Over the last four days there are signs that the Equifax debacle has begun to bottom out. Before things started to get better, they had to get worse. A security company has disclosed that details of staff and complaints were held on an easily accessible system. Worse still, the passwords were so basic that they might as well have not been there at all.
This was followed by the Comodo Threat Intelligence team exposing the internal password practices of the C-Suite. That’s right, the C-Suite. It seems that those practices were so inept that the team was able to recover the passwords of several senior managers. Two of those individuals have now left the company (see below).
Finally an admission that UK customer data was lost
Over the last week Equifax has refused to comment on the impact on UK users of its services. The portal it set up to help US customers only accepted US Social Security Numbers. This has left customers in other countries wondering how safe their data is.
Late Friday, Equifax Ltd (UK) finally issued a press release on the matter. It said: “As part of its investigation, Equifax has now identified unauthorised access to limited personal information for certain UK consumers.”
It went on to say: “Regrettably the investigation shows that a file containing UK consumer information may potentially have been accessed. This was due to a process failure, corrected in 2016, which led to a limited amount of UK data being stored in the US between 2011 and 2016.
“The information was restricted to: Name, date of birth, email address and a telephone number and Equifax can confirm that the data does not include any residential address information, password information or financial data. Having concluded the initial assessment Equifax has established that it is likely to need to contact fewer than 400,000 UK consumers in order to offer them appropriate advice and a range of services to help safeguard and reassure them.”
Given everything else that is being revealed, the offer of help will be of little comfort to those users whose details have been lost. How many will trust that service is as yet unknown.
Passwords and a lack of basic security competency
For a company holding such sensitive data, Equifax has demonstrated a shocking lack of competency. Security vendor Hold Security revealed details of how poorly Equifax Argentina protected data to blogger Brian Krebs. Hold Security told Krebs that the Equifax Argentina employee portal, called Veraz, used the username and password admin/admin. According to Krebs’ blog:
Once inside the portal, the researchers found they could view the names of more than 100 Equifax employees in Argentina, as well as their employee ID and email address. The “list of users” page also featured a clickable button that anyone authenticated with the “admin/admin” username and password could use to add, modify or delete user accounts on the system. A search on “Equifax Veraz” at Linkedin indicates the unit currently has approximately 111 employees in Argentina.
It seems that once Krebs contacted Equifax they took the portal offline.
Meanwhile Comodo Threat Intelligence dug deeper around Equifax. They discovered details of Equifax users and employees for sale. As they continued to investigate they were then able to get more shocking details from third-party sources. Among those was the fact that the chief privacy officer, CIO, VP of PR and VP of Sales used passwords with “all lowercase letters, no special symbols, and easily guessable words like spouses’ names, city names, and even combinations of initials and birth year.”
As the Comodo press release says: “They didn’t follow basic security best practices and were lacking a complex password requirement.”
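The two failures described above, a vendor default credential left in place (admin/admin) and executive passwords built from lowercase dictionary words or initials plus a birth year, are both things a credential-hygiene check can reject before a password is ever accepted. The following Python script is an added illustration, not code from the article or from Equifax or Comodo; the deny lists and the sample accounts are constructed for the example.

```python
import re
from typing import Optional

# Constructed deny lists for this illustration (not from the article or
# from Equifax): vendor default username/password pairs and a handful of
# guessable dictionary words (names, cities).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("guest", "guest")}
GUESSABLE_WORDS = {"atlanta", "london", "buenosaires", "jennifer", "michael"}
MIN_LENGTH = 12


def check_credentials(username: str, password: str,
                      initials: str = "", birth_year: Optional[int] = None) -> list:
    """Return a list of policy violations; an empty list means acceptable.

    `initials` and `birth_year` are facts about the user that are easy to
    learn from a public profile, so passwords built from them are rejected.
    """
    problems = []
    pw_lower = password.lower()
    if (username.lower(), pw_lower) in DEFAULT_CREDENTIALS:
        problems.append("default vendor credential")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.isalpha() and password.islower():
        problems.append("only lowercase letters")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special symbol")
    # Strip digits and symbols so "atlanta1" still matches the word "atlanta".
    if re.sub(r"[^a-z]", "", pw_lower) in GUESSABLE_WORDS:
        problems.append("based on a guessable word")
    if initials and birth_year is not None:
        year = str(birth_year)
        if pw_lower in (initials.lower() + year, initials.lower() + year[-2:]):
            problems.append("initials plus birth year")
    if username.lower() in pw_lower:
        problems.append("contains the username")
    return problems


def audit_accounts(accounts):
    """Map each username to its violations, keeping only failing accounts."""
    report = {}
    for acct in accounts:
        problems = check_credentials(acct["username"], acct["password"],
                                     acct.get("initials", ""), acct.get("birth_year"))
        if problems:
            report[acct["username"]] = problems
    return report


# Constructed sample accounts; every value here is invented for this example.
SAMPLE_ACCOUNTS = [
    {"username": "admin", "password": "admin"},
    {"username": "jsmith", "password": "atlanta", "initials": "js", "birth_year": 1965},
    {"username": "rjones", "password": "rj1965", "initials": "rj", "birth_year": 1965},
    {"username": "kchen", "password": "Quartz-Lantern-9-Orbit!", "initials": "kc", "birth_year": 1978},
]

if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(problems)}")
```

Running the script lists the three failing accounts with their reasons and stays silent about the fourth. In a real deployment the word list would be a large breached-password or dictionary set rather than five entries, and the check would run at password-set time and again as a periodic audit, so that a default credential shipped with a portal never survives its first login.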
Too little too late as two senior officers leave the company
Last Friday also saw Equifax part with David Webb, Chief Information Officer, and Susan Mauldin, Chief Security Officer. Webb is one of the individuals whose password Comodo Threat Intelligence was able to identify easily. The other three individuals continue to be employed and so far there has been no comment as to whether they have been disciplined over their lax attitude to passwords.
They are not alone. The three senior directors who sold shares are also still at the company. Equifax has said that the timing of their share sales was just unfortunate. In a press release it said that they were not aware of the breach at the time they sold their shares. Chief Executive Richard Smith is due to appear before the House Energy and Commerce Committee hearing in the US Congress on 3 October. It is likely that these share sales will come under scrutiny there, as will the attitude of his senior officers to this breach.
Apache Struts vulnerability blamed for the breach
The company also provided a lot more detail on the timeline of the attack, including the fact that it was known about in July. The attack used a known vulnerability in Apache Struts (CVE-2017-5638). That vulnerability was disclosed publicly in March; the attack started in May and continued until 30th July.
The press release goes on to say: “Equifax’s Security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.” It is unclear as to why patches for this vulnerability were not applied when they became available. In addition, there is no indication of when the patches were finally applied or how the attack was detected.
What does this mean?
Barring any other major disclosures of poor security or data loss, Equifax may well have weathered the first battering of this storm. Its woeful response to the entire incident has done significant damage to its reputation. It is now in full recovery mode as it prepares for investigations, lawsuits and appearances before regulators.
What happens next will determine the future of the company. The company share price is now down 33% since the incident went public. It will now look to stabilise that and try to prevent further falls over the next week. Changing two senior officers will be part of that plan. However, it remains to be seen if that is enough or whether investors and the market will demand that more heads roll.
So far, there has been no indication that the banks, financial institutions or retailers who use Equifax for credit checks are abandoning them. In fact, there has been a deafening silence from that group of people. Behind the scenes, however, there will have been a lot of serious conversations. Both of its competitors will be checking their systems, beefing up their security and looking to win business from Equifax.
On the positive side the company is now engaging openly and providing information on what has happened. Whether that will help or hinder its cause is yet to be seen.