The Equifax data breach of mid 2017 is one of the worst known data breaches—so far. Data breaches get a lot of attention lately, and perhaps eventually countries will take the issue seriously enough to start addressing them effectively and comprehensively. It should be remembered that such breaches were happening long before they appeared so frequently in the news, and that the industry of cybercrime and identity theft is mature and efficient.
How did this breach happen and what lessons can be learned from it? There are many ways for cybercriminals to attack an organization and steal the data it stores. It is ineffective to merely react to the threats described in the latest headlines; a proper cybersecurity program needs to evaluate all of the risks and then address them in a prioritized fashion. That said, the Equifax data breach has lessons for everyone.
Equifax had a weakness in their website where consumers would dispute portions of their credit records. This was the place where consumers could dispute inaccuracies and provide information and documents which were then stored in a database which was connected to other databases containing consumer data. When Equifax built this platform, the computer programmers followed the custom of incorporating pre-written portions of code borrowed from open-source resources.
Open-source code is freely available for inspection and download. The “source code” is provided, every line of it is visible, and it can be modified to suit the need. These source code components are integrated with the rest of the program’s code, and then the entirety of the source code is “compiled” into a format that computers can run, known as “machine code.” In contrast, proprietary code (the software available for purchase) is delivered already compiled, so we are unable to see individual lines of code.
Programmers use open-source components to avoid reinventing the wheel and rewriting portions of code that have already been written, used and tested. Computer programming requires the assembly of prewritten portions of code, making sure they fit and work together, and ensuring the program interacts with the users and databases properly. For the Equifax site, they used Apache Struts, a suite of open-source components for accepting user input into web forms and transferring that information to underlying databases. Apache Struts is maintained by the Apache Foundation and is available for download, inspection and modification by programmers.
What software developers do is similar to how contractors build a house. They do not make the lumber, plywood, bricks, drywall, windows or doors, but purchase those components and assemble them. Building supplies are costly, whereas open-source software is free and reusable, but “free” needs to be qualified. Just as with free puppies and kittens, it will require considerable expense and effort to care for it.
To build their consumer-facing website, Equifax did what was perfectly acceptable and incorporated open-source software components. However, they failed to keep track of which components were used and which vulnerabilities had been discovered in them, and to correct those vulnerabilities. All software is prone to bugs and security vulnerabilities, including open-source software. On the day code is first released, programmers hope it is perfect, but bugs will be discovered that need fixing, and security vulnerabilities will be found that need patching. Change comes rapidly: operating systems and web browsers are updated, which means other programs may need to be updated as well. Thus, open-source components get fixed—patched—to address the vulnerability or bug, and then a new version of the code is released. Anyone still using the older version is at risk.
On March 7, 2017, the Apache Struts community learned of a vulnerability that could allow an attacker to break through the software components and access confidential data. The attacker could enter special input into the web form to trick the database into executing a command and granting special access. Apache Struts issued an update to repair this issue, and the community was notified to discontinue use of old versions and incorporate the updated version into their software.
Ideally, companies have an inventory of their software and what is in it, including the specific version of each component used. In practice, many companies do not, but the recommended practice of regular vulnerability assessments and penetration tests can still detect these weaknesses.
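As an added illustration (not code from the original article or from Equifax), the following script shows what such an inventory check looks like in practice: it compares each application’s recorded component versions against a maintainer’s advisory and flags every deployment still running an affected release. The application names, component names, advisory and version numbers are constructed placeholders, not real Apache Struts data.

```python
"""Component-inventory check (added example; all data below is constructed)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    component: str
    affected_min: str   # first affected version (inclusive)
    fixed_in: str       # first version that contains the patch (exclusive bound)


def version_key(version: str, width: int = 4) -> tuple:
    """Turn '2.3.5' into (2, 3, 5, 0) so versions compare numerically.

    Plain string comparison would rank '2.10.1' below '2.5.12'; padding with
    zeros also makes '2.3' and '2.3.0' compare as equal.
    """
    parts = [int(p) for p in re.findall(r"\d+", version)]
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts + [0] * (width - len(parts)))


def is_vulnerable(version: str, adv: Advisory) -> bool:
    """True when affected_min <= version < fixed_in."""
    v = version_key(version)
    return version_key(adv.affected_min) <= v < version_key(adv.fixed_in)


def audit(inventory, advisories):
    """Return (application, component, version, fixed_in) for each vulnerable entry."""
    by_component = {}
    for adv in advisories:
        by_component.setdefault(adv.component, []).append(adv)
    findings = []
    for app, component, version in inventory:
        for adv in by_component.get(component, []):
            if is_vulnerable(version, adv):
                findings.append((app, component, version, adv.fixed_in))
    return findings


# Constructed inventory: (application, component, version). Names are hypothetical.
INVENTORY = [
    ("dispute-portal", "example-web-framework", "2.3.5"),
    ("dispute-portal", "example-logging-lib", "1.2.17"),
    ("hr-intranet", "example-web-framework", "2.5.12"),
    ("billing-api", "example-web-framework", "2.10.1"),
]

# Constructed advisory: releases from 2.3.0 up to (not including) 2.5.12 need the patch.
ADVISORIES = [Advisory("example-web-framework", "2.3.0", "2.5.12")]

if __name__ == "__main__":
    for app, comp, ver, fixed in audit(INVENTORY, ADVISORIES):
        print(f"{app}: {comp} {ver} is affected; upgrade to {fixed} or add a compensating control")
```

Only the dispute portal is flagged: the intranet already runs the patched release, and the billing API’s 2.10.1 would have been wrongly flagged as older than 2.5.12 by a naive string comparison.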
Consider this analogy for homes and locks. A certain model of lock turns out to be defective; it can be opened with a blank key, or its “smart home” feature is easily hacked. Unfortunately, it has already been installed in thousands of homes around the country, especially in new construction. The manufacturer and contractors try to notify homeowners that their lock is vulnerable and needs to be fixed, while burglars also learn about the weakness and how to exploit it. The fix is simple: call a locksmith to swap a new lock for the old. If a locksmith is not immediately available, the homeowner can implement a temporary security measure, such as using a chain lock when home, installing a surveillance system or even posting a security guard outside. In information security, such measures are known as “compensating controls.”
A defective lock helps us visualize the security vulnerability, but understates the complexity of the patch for Apache Struts. Locks are easily changed, but software components are not—it is not like pressing the “update” button on a smartphone when prompted. Think of the Chinese drywall debacle of 2004–2005, where Hurricane Katrina and other storms caused significant destruction followed by massive rebuilding, which led to a shortage of U.S. manufactured drywall (gypsum board). This led to increased imports of Chinese drywall, which were then used in building projects all around the U.S., but especially in the southeast. It was soon realized that this drywall was toxic, unsafe for the occupants and could even degrade building components such as electrical wiring. When homeowners learned they were living with the dangerous Chinese drywall, it was difficult and costly to replace. Essentially, the interior of the home had to be dismantled and rebuilt—all drywall removed, new drywall installed, taped, spackled, trimmed and painted.
Sometimes, when a vulnerability is identified, companies do not allocate sufficient resources to fix it. Some landlords might feel it is unnecessary to change locks or replace drywall because it is unlikely that a burglar will try to break in, and unlikely that the drywall gasses would injure a tenant or damage the building. In hindsight, it seems clear that Equifax’s risk analysis and response were flawed. They should have rebuilt their website code, incorporating updated versions of Apache Struts. During the days, weeks or months while they built, tested and implemented the new website, they should have put temporary compensating controls in place by adding a filter (or parser) to prevent attacks on the Apache Struts vulnerability. The vulnerability allowed a user to enter malicious input into the web form that could cause the website to grant control and access to the attacker. A compensating control would review the input and remove harmful text before it reached the vulnerable Apache Struts code.
That is the hole that hackers exploited to breach Equifax and steal the personal information of 150 million victims, which Equifax learned about on July 29, 2017, and disclosed to the public on September 7. This appears to be one of the biggest breaches in history, spawning lawsuits, regulatory actions, legislation and a prosecution for insider trading.
What Individuals Should Do
Individuals can protect themselves, their families, and better advise their clients and customers if they know the steps that should be taken in response to the repeating cycle of data breaches. It is not known who committed this data breach, but it is known that they now have a comprehensive dataset of personal identifying information, which can be sold and used for identity theft or other mischief.
Some criminals will try to exploit the fears based on this breach. They will conduct phishing attacks or other fraud schemes designed to make individuals think they are a victim of identity theft in order to trick them into providing personal information or performing an action that exposes their computer or cloud data.
Businesses will also try to exploit this fear to sell products. Companies, including Equifax and others, sell credit-related products and services. Data breaches are good for their business. Advertising and fear tactics may convince consumers to pay a monthly fee in exchange for a feeling of safety. Credit-reporting agencies have a business model that allows them to make money on multiple fronts, through selling access to consumer data, selling services after a data breach, and having consumers pay to protect their data and identities.
Based on facts released in connection with an insider-trading case stemming from this breach, the public knows how Equifax views data breaches. After the breach, some Equifax employees were told that there was an urgent data breach “opportunity” for the company, but they were not told that Equifax was the breached entity. One employee figured it out and allegedly sold his Equifax stock quickly, anticipating a future decline in share price once word of the breach became public, and was charged with insider trading (conversely, several very high-level Equifax employees sold their stock days after the breach, but were exonerated by Equifax’s internal investigation which found they had no knowledge about the breach when they sold their shares). Thus, Equifax makes money from data breaches, and being breached is bad for company valuation.
From a consumer’s perspective, individuals should encourage government to increase regulation to improve privacy rights and to alter the rules of how businesses store, use and sell consumer data. They could call upon government to properly address cybercrime, not by simply telling companies to be more secure, or by simply treating it as a law enforcement issue, but by addressing this international epidemic holistically.
On the law enforcement side, more can be done to address the scourge of identity theft and cybercrime. Identity thieves often rely upon data stolen through Equifax-style data breaches, but identity theft cases are difficult for prosecutors to build, take months of painstaking work, cross jurisdictions and need the assistance of businesses and financial institutions. When District Attorney Robert Morgenthau created his Identity Theft Unit—one of the first in the country—he recognized the importance of fighting this crime. Resulting cases soon demonstrated the connection between identity thieves and cybercriminals. Prosecutors who lack resources or look for quick cases that garner press attention will not be able to bring the type of cases needed to fight this crime.
Fortunately, certain rights can be exercised for free. A free credit report can be obtained each year from each of the following credit-reporting agencies: Equifax, Experian and TransUnion. This can be requested through www.annualcreditreport.com. Do not be tricked by other sites that charge for this service. If any credit information is inaccurate, it can be disputed and corrected. Ironically, it was Equifax’s dispute reporting website that was breached, so consumers who had disputed their credit records and submitted copies of identification documents and supporting documents were the most victimized by the breach. Nevertheless, correcting credit history is a right that should be exercised if needed.
These three credit-reporting agencies also have the ability to “freeze” credit, which will prevent credit history from being offered to others and prevent new accounts from being opened. Not surprisingly, agencies used to charge a fee for this, but thanks to a new law this is now available for free. Agencies also offer credit “lock” services, which may come bundled with other paid services, but consumer groups were recommending the “freeze” rather than the “lock” even before freezes were free by law.
What Financial Institutions and Businesses Should Do
Financial institutions and businesses need to recognize risks relating to identity theft and cybercrime across their platforms. The Federal Trade Commission Red Flags Rule requires such an identity theft prevention program, and organizations should strive to exceed minimal compliance.
One risk is that the company is a conduit for such crime, that a fraudster assumes the identity of a victim while interacting with the business. With a fresh batch of stolen personal identifying information potentially on the marketplace, this fraud may increase. With online accounts, consider that cybercriminals and identity thieves are well-suited to defeat online verification tools during the enrollment process. Personal information is easy for them to purchase in criminal marketplaces, and providing false information such as name, birthdate and social security number is an easy task. Even accounts opened on-site are subject to this fraud—identity thieves are well-practiced at appearing in person with forged identification documents.
Financial institutions and businesses should take a more aggressive approach toward identity-theft-related frauds. The relationship between cybercrime’s data breaches and the resulting use of this information to commit identity theft is evident. Data breaches are profitable because identity theft is profitable. Financial institutions and businesses are subjected to hundreds or thousands of fraud attempts, all of which provide valuable information to build criminal cases.
Private sector fraud and anti-money laundering investigations are essential for reducing cybercrime and identity theft. Yet there are businesses and financial institutions that tolerate identity theft occurring on their platforms, viewing it simply as a business expense, and treating fraud investigation as an added cost rather than an essential component of good corporate citizenship. Of course, there are many dedicated professionals investigating these frauds, but they sometimes are without sufficient resources or support.
Information security is essential, since financial institutions and businesses are collecting and storing considerable data about customers and employees, and many breaches result from failure to perform the basics of security. Every employee is a potential breach point, and lack of knowledge or awareness creates significant risks. Companies need a thoughtful incident response plan which senior management is trained on. Equifax’s response was lacking and communication was poor, which further damaged their reputation and was a disservice to consumers.
Proper risk analysis starts by evaluating the potential threats, harms and costs, followed by remediation in a prioritized fashion. If Equifax had properly done this, they would have devoted resources to address this issue. Companies need a strong cybersecurity and anti-fraud program, which requires continual improvement and focus to make it part of culture. Responsibility for cybersecurity cannot be delegated to lower level employees (for later scapegoating) but should rest with the highest levels of management. Prevention is cheaper than the cure, and a strong posture against cybercrime and fraud can be good for business.
Consumers can protect themselves by obtaining free annual credit reports from the three credit-reporting agencies, freezing their credit, improving their own cybersecurity posture, patronizing organizations that are committed to security and privacy, and encouraging government to address these issues more comprehensively.
Financial institutions and businesses must do their part to improve the security of the data they keep and prevent it from getting into the hands of cybercriminals. They also need to devote resources to investigating cybercriminals and identity thieves and reducing their illicit profits.
Finally, government needs to do more to keep residents safe from crime. Where victims have little control over threats, and where attackers reside outside national borders, the public relies upon government even more.
For information on how you can identify where your organization is most vulnerable to a cyber-attack, please visit: http://www.acams.org/cyber-enabled-crime-training/.