Fix was available two months before hackers stole info from credit-reporting agency

USA TODAY US Edition - FRONT PAGE - Elizabeth Weise and Nathan Bomey

Hackers took advantage of an Equifax security vulnerability two months after a group shared a fix for it.

Hackers took advantage of an Equifax security vulnerability two months after an industry group discovered the coding flaw and shared a fix for it, raising questions about why the credit-reporting agency didn’t update its software successfully when the danger became known.

A week after Equifax revealed one of the largest breaches of consumers’ private financial data in history — 143 million consumers and access to credit-card data of 209,000 — the industry group that manages the open source software in which the hack occurred blamed Equifax.

“The Equifax data compromise was due to (Equifax’s) failure to install the security updates provided in a timely manner,” The Apache Foundation, which oversees the widely-used open source software, said in a statement Thursday.

Equifax told USA TODAY late Wednesday the criminals who gained access to its customer data exploited a website application vulnerability known as Apache Struts CVE-2017-5638.

The vulnerability was patched on March 7, the same day it was announced, The Apache Foundation said. Cybersecurity professionals who lend their free services to the project of open-source software — code that’s shared by major corporations and that’s tested and modified by developers working at hundreds of firms — had shared their discovery with the industry group, making the risk and fix known to any company using the software. Modifications were made on March 10, according to the National Vulnerability Database.

But two months later, hackers took advantage of the vulnerability to enter the credit reporting agency’s systems: Equifax said the unauthorized access began in mid-May. Equifax did not respond to a question Wednesday about whether the patches were applied, and if not, why not.

It should have acted faster to successfully deal with the problem, other cybersecurity professionals said.

“A typical bank would have patched this critical vulnerability within a few days,” said Pravin Kothari, CEO of CipherCloud, a cloud security company.

Federal regulators are investigating whether Equifax is at fault. The Federal Trade Commission and the Consumer Financial Protection Bureau have said they’ve opened probes into the hack.

So far dozens of state attorneys general are investigating the breach, and on Tuesday Massachusetts Attorney General Maura Healey said she plans to sue the company for violating state consumer protection laws. More than 23 class-action lawsuits against the company have also been proposed.

Equifax shares fell 2.5% Thursday after news of the FTC probe and are down 33% since it revealed the hack.

Information potentially stolen, including Social Security numbers and dates of birth and names, could put people at risk of identity theft for the rest of their lives, credit experts warn.

To some in the industry, it’s not that Equifax had bad security practices, but that such poor security hygiene is all too common.

“This is not some crazy movie-plot attack scenario,” says Jeff Williams, co-founder of Contrast Security. “There is really no excuse for organizations not to be prepared for this totally expected scenario. They should have a well-practiced playbook and run it often.”

