Equifax falls after signs it was slow to fix flaw

The Oklahoman - BUSINESS - By Jenny Surane and Jordan Robertson

Equifax Inc. shares continued to slide Thursday after the company said the hackers who stole data on 143 million U.S. consumers exploited a vulnerability that the company could have fixed two months before it was breached.

The disclosure suggests that Equifax may have been slow to take basic steps to secure its most sensitive data, and will likely add to calls for stronger oversight of an industry whose information, in the hands of criminals, can enable the worst kinds of identity theft and fraud. The company faces a Federal Trade Commission investigation and calls to testify before Congress.

“The vulnerability was Apache Struts CVE-2017-5638,” Equifax said in a frequently-asked-questions section of a website it set up to help people affected. The Apache Software Foundation, which oversees the open-source software, had issued a patch for the flaw in March. Equifax said it discovered the breach on July 29 and that it had been occurring since mid-May.

Equifax fell 2.5 percent to $96.66. The stock price has dropped one-third since the company announced last week that hackers accessed sensitive data including Social Security numbers. That’s the worst four-day decline in the company’s history. Shares of rival Experian PLC, which trade in London, dropped as much as 6.4 percent on Thursday.

The FTC said it’s investigating Equifax’s breach. The agency typically doesn’t comment on ongoing investigations, but confirmed the inquiry in light of “intense public interest and the potential impact of this matter,” spokesman Peter Kaplan said in an emailed statement.

The Apache software is widely used by companies to help build websites. The two-month gap between when the patch was issued and when the attackers breached Equifax’s network was a particularly dangerous time, as hackers began immediately exploiting the flaw on websites that didn’t apply the fix, according to technology website Ars Technica.

“The Equifax data compromise was due to their failure to install the security updates provided in a timely manner,” the Apache Software Foundation said Thursday in a statement on its website.

But security professionals say many companies take weeks or even months to apply software patches, as applications need to be tested to ensure the updates don’t break existing code. Apache Struts software is especially time-consuming to update because it is a framework library bundled into each application, so every application built on it needs to be fixed individually. Still, a delay of several months to remove a high-priority vulnerability is generally considered a dangerous security practice.
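Because every application carries its own copy of Struts, the first practical step in closing a gap like the one described above is simply finding all of those copies and checking which ones predate the fix. The script below is an added example, not code from Equifax, Apache or the article: it walks a deployment tree, reads the Struts version out of each struts2-core jar (from the Maven pom.properties inside the jar, falling back to the file name), looks inside packaged .war files as well as exploded WEB-INF/lib directories, and classifies each copy against the releases that fixed CVE-2017-5638. The fixed releases (2.3.32 on the 2.3 line, 2.5.10.1 on the 2.5 line) and the affected range starting at 2.3.5 are taken from the Apache Struts security bulletin for this CVE; the directory layout and jar contents in the fixture are constructed for the demo and are not real data.

```python
"""Find every deployed struts2-core jar and flag versions still exposed to CVE-2017-5638.

Added example, not code from Equifax, Apache or the article. The fixed releases
(2.3.32 and 2.5.10.1) and the affected range are those in the Apache Struts
security bulletin for this CVE; the fixture data below is constructed for the demo.
"""
import io
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_2_3 = (2, 3, 32)      # first fixed release on the 2.3 line
FIXED_2_5 = (2, 5, 10, 1)   # first fixed release on the 2.5 line
AFFECTED_FROM = (2, 3, 5)   # oldest release listed as affected
POM_PROPS = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"
JAR_NAME = re.compile(r"struts2-core(?:-(\d+(?:\.\d+)*))?[^/]*\.jar$")


def parse_version(text):
    """'2.5.10.1-SNAPSHOT' -> (2, 5, 10, 1); qualifiers are ignored for comparison."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable Struts version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def status_for(version):
    """Classify a parsed version tuple against the fix line for CVE-2017-5638."""
    if version >= (2, 5):
        return "fixed" if version >= FIXED_2_5 else "vulnerable"
    if version >= AFFECTED_FROM:
        return "fixed" if version >= FIXED_2_3 else "vulnerable"
    return "unsupported"    # predates the affected range; end-of-life, upgrade anyway


def version_from_jar(zf, name):
    """Prefer the Maven pom.properties shipped inside the jar; fall back to the file name."""
    if POM_PROPS in zf.namelist():
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1])
    m = JAR_NAME.search(name)
    return parse_version(m.group(1)) if m and m.group(1) else None


def scan(root):
    """Return (location, version, status) for each struts2-core jar under root.

    Covers loose jars in exploded WEB-INF/lib directories and jars packaged inside
    .war archives; a host with several applications gets one finding per copy.
    (.ear files would need one more level of unpacking and are not handled here.)
    """
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix == ".jar" and JAR_NAME.search(path.name):
            with zipfile.ZipFile(path) as zf:
                version = version_from_jar(zf, path.name)
            findings.append((rel, version, status_for(version) if version else "unknown"))
        elif path.suffix == ".war":
            with zipfile.ZipFile(path) as outer:
                for entry in outer.namelist():
                    if JAR_NAME.search(entry):
                        with zipfile.ZipFile(io.BytesIO(outer.read(entry))) as inner:
                            version = version_from_jar(inner, entry)
                        findings.append((f"{rel}!{entry}", version,
                                         status_for(version) if version else "unknown"))
    return findings


def _write_jar(path, pom_version=None):
    """Write a minimal jar; with pom_version set it also carries Maven pom.properties."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if pom_version:
            zf.writestr(POM_PROPS, f"version={pom_version}\nartifactId=struts2-core\n")


def build_sample_tree(root):
    """Constructed fixture (not real data): three apps on one host, three Struts copies."""
    root = Path(root)
    # app-a: exploded WAR; version recoverable only from the jar name
    _write_jar(root / "app-a/WEB-INF/lib/struts2-core-2.3.31.jar")
    # app-b: packaged WAR whose jar was renamed without a version; pom.properties is the only source
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPS, "version=2.5.10.1\n")
    (root / "webapps").mkdir()
    with zipfile.ZipFile(root / "webapps/app-b.war", "w") as war:
        war.writestr("WEB-INF/lib/struts2-core.jar", inner.getvalue())
    # app-c: exploded WAR on the 2.5 line, one release short of the fix
    _write_jar(root / "app-c/WEB-INF/lib/struts2-core-2.5.10.jar", "2.5.10")


def demo():
    """Build the fixture in a temporary directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for location, version, status in demo():
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{status:11} {shown:9} {location}")
```

Run against a real server, point `scan()` at the container's deployment root instead of the fixture; a copy reported as "unknown" (no pom.properties and no version in the file name) still needs a manual look, since a renamed jar is exactly the kind of copy an inventory based on package manager data would miss.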

“If this is indeed a capital offense, then I’d say that the majority of organizations are guilty,” said Rick Holland, vice president of strategy at Digital Shadows, a cyber-intelligence firm with offices in London and San Francisco. “It is easy to Monday-morning quarterback and say, ‘Why didn’t you patch?’ The pragmatic reality for many organizations is that patching doesn’t occur as quickly as one would like.”

The bigger question for many cybersecurity experts is why some of Equifax’s crown jewels were accessible essentially from the open internet, a question that Equifax has not addressed. The company hasn’t specified when it sought to patch the flaw, or what other mechanisms the attackers used once inside the network to access the consumer data.

The vulnerability was a critical weakness for many large websites that were built using the software. In announcing the incident on Sept. 7, Equifax initially blamed a “website application” that it didn’t identify.

Rene Gielen, vice president at the Apache Software Foundation, said in an email Thursday that the group doesn’t have reliable information on how long it takes companies to apply patches for vulnerabilities. While firms usually act within hours or days after an announcement, some companies don’t patch for years, he said.

“If a company has a data breach, like a Home Depot or whatever, they can sell hammers, nails, wood, whatever and generate revenue,” Jeff Dodge, senior vice president of investor relations at Equifax, said at an investor conference in November. “We have a data breach, we’re not in too good a shape out of that, right? So data security and how we go about ensuring that is something we spend a lot of time and effort on.”
