the unpatched Apache Struts, the Equifax hackers would need access to the system. And the patch would have prevented an unauthorized viewer from looking at the passwords of employees.

Still, an intrepid hacker has other methods of gaining access. Simply guessing correctly at an administrator username and password would grant access to the entire system. Anyone could gain control over most of the data, systems, and applications used by the company.

With the systems administrator having so much power, it would make sense to securely guard access. Frequently changing passwords involving long strings of upper and lowercase letters, symbols, and numbers might do the trick, for example.

At the time of the breach, Equifax had their administrator username set to “admin”. The administrator password: also “admin”.

The result: catastrophe.

Data Encryption? Who Needs Data Encryption?

The final preventable element in the Equifax data breach is data encryption. Strong encryption is typically standard practice in the industry. It provides another barrier to access from anyone who would want to exploit sensitive data.

The customer information that was stolen was all stored completely unencrypted. Rather than converting the data of their users into code, which would have required a hacker to decrypt it—a process that would have been difficult or nearly impossible—Equifax stored it all as plain text.

Once the hackers were in, all the data they were after was right in front of them. They needed no key to decode it.

Who Is at Fault for the Equifax Breach?

All of these preventable issues boil down to human error. Negligence, laziness, lack of common sense, or an unawareness of the potential security risks all play a part in the Equifax disaster.

But where does the blame lie?

By not insisting on stronger passwords, timely software updates, and standard data encryption, the (now former) CEO surely bears some responsibility. However, in his testimony to Congress, he shifted the blame to a single employee who he said was responsible for configuring the entire software system.

If what the CEO says is true, this indicates another, deeper problem on the part of Equifax. In assigning so much responsibility to a single individual, the potential for error becomes immense.

These systems are inherently risky. They contain huge amounts of personal data on customers, which, if released, could lead to identity theft or worse. Hackers know this, and they know how valuable this data is. It’s safe then to assume that it is always going to be under some potential threat.

The problem is that people are not infallible. Equifax relied on the competence of one person to control all of that, trusting that that person will:

· Never make a mistake

· Never have a lapse in knowledge or training

· Always be around to fix any day-to-day issues that arise

In short, that person would need to be a superhuman—someone who doesn’t exist.

How Much Trust? Zero Trust

Trusting one person to maintain perfect security for a whole network is already a big ask. It also doesn’t take into account the possibility of malicious intent on the part of that individual.

Although malice doesn’t seem to be a motivating factor on the part of the Equifax employee, allowing one person sole control of such sensitive information opens the door for these vulnerabilities. Even the most trustworthy individual could be presented with motivations to create or profit from vulnerabilities—excessive debt, outside threats, dissatisfaction with a coworker or their employer—these are all potential motivators, and good reasons to diversify administrator access.

The efficacy of high stakes security issues should not rely on trust. Zero Trust security is the only reasonable way to prevent these kinds of issues in the future.

Final Thoughts

The Equifax breach was in many ways a perfect storm of high-value data, negligence, and human error. Fortunately, there are plenty of applicable lessons to take from it.

In terms of preventing something like this from happening again, it’s imperative to stay vigilant! Strong passwords, encrypted data, and timely software updates are all relatively easy ways to ensure security for over sensitive information.

Also, utilizing multiple systems administrators who can administer cross-checks on one another prevents inside actors from stealing data or making a breach possible. These simple actions would have saved Equifax millions of dollars, years of bad publicity, and the trust and confidence of their customers.

Subscribe to our blog to learn more about cloud security. Or follow the links below to see what we’ve written about recently!

What Does Myriad Bring to the Zero Trust Cloud Game?

Aw Snap! A cautionary tale of vendor reliance

68 views0 comments