Everything You Need to Know About the Equifax Breach: Timeline, Overview, Impact

Equifax Breach Response Off To A Rough Start

The intelligence team at Flashpoint documents hundreds of data breaches every month, so it takes a truly extraordinary event to make our entire team utter a collective groan of disbelief. The disappointing breach announced by Equifax is one of those events. It lit up our Twitter feeds and Slack channel unlike any other breach disclosed this year, even though there have been much larger data breaches.

The basic facts read like so many other breaches. A vulnerability in a web application was exploited in order to gain access to the personal information of approximately 143 million persons – or roughly 40% of the U.S. population. The compromised data includes names, Social Security numbers, addresses, and in some cases driver’s license numbers. Another 209,000 payment card numbers were also accessed as were 182,000 dispute documents. The breach itself is believed to have started in mid-May of this year and was discovered about two and half  months later, on July 29th.

It’s not the number of persons impacted that got our team’s attention – as mentioned – we’ve seen at least six larger breaches this year including three that each exposed over one billion records. Rather, it’s the long term implications this event will have for both the impacted persons and for Equifax itself.

For the people that had their data exposed, there is no good recourse here. Unlike passwords that can be changed or credit card accounts that can be canceled, this breach targeted precisely those fixed data points that cannot (easily) be changed. These are the key identifiers for linking a person with their credit history, tax filings, bank accounts, employment history, and so much more. It may be stating the obvious here, but it’s not particularly comforting when the only recourse Equifax is offering is their very own TrustedID Premier credit monitoring and identity theft protection service. Granted, it includes credit file monitoring from TransUnion and Experian, but neither of those companies are a stranger to their own data security events. TransUnion has fared the best of the big three, with only seven breaches disclosed since 2005, six of which originated with the unauthorized use of access credentials (i.e. compromised client logins). Experian is a much different story, with over 100 breaches disclosed, most notably the 2015 compromise of 15,000,000 T-Mobile customer’s data and the Court Ventures debacle of 2013.

Until recently, Equifax’s breach experience tracked closely with TransUnion. There were a few more instances of compromised client logins but all said, their breach history was nowhere near that of Experian’s in terms of the high frequency. However, there were signs all was not well at Equifax earlier this year. In February, 158 LifeLock members’ credit reports that were provided by Equifax, were exposed due to a “technical issue” with the online portal used to access the reports. The breach notification letter sent by Equifax implies the problem resided with them. Whatever the “technical issue” was, it resulted in credit reports inadvertently made available to the wrong customer. Equifax Workforce Solutions (TALX Corp) went on to report four additional breaches this year, the largest of which impacted 40,645 employees and contractors of Allegis Group due to a compromise of the online payroll management portal provided by TALX.

One fact that has become crystal clear to us is that public perception of how the response is handled has a long term impact on the reputation of the breached organization. From the moment this breach was announced, Equifax was immediately in a challenging position. After all, if asked, most people would expect a major credit bureau like Equifax to have impeccable security. We know that no organization is immune to an event like this and no good can come from rushing to judgment about the state of Equifax’s security practices. We prefer to give Equifax the benefit of the doubt on that point but we do see many early signals the breach response is off to a rocky start.

Setting aside the fact they are offering their own identity theft protection product to impacted persons – they are after all in the business of providing such services – the company has chosen to ask persons to enroll in the service.

From the statement:

“…based on that information you will receive a message indicating whether your personal information may have been impacted by this incident. Regardless of whether your information may have been impacted, we will provide you the option to enroll in TrustedID Premier.”

Why ask impacted persons to enroll? If Equifax has sorted out who is, in fact, impacted, why not automatically provide some monitoring for suspicious activity within your own bureau? Yes, the three bureau monitoring included with TrustedID Premier is preferred in a situation like this but Equifax is in a unique position to do more here.

Then there is the option to use an online tool to verify whether your personal information  is potentially impacted. To take advantage of this look up, all you need to do is provide your last name and last six (not 4) digits of your Social Security number. However, the website that they have launched to announce this breach is problematic in several ways. First, it appears that the site will return the same message to you regardless of what information you put in. Second, the site is not hosted on the Equifax network and appears to be a fairly stock WordPress installation (which has 25 known vulnerabilities in 2017 alone, according to VulnDB). Third, the site appears to be using a bad SSL certificate at times, and OpenDNS is blocking it as a phishing page. Since trust is critical for web sites like this, especially after a breach of this severity, it is difficult for consumers to trust that Equifax latest online support option is properly protecting their data.

It appears Equifax has opted for “alternative notification”, choosing to disseminate information about the breach through the media and offering this “Trusted ID Premier tool” in lieu of individual notification letters. Most state data breach notification statutes allow for some form of alternative notification when it comes to large breaches like this or when contact information is simply not available. Granted, individual letters may have been costly, but handing over a name and partial Social Security number via a website to a company that just potentially compromised said name and Social Security number thanks to a web app vulnerability doesn’t exactly feel like a great method of learning whether or not I’m impacted. Worse, that site was also set up hastily, throwing a 404 error when visiting the main page when this blog was originally published.

Then there is the fact that they state quite clearly for those that do choose to enroll in monitoring:

“On your designated enrollment date, please return to this site, www.equifaxsecurity2017.com. For security purposes, you will be asked to re-enter your last name and the last six digits of your Social Security number.”

And this:

“… within a few days, you will receive an email with a link to activate TrustedID Premier. Please be sure to check your spam and junk folders if you do not receive your activation email within that timeframe.”

There is being transparent in your process and then there is tipping off fraudsters to start cranking out the phishing scams. As one person slyly noted in their twitter poll, “which of these is the real Equifax site asking for your social security number?”, it’s just a matter of time before phony websites start popping up asking for such information. And not to worry about wasted email effort, Equifax is advising concerned persons to check their spam folders for their confirmation email. Further, once you use the website to enroll, you may receive a message saying that enrollment is really five days away.

Proper data breach response is a tricky business. Companies need to be open and honest about what occurred without proving themselves negligent. They need to offer meaningful assistance to the impacted persons in a way that doesn’t cause confusion or more harm. Ultimately, they need to convey that they are doing all they can to correct the issue and make things right for their customers. It’s still too early to know if Equifax’s response will meet this challenge or fall short. Most people will forgive a data breach (eventually) if they believe the company did all it could to make things right. Unfortunately early indications are that Equifax is not doing themselves many favors with the response effort, making it that much longer of a road to travel before regaining consumer trust.

And for the record, when your senior executives sell shares worth almost $1.8 million three days after discovering the breach, be prepared for a lot of questions! More interesting is how the PR department at Equifax can’t tell users if they were part of the breach today, but knew that the three executives “had no knowledge that an intrusion had occurred at the time.” Many find it difficult to believe that the Chief Financial Officer (CFO) would not have been informed of such an incident!

Legal, Vulnerability Blame Game, and the Big Technical Debacle

As we previously posted, the Equifax data breach response got off to a very rough start. Before we get into the thick of this update, Flashpoint would like to remind everyone that in the wake of a breach of this severity, it is important to be very cautious. Like after any disaster or tragedy, there are already criminals looking to prey on victims that want to quickly protect themselves. In the context of a credit bureau breach, this will mean sketchy ‘services’ that promise to protect your identity, tell you if you were part of the breach, or other types of snake-oil that is too good to be true. As always, make sure that you get both information and services from reputable companies with an established background. Further, when reading about the aftermath of any data breach, remember that the ‘facts’ tend to change on a day-to-day basis as more analysis is done.

Legal Fallout, Congressional Inquiry, and Regulation

The last few years, we’ve  noticed lawsuits are being filed against breached organizations extremely fast – sometimes in the space of hours after the breach is announced. With Equifax, not only did a class-action lawsuit get filed the same day as the announcement, but they are seeking as much as $70 billion in damages. This is believed to be the first-ever billion-dollar class action lawsuit. Similarly, after a large breach that impacts many Americans, we occasionally see Congress take interest in the incident. With Equifax and the potential fallout, both Senator Ron Wyden of Oregon and Representative Ted Lieu of California have called for Congressional inquiry into the incident. Senator Wyden went on to tell Forbes: “I’ve said for years that companies need to be held accountable for data breaches, which is why I’ve supported Senator Leahy’s legislation to require strong protections for consumer privacy.” 

According to Eric Geller, Equifax briefed the House Energy and Commerce committee on the breach the day after the breach was reported, ahead of a hearing announced by Committee Chairman Greg Walden. While Congressional action on breach events is rare, it is much more common to see state Attorneys General stepping in to investigate. By Friday afternoon, New York Attorney General Eric Schneiderman launched an investigation of Equifax. In his statement, Mr. Schneiderman made his intent clear:

“The Equifax breach has potentially exposed sensitive personal information of nearly everyone with a credit report, and my office intends to get to the bottom of how and why this massive hack occurred,”

Natasha Lomas wrote a great article for TechCrunch pointing out that while the majority of people impacted are American, Equifax does have a European presence and has said that some UK and Canadian citizens were also impacted. This means that this particular breach at Equifax would have “failed Europe’s tough new rules”. Specifically, she refers to the General Data Protection Regulation (GDPR) which is a regulation that will standardize breach notification throughout Europe, agreed upon by the European Parliament, the Council of the European Union, and the European Commission. While there are permitted exceptions to reporting breaches in a specific time frame, one key aspect to keep an eye out in the near future is the possibility of substantial monetary fines. The GDPR will give the power for sanctions to be imposed which are considerable.

For example, under the regulation, Equifax could have faced a fine of up to 20,000,000 EUR (USD $24.07 million) or 4% of the annual worldwide turnover of the preceding financial year. Given Equifax’s 2016 operating revenue was around USD $3.14 billion dollars, that fine could have been as high as USD $62.9 million dollars. Considering 209,000 credit or debit card numbers were also compromised, Equifax will most likely end up with other additional costs such as a PCI assessment for any fraudulent transactions, as well as fines and penalties.

The Vulnerability Blame Game (or Let’s Not Leap to Conclusions)

After any breach, many in the Information Security industry are very curious about how it happened and who was behind it. In rare cases an organization will be forthcoming about the compromise, perhaps stating it was the result of a phishing campaign or stolen credentials. So far, Equifax has only said criminals “exploited a U.S. website application vulnerability to gain access to certain files.” That can mean a lot of technical real-estate in the big picture, and doesn’t give a hint if this was due to a specific commercial application, application framework technology, third-party library or custom application code written by Equifax. Yet, William Baird & Co. has issued a report on the data breach, saying that the flaw that was exploited was in Apache Struts, an open-source framework used to create Java web applications.

It is important to note that this three page report (ignoring the Appendix) only mentions “the Apache Struts flaw” twice, and gives no details beyond that. This is dangerously misleading in many ways and leads to several questions. First, “their understanding” means what exactly? Were they part of the auditing efforts after the breach was first detected? Do they have insider knowledge of the forensic analysis done at Equifax? Are they relying on an unnamed insider source at Equifax?

Second, since Apache Struts has released details of two vulnerabilities in the last three days, one of which is pure remote code execution, the other a context-dependent (a.k.a. user-assisted) code execution issue, almost every reader will assume it is one of those two.

Third, there were two other remote code execution vulnerabilities in Struts announced earlier this year, including “Struts-Shock”, a named vulnerability that has had public exploit code available since March 9, 2017. Using the term “the Apache Struts flaw” is not precise and suggests quick speculation at best, not analysis of the facts. If we look at VulnDB we can see a total of 75 vulnerabilities dating back to 2005, with many in the past couple years.

While definitely a potential, making a hasty conclusion that the flaw exploited is in Apache Struts doesn’t help anyone. This report was covered by Keith Collins for QUARTZ, among others, who cited the study and then made additional conclusions, whether he intended to or not. On the upside, Collins mentions that “the apache Struts flaw” in question was “announced earlier this week on Sept. 4” (Note that it was actually published Sept 5, and he cites the original source that confirms it.) So we have Baird and QUARTZ who suggest or explicitly say it was the recent vulnerability. Collins goes on to cite the original vulnerability disclosure and reference that it specifies the issue is in the REST plugin. With this article’s language and citations, it is basically putting forward as fact that the vulnerability exploited to compromise Equifax was the September 5 “Apache Struts REST Plugin XStream XML Request Deserialization Remote Code Execution” issue. 

Not only is the lack of citation for this information troubling, they are also collectively saying that the same vulnerability discovered by Bas van Schaik of lgtm was known about and exploited 38 days before their disclosure. That would be a significant zero-day vulnerability used against a target most likely not required since they apparently are using severely outdated technology (more on that in the next section). It’s fine to guess at the vulnerability used, a lot of people do it, but to state it as fact without showing the provenance of that information is irresponsible and misleading. Attempts to contact Baird by at least one reporter have gone unanswered. In the meantime, an extremely rare event has happened and the “accused” Apache Struts team has released a statement.

The Big Technical Debacle

Putting the vulnerability blame game aside for a moment, it is interesting to evaluate the public technical information that can be gained about Equifax. While Flashpoint has not published any information on Equifax, many security researchers have shared their findings. No one bit of information in this section will point at or even suggest which vulnerability was used. Instead, this section serves to show that Equifax does not appear to follow the most basic of security practices which calls into question if they were in a position to properly defend their network and people’s personal information. 

Equifax appears to have stood up a WordPress installation on equifaxsecurity2017.com to handle a portion of the breach response. Andrew Healey pointed out earlier that it appears to have a single user account named “edelman”. At some point after his Tweet, Equifax seems to have prevented access as it now throws a 403 error. Dan Goodin posted the full output before it was restricted:

Additionally, a ThreatPost article stated that “many of the web applications hosted within the Equifax network are written in JSP, and a few pages appear to be coded with ASPX. There also appear to be a large amount of legacy Microsoft IIS web servers in use.” Between the IBM servers, IIS servers, and alleged Apache Struts implementation, there are many legitimate and likely avenues of attack that have nothing to do with the Struts vulnerability disclosed days ago. There has been a lot more technical information publicly disclosed by researchers examining Equifax’s Internet-facing resources.

In a now-deleted tweet, Kevin Beaumont pointed out that Equifax is using outdated IBM HTTP server software with known vulnerabilities. Several people have pointed out that a trivial cross-site-script (XSS) vulnerability publicly reported to affect an Equifax server in 2016, still works. The Open Bug Bounty submission (OBB-141440) is dated March 14, 2016 and is not fixed even with a provided proof-of-concept. However, looking at other OBB reports for Equifax, we see this is contrasted by OBB-141437, an XSS vulnerability in Equifax.co.uk that was fixed within months, as well as OBB-240695 a different XSS vulnerability in Equifax.com that was reported on May 24, 2017 and subsequently patched. 

Stepping back a bit to look at Equifax as a bigger picture, one dump of information shows that Equifax owns 1,519 domains with 5,209 sub-domains / aliases, while a different analysis says that they have “618 domains spread across 493 perimeter hosts on ipv4.” Regardless which is more accurate, that is a lot of technical landscape to manage, a substantial attack surface and even more daunting to secure. Shortly after the breach was made public, Twitter user @notdan shared a stack trace from an unknown Equifax resource while examining their systems. As Jake Williams reminds readers, “printing stack traces is indicative of generally bad cyber security practices.” Finally, Kenn White points out that the consumer login page to Equifax was not using a proper SSL certificate as of September 7th.

EULAs, Size Doesn’t Matter, and Where’s The Data?

As usual following a big data breach, we’re seeing a wide variety of commentary, speculation, and observations. Unfortunately, some of the statements appear to have little or no sources referenced and many are wild speculation at best. As always, read everything with a skeptical eye! 

A day after the breach was announced, a furor arose as portions of Equifax’s TrustedID End User License Agreement (EULA) were highlighted. Specifically, one clause said that by enrolling in the TrustedID program after your personal information was leaked, you also waive your rights to sue Equifax or be part of any class-action suit. Given that the first class-action lawsuit is already filed, this puts people in a bad spot. Either they can opt into a program designed to help them manage the leak and never sue Equifax, or they can forgo the program and reserve the right to sue Equifax putting them at risk. These are not good options for those affected by the breach; they should have the right to do both.

Image courtesy of @wyatt_privilege:

While this arbitration clause was included in the credit monitoring program, you apparently have the ability to opt out of the clause within 30 days. However, most people didn’t read far enough down to see the clause, let alone see the information about opting out. This serves as yet another reminder that while incredibly dull and sometimes difficult to read, EULAs are important and may severely impact you. Fortunately, by the time many heard about this arbitration clause, the public uproar prompted Equifax to change their minds.

What Happened to the Stolen Data?

After a data breach, one of the things that many are curious about is what did the criminals do with the data? In some cases, the data is posted publicly for all to enjoy to make a statement. Other times it is used to facilitate further criminal activity in order to make money. More recently, we’re seeing the criminals put the data up for auction as we did with the Shadow Brokers and their alleged National Security Agency (NSA) hack. On September 8, cyber reporter Catalin Cimpanu noticed a Dark Web portal (badtouchyonqysm3.onion) was created that claimed to be selling the Equifax data:

According to Robert Hansen, the data was trading for 600 Bitcoin (USD $2,528,400.00) on the site. Twitter user @real_1x0123, an ‘Underground Researcher’, appears to have found an Equifax host with shell access that shows access to several sub-domains. It is curious why they redacted two of the hosts, one of which is displayed in the browser tab title (ayuda.equifax.com). While not clear if this is proof of the compromise or sale of the data, if legitimate, should raise serious concerns for Equifax as their response to the breach may not be as complete as they think.

Jonathan Nichols spent a little time poking at the Dark Web site claiming to have the data and found a few misconfigurations that reveal information about the hosting provider and potential BTC Wallet ID. Despite all of the above, it is not clear if this claimed data is legitimate, and if so, truly being sold.

Biggest Breach Ever? Not Even Close!

As we are keen to point out, many media outlets and security companies like to make statements about topics they don’t specifically research, because any news is good news. In this case, Cylance has claimed the Equifax breach is “one of the biggest ever” and SC Media puts it as the fifth largest breach ever. While you can debate the “one of the biggest” comments, since that is more about perspective in the big picture, we can certainly say that SC Media is wrong. Even using SC Media’s list, you can see this isn’t even the largest Credit Bureau breach in history. 

Using Cyber Risk Analytics, which actually tracks data breach information to great detail, we can get a better picture of where Equifax ranks as far as pure record disclosure:

Of course, it is important to remember that just comparing the number of records doesn’t fairly compare the breaches. Losing millions of usernames and hashed passwords isn’t as severe as losing millions of credit histories for example. 

Equifax Breach: The Bigger Picture, Identity, Impact, and Advice

The Bigger Picture: Concerns, Impact, Advice

While the media storm surrounding the recent Equifax data breach continues its fever pitch, it’s important to keep in mind this is far from the first breach of a credit bureau. In fact, Experian has had its own dealings with a large breach when it had to contend with (and disputes) the exposure of up to 203 million records after the purchase of Court Ventures. Looking at the three major Credit Bureaus, there have been over 140 incidents reported involving various units of the big three entities.

While some of the incidents impacted relatively low record counts, it speaks to a larger problem regarding their protection of sensitive information. Russell Brandom wrote an article for The Verge titled “Our entire credit bureau system is broken: The massive Equifax breach is a symptom of a much larger problem”. Ignoring the error of this being the “biggest public breach in the history of credit reporting”, Brandom makes a good argument about the problems surrounding credit bureaus having so much valuable data linked to widely compromised data points like a Social Security number and date of birth. 

It is also important to remember that the average person is not an Equifax customer. Banks, credit card companies, landlords, insurance companies – the organization seeking information on an individual’s credit worthiness are the key customers of the credit bureaus. While Credit Bureaus are likely to have your information, it wasn’t because you voluntarily provided it to them. You don’t have a customer / business relationship with them. Instead of using the term ‘customer’, it is more appropriate to call yourself their ‘product’, and as David Brock points out:

Proving Identity & Victim Concerns

Perhaps the biggest concern facing the victims of the Equifax breach is that with the disclosure of sensitive personal information, how will they prove their identity? Even if you interact with Equifax directly, Emin Gün Sirer‏ asks the important question, “how do you prove who you are to a company who leaked all your private data?” How about any other creditor or lending institution? Jake Williams asks “knowing this data is out there for 143 mil Americans this morning, how do you verify identity of a new customer?” This will become problematic for victims and creditors alike and most likely will result in more time and effort spent on validating our identities. It’s not difficult to imagine new processes requiring additional paperwork or copies of documents in order to ‘prove’ we are who we claim to be. 

Continuing the idea that we are victims, Kim Zetter points out we have no choice when it comes to allowing Equifax access to our information. “Unlike Yahoo breach, consumers can’t just close their Equifax account and take their info/business elsewhere to express their displeasure”. The three Credit Bureaus obtained our information via other sources without our direct consent. Instead, we often form a relationship with a business and agree that they may sell or share our data to third parties. Equifax relies on this along with dozens of other methods for collecting data.

The Direct Impact to Customers

As we noted in our first blog, using Equifax’s TrustedID site to try to verify if you are impacted by the breach didn’t appear to work. Zack Whittaker wrote an article for ZDNet going into more detail and confirming what several people experienced on the first day the service was active. The title of the article, “We tested Equifax’s data breach checker — and it’s basically useless” says it all. For victims who want to put a ‘security freeze’ on their information, Equifax will give them a PIN that allows the victim to remove it later when they feel there is no risk.

Unfortunately, that PIN was generated entirely based on the date and time you request the PIN. As Tony Webster points out, “if you froze your credit today 2:15pm ET for example, you’d get PIN 0908171415.” Even worse, Equifax has been using this format for over a decadeand acknowledged the issue at least a year ago. So the criminals that took your personal information have a leg up in trying to remove the security freeze as the PIN becomes more guessable.

Equifax was sent scrambling once again to correct this and by late Monday confirmed a new PIN generation system would be in place within 24 hours. While we haven’t seen any Equifax-based phishing mails, we can be sure that criminals and security companies will be chasing opportunities. Twitter user ’Try Catch HCF’ points to the domain “equifax2017.com” which was registered on September 9 by HICHINA ZHICHENG TECHNOLOGY LTD. out of Hangzhou, China. The domain isn’t hosting anything specific at the moment, so the intention is not clear, but this is yet another warning for everyone to be mindful of the follow-up scams that are sure to come.

According to Scott McGready, that is likely one of at least 247 domains that have been registered that “look like Equifax” since the breach.

General Advice to Those Impacted

After a breach of a Credit Bureau, those impacted may be struggling to understand how to react. Unlike a breach that leaked passwords or a credit card number, the information compromised in the Equifax breach cannot be easily replaced. With credit history and extensive personal information including Social Security Numbers, the impact could be more devastating. Twitter user Patrick McKenzie, who says his “hobby in writing letters about the Fair Credit Reporting Act is suddenly topical!” He offers a string of advice for people in his thread, which we quote most of, with minor edits for readability:

• Tip 1: Do not pay for credit monitoring. You’re statutorily guaranteed three free credit reports a year. That’s sufficient.
• Tip 2: If someone opens a loan or CC in your name, deep breath: you are going to lose some time but not money. You haven’t been stolen from.
• Tip 3: You will be inclined to do things over phone, because credit reporting agencies and banks push people to it (and lately apps). No. Calls.
• Tip 4: Everyone attached to a telephone at a Credit Reporting Agency (CRA) has scripts which are optimized for getting you off the phone and minimal ability to help.
• Tip 5: If someone has opened an account in your name do not call the bank and ask them to close it. You do not have or want authority on acct!
• Tip 6: You should file a police report locally and get the police to issue a paper copy or receipt. It doesn’t matter if they investigate.
• Tip 7: You will snailmail copy of that report to the bank’s legal department (address available online) with a short letter.
• Tip 8: The contents of the letter: you did not open; correct immediately; any collections activity including reporting to CRAs is a Fair Credit Reporting Act (FCRA) violation.
• Tip 9: The bank is responsible for all damages and this letter is specific written notice of your complaint. You require resolution immediately.
• Tip 10: You also require all communication about the matter to be in writing to you.
• Tip 11: People do not believe me on this but trust me a professional firm letter from someone who sounds competent gets to a lawyer or Senior Vice President (SVP) reliably.
• Tip 12: Keep copies of everything, indefinitely. Keep a log of when mail was sent and when mail was received. Dropbox is your friend.
• Tip 13: You should not act like a supplicant; you owe the bank nothing as you’re not in a commercial relationship with them. But: no anger.
• Tip 14: You do not want to be read as someone who is angry and needs to be talked down. You want to be read as someone collecting a paper trail.

And finally, Twitter user Dissent Doe gives one more piece of great advice: “If you’re concerned about the Equifax breach, and want a security freeze (not fraud alert, but FREEZE), contact Experian & TransUnion, too”. Just remember, each of them will charge you for that freeze, including Equifax, despite them being the reason you want the freeze. Flashpoint sends their thanks to those who are helping those impacted. 

Ambulance Chasing, FireEye, and a News Roundup

As you might expect, many in the technology field have already received marketing mails from security companies claiming that their technology or solution would have stopped the Equifax breach if they had been involved. Even before we actually knew 100% how Equifax was breached (it had not yet been confirmed it was in fact an unpatched Apache Struts vulnerability), the emails stated that their technology could have stopped it.

The most curious of these types of emails are when other service providers that are not associated with Equifax feel the need to email their customers. In one case, LastPass emailed to say they aren’t affected but shared the Equifax press release. It has prompted some to ask, “Why tf is LastPass emailing me to tell me my LastPass account isn’t affected by the Equifax breach?” One journalist describes the ambulance chasing emails to number in the hundreds. And to be clear, while this is the most recent spam wave, this isn’t the first time we have seen a major breach being used as a marketing campaign. We all remember the numerous emails going around claiming their security products would have stopped the Snowden leaks even!

How Equifax Was Breached

After speculation and unfounded claims, Equifax has officially confirmed that an Apache Struts flaw was in fact used to compromise them in this breach. As suspected, it was not one of the Struts vulnerabilities disclosed this month, rather, ‘Struts-Shock’ (CVE-2017-5638) disclosed in March 2017. While some will be eager to say “told you so” there is still a lot more to consider.

First, we should not yet believe that only one individual or group exploited the vulnerability and grabbed the data. With an Internet facing server vulnerable to a high-profile vulnerability with public exploit code, we have to assume that there is the potential that more than one party exploited it. Equifax says that they discovered the breach on July 29th, but we know that the Struts-Shock exploit code was published on March 9th. That means that Equifax did not patch the vulnerability for as many as 142 days. We don’t know if it was patched and the breach noticed afterwards, or if the breach was noticed and the vulnerability patched as a result.

Second, there has been more fallout on the topic of Equifax’s digital security hygiene and footprint. Per Twitter user ‘ThreatPinch’, at least 135 IP addresses belonging to Equifax are still affected by the HeartBleed vulnerability which was disclosed on April 7, 2014. If Equifax has that many public-facing servers that have not been patched to a three year old vulnerability, we have to assume that whoever is responsible for the latest breach is not the only one, and likely not part of that exclusive of a club. Brian Krebs reports that an Equifax employee portal for managing credit disputes in Argentina had to be shut down yesterday due to it using a login and password of ‘admin’. Last, in looking at our own Cyber Risk Analytics ratings for Equifax, they have been rated below a full star for well over a year. We take data from numerous sources to calculate a rating which can be used to better understand the cyber hygiene of an organization and the likelihood of a future data breach. Given everything that we know and can easily see about their history, it isn’t a shock that Equifax has had yet another data breach.

Regardless of the subsequent fallout, it is absolutely great that the public knows how Equifax was compromised. That is a missing bit of information in a large majority of breaches, yet one data point that could better help other companies know which vulnerabilities are being actively targeted, and help prioritize remediation efforts.

Curious Relationship Between FireEye/Mandiant and Equifax

Finally, ZDNet reports that Equifax has enlisted FireEye-owned Mandiant for its incident response to this breach. This is another curious move since Equifax’s CSO was quoted in 2012 saying the  “zero-day and targeted attacks that evade some of the simpler defenses are where you are going to need a next-generation product [..] by far, FireEye detected and kept us secure from these issues.” In fact, this statement was part of a FireEye whitepaper that was advertised on their site and now have been quickly removed after news of the breach hit.

While we can only assume that Equifax is still using FireEye products, it does raise an eyebrow about the effectiveness of a product or the deployment when it boasts about stopping “zero-day and targeted attacks” but somehow misses a public remote code execution flaw in a highly deployed web framework.

If that wasn’t enough oddity for one blog update, Twitter user ‘x0rz’ pointed out that a Mandiant employee appears to have registered “equihax.com” two days before Equifax announced the breach publicly. The website currently has nothing on it, but the domain does in fact show it is registered to a “Brandan Schondorfer”, whose LinkedIn profile is now returning a 404. But we can see that Google shows that he is an incident response consultant at Mandiant (a FireEye Company).

As we continued poking around Google looking at the cached profile, we stumbled across something else interesting! While Brandan’s cached LinkedIn profile currently does not exist anymore, we were able to find his current profile since the LinkedIn URL has the same identifier “44933668” in it. It appears that Brandan has recently renamed his LinkedIn profile to drop his last name:

Additionally, it seems that Brandan has removed his Twitter account as well as what may be his Facebook account (but oddly, not his MySpace or SoundCloud pages!).

It’s difficult to say why a Mandiant employee would register that domain without anonymous registration, especially ahead of the public announcement, when Equifax is a customer of theirs. Some have stated that it was possible to prevent phishing domains from being registered. Others have also jumped in and agreed that Brandan was just performing a rear-guard action, buying up all the domains that others may use to mock Equifax for the breach. But it was also mentioned that he was sloppy by registering under his own name and is probably being mocked at work by his peers as this move required Equifax to disclose who they were using for the incident response.

Regardless if this was a Mandiant-sanctioned domain registration, based on the name change in the LinkedIn profile and what appears to be the removing of other social media accounts, it seems that the mistake has been realized.

While this may seem off topic, a curiosity for any data breach is when did the affected organization actually know about the issue and when did they engage outside assistance. As expected, we can more readily acknowledge with some degree of certainty that FireEye was engaged before the announcement and assisted with the initial assessment.

Update Roundup

Five days after any news-saturating breach, we typically get to a point where many of the prior topics covered in this blog begin to be examined in more detail. Like loose threads, various people will follow them and cover each in greater detail, examine additional points, and explore new ideas on the topics. It is easy to go down these rabbit holes because there is often promise of interesting and impactful observations that can help us better understand the situation. Rather than try to visit each of these rabbit holes, we’d like to share some of the updates and new developments in a more succinct manner:

• Zeynep Tufekci has written an opinion piece titled “Equifax’s Maddening Unaccountability” for the NYTimes that may echo sentiments from many impacted.
• Richard Blumenthal, a Senator from Connecticut, has written an open letter (PDF) to the CEO of Equifax strongly recommending they offer a better response to those affected, including longer credit monitoring, waive all fees, and more.
• In response to the Consumer Financial Protection Bureau (CFPB), the Consumer Data Industry Association (CDIA) on behalf of Equifax, pressed regulators to remove parts of the regulations that better protect victims of data breaches. Some are speculating that with the Consumer Financial Protection Bureau (CFPB) investigating Equifax after the breach, it may influence the deregulatory efforts. Ultimately, all of this may end up landing at the feet of the President and Congress.
• The Dark Web site claiming to sell the Equifax data has been shut down after researchers exposed information about it.
• According to Will Long, Experian is airing a commercial for an information privacy product during an NFL game… days after the Equifax breach announcement.
• Brian Schatz observes that if half of those impacted by the Equifax breach sign up for a credit freeze, then Equifax will make ~ $700 million dollars on the fees to do so.
• After public pressure, Equifax quickly removes fees for victims asking for a credit freeze.
• A chat bot, software designed to walk you through a task (e.g. technical support), originally designed to help with arguing parking tickets in court has been repurposed to help you sue Equifax for up to $25,000 without hiring a lawyer. Welcome to the future!
• After the breach, “Standard & Poor’s has placed Equifax’s credit rating on outlook ‘negative’” according to TheStreet.
• Prior to the disclosure of the data breach, Equifax’s market value stood at $17.2 billion. Its market cap has since declined by about $4.9 billion, to $12.3 billion.
• Equifax CEO Richard Smith will testify before a special House panel about the Equifax security breach on October 3.

Timeline, International, Patching, PCI

As expected, the amount of news and commentary around the Equifax breach continues to pour in. We focus on some of the big points and include another roundup of news.

Running Timeline

As the events unfold, people are taking an increased interest in the amount of days that passed between two events. Typically after a breach, this centers around the time to patch for the organization to determine, at least in their minds, if the company was diligent in addressing the vulnerability. To help everyone with this, we’ll be maintaining a running timeline of the events with references.

201?-??-??	Apache notified of the vulnerability (RBS has contacted Apache asking)
2017-03-06	Apache released upgrade to resolve vulnerability (ref)
2017-03-07	Vulnerability published in VulnDB (ref)
2017-03-07	Exploit published (ref)
2017-03-10	MITRE opens up CVE ID with description and 7 references (ref)
2017-03-10	NVD adds to their database via CVE. No updates since (ref)
2017-03-14	CERT releases advisory on vulnerability (ref)
2017-03-14	Equifax aware of the vulnerability (ref)
2017-05-13	Equifax breach occurred, continued until 2017-07-30 (ref)
2017-07-29	Equifax detected breach (ref)
2017-07-30	Equifax patched the vulnerability (ref)
2017-08-01	Equifax CFO and President of US Information Solutions sold stock shares (ref)
2017-08-02	Equifax President of Workforce Solutions sold stock shares (ref)
2017-08-02	Equifax contacted Mandiant to help with incident response (ref)
2017-09-07	Equifax notified public of breach (ref)

Based on the above, here are some numbers people are frequently asking about:

• Equifax time to patch: 138 Days
• Equifax time to notice compromise: 78 Days
• Equifax time to notify public: 117 Days

Equifax International Victims?

Since Equifax is known as a U.S. company, gathering data on Americans for credit tracking purposes, many are surprised to hear that other countries are affected. We originally noted that some in the UK and Canada were impacted. Now, more information has become available about the UK victims. The National Cyber Security Centre, a part of GCHQ, has issued a statement saying that around 400,000 UK citizens were impacted by the breach. 

According to the BBC, Equifax blamed this due to a “process failure” and confirmed that the information spans from 2011 to 2016. Little is known as to how many Canadians have been impacted in the breach. The lack of transparency has prompted the Canadian Automobile Association (CAA) to take the unusual step of notifying 10,000 of their members their information may be at risk.

The reason? Between March 2015 and July of this year, CAA partnered with Equifax to provide an identity protection program to their members. CAA reached out to Equifax requesting clarification as to whether the members that participated in the program were impacted but has received little information from the company.

Patching is Hard

Perhaps the hottest debate among InfoSec, journalists, and other observers over the last few days is that of patching vulnerabilities. In the context of Equifax, some are saying that they were negligent in so many words, for not patching a critical remote code execution vulnerability for 138 days. Others jumped in saying that patching is not a simple task, that it takes time, resources, and money, especially in big organizations.

While this may seem like a simple debate, there are many other factors that must be considered. Those who work defense, known as Blue Teams, often say that if you haven’t worked a day in their shoes, you will never know the pains of patching. Those outside of Blue Teams may also level blame at all levels of the organization, ranging from the security teams to the Chief Information Officer (CIO).

Using the Apache Struts vulnerability as an example, Alyssa Feola points out that it isn’t a simple patch, as it requires updating and recompiling production code. Not everyone is sympathetic to Equifax’s security teams and management though. Daniel Franke reminds everyone that patch management is a huge job, but so is filing tax returns, and there is no excuse for failing to do so. 

Steve Tornio steps back and looks at it from a broader picture asking if patching Struts is more or less time intensive than 149 million people dealing with identity theft. Steve’s point, along with the difficulty of patching any technology, is a good reminder of what is known as technical debt. The time and costs associated with maintaining software must be considered long-term, not just the initial cost of installation and deployment. Many things factor into technical debt, including the history of vulnerabilities in the software, the average time to patch of the vendor, and more.

The Music (Gender?) Angle

On September 15th, Brett Arends published an opinion piece in MarketWatch calling out Equifax Chief Security Officer (CSO) Susan Mauldin for having a degree in music. The article firmly levels blame for the breach starting at the top with her, going so far as to put her title in quotes. This sparked a heated debate on Twitter about if such a degree is relevant. Many were quick to point out that Peiter Zatko, a.k.a. Mudge, one of the most respected security professionals in the world, also has a degree in music. He was quick to point out that nothing is wrong with a music grad as a CSO, but he humbly suggested they also have a 20+ year track record.

This conversation quickly pivoted and became focused on gender. Paul Roberts wrote an opinion piece for Security Ledger that explicitly calls this point out, titled “when they say your major is a problem, what they mean is your gender is a problem”. In the article, Roberts points out several other successful C-level executives that don’t have degrees in computer science or security, while also noting that Arends does not have a degree in his chosen profession either. Daniel Miessler published a blog with a handy flow-chart on whether you should hire an infosec person with a music degree. Perhaps the most interesting result of this conversation is the #unqualifiedfortech hashtag on Twitter.

PCI Blowback?

A small portion of the data compromised in the Equifax breach included around 200,000 credit card numbers. As Brian Krebs notes, Visa updated an advisory about the stolen cards saying that the data likely included cardholder’s Social Security numbers and address. He says this ironically suggests that the data was stolen from people who were signing up for credit monitoring services through Equifax.

Even more interesting, Kim Zetter says the the credit card data was part of historical transaction data, meaning Equifax violated PCI security standards. She goes on further pointing out the dates of the transactions go back to November 2016, which means unencrypted credit card information was available on their network for six months. This seems like a clear-cut violation of PCI security regulations and could be grounds for sanctions. However, Equifax is ironically a member of the PCI Security Standards Council (PCI SSC), making some wonder if they will even receive a slap on the corporate wrist for the violation.

Update Roundup

A week later, there is no sign of the news and commentary letting up. Rather than try to visit each item in detail, we’d like to share some of the updates and new developments in a more succinct manner:

• According to Bloomberg, Equifax learned of the breach in March, not in July as they claimed, according to their sources. Perhaps mincing words, Equifax claims it was a ‘different breach’ involving the ‘same intruders’.
• According to Sonatype, thousands of organizations may also be vulnerable to Apache Struts flaws. As always, we remind readers to take such claims with a grain of salt when they are based on downloads. There could be a big discrepancy between the number of downloads, number of installations, and more importantly, the number of vulnerable installations.
• Kevin Beaumont noticed that Equifax had the results of one external audit performed by KPMG available on their public website. At the time of this blog, the 2012 “Report on Equifax’s Controls Placed in Operation and Tests of Operating Effectiveness” is still available (PDF). As Brian Krebs also points out, a different report from 2014 that has since been removed shows that KPMG found Equifax left private encryption keys on servers.
• Equifax has announced that their Chief Information Officer (David Webb) and Chief Information Security Officer (Susan Mauldin) would be “retiring”, according to the Wall Street Journal.
• The WSJ also reports that Equifax spent at least US $500,000 lobbying Congress for laxer regulations, including limiting liability for credit-reporting companies.
• The Department of Justice announced they have launched a criminal probe into the timing of stock sales by senior Equifax officials.
• The U.S. Department of Justice has opened a criminal investigation into three executives who sold stock days after learning about the breach, months before the public was informed.
• U.S. Senator Elizabeth Warren, along with 11 colleagues, has introduced a bill that would prevent Equifax and the other credit bureaus from charging consumers to place a credit freeze on their account. Warren went on to Tweet that the idea of the bill is simple; “Equifax doesn’t pay you when they sell your data. You shouldn’t have to pay them to stop selling it.”
• Shortly after the breach, Equifax removed its mobile apps from the Apple and Google markets. After speculation, it appears that it may have been in response to a vulnerability found by Jerry Decime.
• Looking for a real challenge in InfoSec? Equifax is apparently hiring around 40 people!

Cyber Insurance To The Rescue?!

Any time there is a big data breach that impacts millions of people, you can expect the lawsuits to spin up and significant costs to follow. As we mentioned in our initial post in this blog series, the first lawsuit against Equifax was filed within hours of the breach announcement on Thursday, September 7th. By the following Monday, at least 25 federal lawsuits and 2 Canadian suits had been filed. In fact, at least 250 lawsuits have been filed against Equifax since September 7th and more are surely to come!

Undoubtedly, this is going to be an extremely costly event. So much so that Equifax has taken the step of already posting a statement to investors, advising them of the breach and its potential financial implications. From the statement:

9. Do you have an estimate of the costs you expect to incur related the cybersecurity incident, including timing? Does Equifax have cyber insurance and to what extent will it offset the financial impact of this incident?

At this time, it is too early for us to provide specific estimates of the costs we expect to incur related to the cybersecurity incident. The most significant near-term costs expected to be incurred will be delivering our TrustedID Premier identity theft protection and credit file monitoring product for a period of 12 months to consumers who enroll. In addition, Equifax will incur legal, forensic consulting and other costs related to the incident. Equifax carries cybersecurity, crime, general liability and other lines of insurance, and we have begun discussions with our carriers regarding the incident.

10. How will you disclose the costs related to the cybersecurity incident in your financial statements and public filings?

Equifax will separately disclose costs specifically related to this cybersecurity incident, as well as any insurance reimbursements that offset these costs. These costs and reimbursements will be treated as non-GAAP items in our presentation of Adjusted EPS and Adjusted EBITDA margin. The timing of the accrual for or incurrence of related costs may differ from the timing of recognizing insurance reimbursement for those costs.

11. Do you expect this cybersecurity incident to impact your long term financial model?

Equifax remains committed to delivering on the long term financial model of 7-10% revenue growth and 11%- 14% growth in Adjusted EPS on average over a business cycle. Equifax’s long term financial model reflects our continuing fundamental ability to utilize our unique and differentiated data assets and leading analytical capability to deliver high value products and services to our customers.

While the cost of a data breach has been, and is still highly debated, no one can discount that a data breach does cost money. Luckily for Equifax, they have integrated cyber insurance into their risk management plan and that should help offset some of the costs, but how exactly that coverage will apply is a very curious question.

Other than confirmation that Equifax does have Cyber Insurance, there has been no official details provided by anyone directly involved as to how much insurance Equifax actually has or how it might respond to the many different costs this breach is generating. What we have seen so far in other published articles is that Equifax has a potential “tower” (a series of insurance policies purchased from multiple carriers) between $100M and $150M. It is rumored and has been published that Beazley is the primary carrier on the tower and the first layer is $15M.  

Some anonymous sources have provided additional clarity about their insurance policy, and it appears that there is $130M of coverage in place. Based on all information available the tower is believed to have a structure as follows:

$5M – Self Insured Retention

$15M – Beazley

$10M – ?

$10M – ?

$15M – ?

$10M – ?

$10M – ?

$10M – ?

$10M – ?

$10M – ?

$25M – ?

————————–

$130M Total Limits

For the most part, many will assume that the normal coverages in the Beazley’s cyber insurance policy (BBR) will apply for the Equifax tower. But what is not yet clear is how these limits will be allocated to the lawsuits and regulatory actions (a.k.a. the liability component) versus breach response costs (a.k.a. first party costs). Regardless, $130 million is likely to come up short compared to the total cost of the event when all said and done. A Bloomberg article stated as much when they reported that the cyber policy Equifax has in place was “likely inadequate to cover the credit-reporting company’s costs”. This was further justified from the Equifax statement:

“Our property and business interruption insurance may not be adequate to compensate us for all losses or failures that may occur,”

“Also, our third-party insurance coverage will vary from time to time in both type and amount depending on availability, cost and our decisions with respect to risk retention.”

So, if $130M is not adequate, then what amount should Equifax have had in place? We decided to look at some cost estimates based on studies and models that have previously provided Cost Per Record numbers.

# of Records	Cost Per Record	Estimated Cost	Reference
143,000,000	$0.09	$12,870,000	Verizon DBIR 2015
143,000,000	$0.58	$82,940,000	Verizon 2015
143,000,000	$5	$715,000,000	NetDiligence 2011
143,000,000	$60	$8,580,000,000	Ponemon Direct Cost 2009
143,000,000	$141	$20,163,000,000	Ponemon 2017
143,000,000	$158	$22,594,000,000	Ponemon 2015
143,000,000	$200	$28,600,000,000	Ponemon 2009
143,000,000	$964.31	$137,896,330,000	NetDiligence 2015
143,000,000	$17,000	$2,431,000,000,000	NetDiligence 2016

So, while there are disputes on what the proper cost per record post-breach estimate should be, based on the table above using multiple data points from previous studies, it becomes clear quickly that $130M in coverage would not be sufficient given the amount of data compromised.

Certainly the decision to purchase $130 million or more of coverage was aided by the brokers that placed this coverage and further validated by the financial decision makers within Equifax. It’s also possible this is the most coverage Equifax was able to obtain. What is certain is that there are few companies with more first-hand knowledge than Equifax when it comes to understanding breach response costs.

In fact, Equifax has been a partner of Beazley’s – yes, the very same Beazley that is said to provide the first layer of cyber coverage to Equifax – providing breach resolution and mitigation services on behalf of policyholders since at least May of 2014. What’s more, Equifax describes themselves as data breach specialists, going so far as to say they are “ideally placed to help businesses if they experience a data breach.” With such deep roots in the cyber insurance and breach response industries, Equifax should have been well informed as to potential costs.

The most likely component of a cyber insurance policy to pay out after a breach is the first party, or breach response, coverage. This includes the various costs that are incurred by the impacted organization for things like the forensic investigation, credit monitoring, notification and call center support, and identity protection services – all activities currently underway at Equifax.  Third-party costs have not yet been as impactful as many lawsuits face an uphill battle in proving actual damages from the breach as is evidenced by the failed attempts against Horizon BCBS, Schnucks, and CareFirst.

Assuming Equifax’s cyber coverage includes breach response costs including credit monitoring expenses – which we expect it would assuming that Beazley is the primary carrier – there are two possible ways their carrier can handle subscription cost:

• Pay a lower cost per person and guarantee credit monitoring for all impacted persons; or
• Pay a higher cost per person, but pay only for those persons that sign up for the credit monitoring services.

Given the choice, most organizations lean toward the pay-as-you-go route based on the assumption that breach fatigue is setting in and only a small percentage of impacted persons will take up the offer of credit monitoring, ultimately costing less than the monitoring-for-all option.

What makes the Equifax situation especially curious is that they are offering their own product for identity theft protection and credit file monitoring. As we mentioned previously, Equifax has a partnership in place with Beazley, the alleged primary carrier on the tower. The question immediately comes to mind; does this mean their insurance policy could conceivably reimburse Equifax for the cost of their very own services? What’s more, now that Equifax has decided to temporarily “waive” the cost of a credit freeze, could they go on to seek reimbursement for their “lost” freeze revenue? It’s difficult to conceive of any insurance company writing a check to their customer for the cost of providing their own service, but this may in fact be the case.

If, in fact, Beazley is the primary insurer for Equifax as we believe and more sources are validating, it may be a moot point. It is a common practice among insurers to cap or otherwise limit the amount of coverage provided under the first party cost component. So even with $130 million of limits, it’s conceivable the dollars available to pay for first-party costs is quite a bit less. The popular Beazley Breach Response (BBR) policy has wording that references they can respond to a breach of up to several million records, but it typically carries the caveat that the most the company will pay during the policy period for all Privacy Breach Response Services is $10,000,000. If such a sublimit is in place for Equifax, it is possible the entire amount could be spent on other first-party elements such as the forensic investigation, the cost of notification, the call center expense, and legal fees incurred in the immediate aftermath of the breach. That could raise another conundrum for Beazley’s insurers – whether or not those carriers that are in excess of Beazley would “drop down” to pick up costs exceeding the underlying sublimit.

As has been detailed in this series and by the media at large, Equifax’s handling of the initial breach response has been less than stellar. Much has been made about the role of cyber insurers and how they can bring order to an otherwise chaotic breach situation. For most organizations, having a cyber insurance policy provides excellent response resources with the best pricing possible. Beazley states as much in their promotional materials, touting their experience and in-house abilities that helped handle over 6,000 data breaches:

Given the collective experience of both Equifax and Beazley with data breach response, again, one can’t help but wonder why is it that the response has been so poorly handled thus far and comes across as if they were unprepared for a breach. Did Equifax choose not to involve their primary carrier in the response? If they did, was Beazley’s input disregarded? Who’s running point on the breach response? Another thought is once Beazley was made aware of the Equifax breach, when did they notify the other impacted carriers in the tower and how informed have they been during the process?

Either way, not reporting a breach in a timely fashion or failing to abide by the policy terms and conditions can have serious consequences for Equifax and the amount of insurance ultimately available. Most cyber policies include language requiring insureds like Equifax to report losses “as soon as practicable” after discovering the breach. We know from Cyber Risk Analytics, that Equifax became aware of the incident on July 29th, which means they should have been working with their business partner/insurer Beazley well before the breach was announced on September 7th. Likewise, most policies include clauses requiring the insured to cooperate with the carrier and generally not incur expense without the carrier’s consent. It’s not clear the extent to which such language is included in Equifax’s cyber coverage, but if they have not met their obligations it is grounds for reducing – and possibly even denying – coverage.  

What other costs should Equifax’s cyber insurance policy potentially cover?

Unlike other coverages that tend to be more standardized, cyber insurance policies are unique creations. Even the excess policies that are part of larger insurance tower can be quirky and veer away from the coverage written into the primary cyber insurance policy. That said there are core items included in the vast majority of cyber policies which should help defer breach costs. This list isn’t an attempt to be all inclusive but to provide some thoughts on a few areas.

Defense Costs

• Just because negligence or damages are hard to prove doesn’t mean lawsuits can be ignored. Suits must be defended and defense attorneys costs money. The policy should respond accordingly here.

Forensic Costs

• Complex attacks require complex investigations. Certainly the attackers here spent much time and effort probing systems and escalating their privileges. It’s been reported the attackers used as many as 30 web shells and about 35 IP addresses for accessing the network. The investigation of this size and scope is expensive. Even if Equifax has a pre-negotiated agreement with Mandiant – the same provider they turned to earlier this year for another breach investigation – this is going to end up costing a lot of money.
• This will be covered no doubt, but the extent of how much of the tab will be picked up by insurance is definitely at question. Beazley has provided some great claims data previously, and has highlighted that some of the most expensive parts of dealing with a breach are the Forensic Costs. As such, you can expect to find sub-limits on forensic costs in many policies. If there is a cap in the Beazley policy, and if that very same policy has already paid for Manidant’s investigation of the March event, there may not be much left to cover Mandiant’s fees related to this breach. This is another situation that opens to the door to the question of whether the dollars available to respond are contained in the primary layer of coverage or if the other layers above Beazley will drop down and pick up where the primary coverage ends.

Notification Costs

• Forensics isn’t the only cost driver. Significant expenses can come from notifying impacted persons that their information has been compromised. Equifax initially chose to make the breach known through media outlets rather than send snail-mail notifications. However, since the initial announcement notification letters have begun popping up on breach reporting sites. How many have actually been mailed out is another question. Under many of the data breach laws there are exceptions that can be made for alternative notifications such as when the organization lacks sufficient information to reach a customer by mail.  Since addresses are a part of a person’s credit records, it is very hard to believe Equifax wouldn’t have the information necessary to send letters.
• Once mailings start in earnest, there will obviously be a cost for someone – most likely an attorney – to write the letter, get it printed, stuffed into envelopes, and postage paid. The less obvious cost here is the time it can take for attorneys to coordinate notification across all 50 states. Much like cyber policies themselves, breach notification rules vary from state to state, with different timing requirements and differing requirements for what type of information must be included in the letter. There have been on-again off-again efforts over the years to move to a national breach notification standard but such bills have not made much headway in the past. The Equifax breach might just change that. H.R.3806 has been introduced to establish a national data breach notification standard, and other purposes were introduced on 9/18/2017 by Rep. James Langevin and co-sponsored by Rep. Ted Lieu.

Credit Monitoring & Freezes

• We have already discussed monitoring at length, and it will be interesting to see the costs and how they are handled.
• Typically credit freezes have not been covered by most carriers, so whether or not this made it into the policy is unsure but unlikely.

Call Center

• Any time you have a breach, even a small one, let alone one that impacts 143 million people, you are going to have people that are upset and want to talk to someone on the phone to get their questions answered.
• Cyber policies typically have coverage for crisis communications such as call centers, and the costs are usually based on either per phone call or the amount of staffing that is required.
• Equifax has a call center set up and it had some initial issues (much like the rest of their original breach response) but they stated that they “had tripled the size of its call center team to more than 2,000 agents, with more to be added.”
• No matter how you slice it, by call or by staff, this expense is going to add up quickly. Granted at some point it will slow as call volume decreases and less staff is required.

Regulatory Fines and Penalties

• Whenever there is a statutory obligation to protect data, you can bet there is a governmental agency tasked with enforcing that obligation. Lack of empathy for the victims, perceived lackadaisical security practices, or many millions of people impacted all act as red flags for catching regulators attention and the Equifax breach has all three in spades. So expect a spat of regulatory actions in the coming months. We have seen quite a few similar incidents on the HIPAA/Hitech side, but nothing quite yet on the breach side outside of a smattering of FTC enforcement actions. In a signal of things to come, the FTC did take the unusual step of confirming they have already started an investigation into the breach.
• This breach certainly has the potential to generate punitive fines or penalties from the authorities but it will take some time for those the develop.

PCI Fines and Assessments

• Any time there is a breach including credit cards there is potential for PCI related penalties. Upwards of 200,000 payment card details were also compromised, which should trigger some backlash as to whether Equifax was compliant with the PCI Data Security Standard at the time of the breach. It will take some time for that to be reviewed and any actions to come out of it, but it should be expected. Note that Equifax is on the PCI Security Standards Council.
• There may be costs to reissue credit and debit cards.
• There is also a potential that there will be fraudulent credit card transactions based on a smaller number of compromised credit cards. There are PCI assessments (not a risk assessment) that Equifax could be made to pay and the possibility of charge-backs to cover subsequent fraudulent charges. It should be noted that not all cyber policies in the market have this coverage, so Equifax may be on their own to pay these bills.
• It has been shared that Equifax has violated PCI, since they were historical transactions.

What costs do we not expect the policy to cover or other gotchas Equifax may face?

We have to remember that without seeing the policy wording, it is very hard to know the exact coverage for this tower. But there are some typical things that are not usually covered as well as some “gotchas” that Equifax might experience when they read the find print of their policy.

Company Reputation

• This is a typical ‘no cyber coverage’ for your tarnished reputation or diminished brand value. While there has most certainly been an impact to the Equifax brand, there is nothing they will be able to recover from their policy. There may be some crisis management coverage to assist with the costs for the firm they have retained to help them clean up there image, but they will not be able to claim a monetary amount for their bruised reputation.

Stock Fluctuations

• There is typically no cyber coverage for this type of issue.

Valuation Impact

• There is typically no cyber coverage for this type of issue either. While Equifax has lost approximately $4B in valuation since the breach, there will be nothing that the cyber policy will do to help recover this loss, not to mention that the stock may recover in the coming year.

Co-insurance Clauses

• There are situations where the policy wording will be exactly what is needed for an organization, and even on the declarations page the coverage limits are what you believe are proper as well. But buried in the policy you will find a co-insurance clause hidden. This has been something that has been notoriously overlooked and companies that believe they have a certain amount in coverage, come to the unfortunately realization that yes they do have that amount, but they are required to pay a certain percentage of the costs as well.

Exclusions

• In some cases carriers will add exclusions to their policies for coverages that they feel are high risk. Given that Equifax may have been considered a higher hazard class of business there may have been some additional coverages that were not included that would normally be covered for other classes or business.

Sublimits

• Sub-limits are commonly used to help control coverage parts that are deemed to be more risky or likely to be exhausted more quickly than others. Sub-limits will be an area to watch closely as they could dictate how much additional coverage in the tower is available after the first layer is exhausted.

What other Equifax insurance coverage in place might respond?

As we have written about previously, there is a big difference between a Cyber Insurance Policy and General Liability or other professional liability lines. There have been quite a few cases that made it clear there would be no cyber coverage under other types of insurance, and then of course other rulings that left the door open for potential coverage. A company the size of Equifax is sure to have other insurance policies and with the massive impact this has already incurred, they will most likely be looking at all of the coverage in place to see what other assistance outside of the dedicate cyber tower they can find – including their General Liability (GL) policy, Errors & Omissions (E&O), and Directors and Officers (D&O) policies. We wanted to take a moment to discuss the D&O potential and share some thoughts.

• D&O coverage definition from Wikipedia:
  • Directors and officers liability Insurance (often called “D&O”) is liability insurance payable to the directors and officers of a company, or to the organization(s) itself, as indemnification (reimbursement) for losses or advancement of defense costs in the event an insured suffers such a loss as a result of a legal action brought for alleged wrongful acts in their capacity as directors and officers. Such coverage can extend to defense costs arising out of criminal and regulatory investigations/trials as well; in fact, often civil and criminal actions are brought against directors/officers simultaneously. Intentional illegal acts, however, are typically not covered under D&O policies.
• We aren’t currently aware of what D&O policy or tower may be in place. We have asked around but haven’t had any feedback yet. If you have some insight that you would like to share, send us a message!
• There is a good change that they have a D&O tower in place, as it makes sense for a publicly traded company like Equifax to carry this coverage.
• There are quite a few things that have come out about the Equifax breach that will lead to the questions regarding what the Executives have done or not done (even ignored!) as it relates to this breach.
• There have apparently been warnings to Equifax about issues for quite some time it appears with no action. One item that was publicly shown was that there were security issues with how the pins were issues using the timestamp.
• The impact to the company has been massive already, with a staggering $4B valuation drop, and the potential is larger with the forecasted losses moving forward.
  • There may be several lawsuits related to the notion that the executives didn’t invest in security heavily enough or response to documented issues putting the company at risk.
• We have covered that the executives that sold stock right before the breach and how that was viewed as very sketchy and potentially illegal. We knew it was coming and as expected, there is now a criminal investigation being conducted by the SEC. While a D&O policy may exclude this at some point (ie: criminal activity) they for the most part with provide defense costs.

Does Equifax have any reasonable excuse or defense that this breach occurred?

If you have ever read any of our Data Breach QuickView reports, you know that data breaches continue to happen at alarming rates. There is no organization that is immune to a breach, and many companies that take security very seriously can still find themselves in an unfortunate situation. As more pressure mounts against Equifax, we wanted to provide some thoughts on how we believe things will play out as they try to defend themselves.

• If you ask consumers or any person you speak to for that matter, basically the verdict has been decided – there is no excuse from Equifax and people are genuinely angry.
• While the courts will ultimately decide the outcome, it is pretty clear that Equifax is in an uphill battle to try to justify their security posture.
• What we have seen so far, we believe it makes it extremely hard for them to defend themselves and convince people that they had in fact implemented the right amount of security.
• Even points that are being heavily used against them such as the failure to patch the vulnerability that opened the door into their system, are in fact decently normal for many other companies, it’s just too hard to convince someone that it is acceptable (and let’s be honest it really isn’t!)
• While they had a Chief Security Officer (CSO), which is always a good thing, there are too many signs that an information security program was not properly implemented.
• On the topic of the CSO, some are pointing out that her educational background is in music. While those of us in the security industry know that the degree you have means very little for the most part, when explaining this to other professions where a degree carries more weight can be problematic.
• When we look at Cyber Risk Analytics we see that Equifax has been no stranger to previous data breaches, they currently have 18 breaches that we have tracked.
• Patching security vulnerabilities in an environment as expansive as Equifax’s is a herculean task. But just try telling someone that isn’t in IT that a known security patch was available for 4 months and yet Equifax hadn’t gotten around to implementing it throughout their organization. When you see their reaction you know that is how the courts, a jury, and other non-IT people will react, in horror.
• In looking at the timeline of events, it took Equifax 117 Days to notify the public. If they really cared about the victims, wouldn’t they have notified them faster?
• The breach response was so horrible, it creates the appearance Equifax didn’t take it seriously enough to try to protect those affected.

Whether you believe any of these points or not, the list keeps growing and is going to put Equifax in an almost impossible situation trying to justify that they did everything possible to protect those affected by the unauthorized access.

What happens to cyber insurance now that we have had the Equifax breach?

With confirmation that Equifax had a cyber liability insurance policy in place, a breach of this magnitude has been thought to quickly exhaust the policy and will likely lead to a “hardening” of cyber insurance rates. When a breach of this size occurs, for the most part it tends to have an impact on pricing for all buyers and in some cases can lead to insurance carriers halting coverage for certain classes of business.  

Hard Cyber Market

• In the insurance world the words Hard and Soft Market get tossed around all the time. In a “soft” market, the appropriate price for coverage is difficult to get, with competition between carriers driving down prices as they fight to write the same business. Cyber insurance is much like the rest of the industry for the most part has been in a “Soft Market” for a long time. When there are substantial losses, pricing “hardens” as competition wanes. In other words, it is an opportunity for carriers to increase their rates. It is unclear that this is one of those events. With so many other breaches occurring with no effect on pricing, we don’t believe that the Equifax breach will change rates nearly as much as it should.

Increased Cyber Insurance Adoption

• The current adoption of cyber insurance has been slow thus far but increasing, but when reviewing the market as a whole the numbers are still very low. There is a long way to go until cyber insurance is fully accepted and furthermore, widely purchased.
• With the rise of Ransomware we have seen a lot more questions and interest in cyber insurance this year, and specifically it has been rumored that after WannaCry the market would increase pretty dramatically.
• 2017 has had more than its share of big events. If ever there was a wakeup call for companies to integrate cyber insurance, 2017 is it. Leaders can no longer claim they didn’t hear the alarm! To be fair, we seem to say this a lot!

We have long supported cyber insurance as a valuable tool for helping to mitigate the financial fallout of a data breach and a valuable resource for companies when they have to respond to a data breach. Like most complex contracts, all insurance policies come with terms and conditions that can influence how much is paid once the dust settles. That said, it should be a key element of every risk manager’s strategy for data breach response and recovery. Only time will tell where this particular aspect of the Equifax story will lead but we expect there will be substantial costs.  It will be interesting to follow further disclosures when it comes to their exact expense line items and more specific how much of those actual costs will be offset by Cyber Liability insurance.

What we can say for sure is that, at this point, there are enough questions swirling around the curious nature of Equifax’s coverage that it probably won’t make a good example for the cyber insurance coverage. Any bashing of cyber coverage based solely on the Equifax experience would be misguided.

Updated Timeline, Phishing, Regulation, and a Roundup

There continues to be fallout after the Equifax breach reported on September 7th. Here are some of the highlights and focused topics.

Running Timeline (Updated)

As the events continue to unfold, people are taking an increased interest in the amount of days that passed between two events, such as the days between when the vulnerability exploited by attackers was disclosed and the date the weakness was fixed. Known as the “time to patch”, this metric centers around how long it takes for the organization to determine, at least in their minds, the company was diligent in addressing the vulnerability. To help everyone with this, we’ll be maintaining a running timeline of the events with references. This is our first update to the timeline with additional dates and events.

• 2017-02-14 – Apache notified of the vulnerability (ref: email between Flashpoint / Apache)
• 2017-02-18 – Apache assigns a CVE ID (ref: email between Flashpoint / Apache)
• 2017-03-06 – Apache announced and released upgrade to resolve vulnerability (ref)
• 2017-03-07 – Vulnerability published in VulnDB (ref)
• 2017-03-07 – Exploit published (ref)
• 2017-03-10 – MITRE opens up CVE ID with description and 7 references (ref)
• 2017-03-10 – NVD adds to their database via CVE. No updates since (ref)
• 2017-03-10 – Alleged Equifax breach occurred according to recent reporting (ref)
• 2017-03-14 – CERT releases advisory on vulnerability (ref)
• 2017-03-14 – Equifax says they are aware of the vulnerability (ref)
• 2017-05-13 – Equifax breach occurred, per statement from the company (ref)
• 2017-07-29 – Equifax detected breach (ref)
• 2017-07-30 – Equifax patched the vulnerability (ref)
• 2017-08-01 – Equifax CFO and President of US Information Solutions sold stock shares (ref)
• 2017-08-02 – Equifax President of Workforce Solutions sold stock shares (ref)
• 2017-08-02 – Equifax contacted Mandiant to help with incident response (ref)
• 2017-08-10 – Equifax acquires ID Watchdog, an identity theft protection service provider (ref)
• 2017-09-07 – Equifax notified public of breach (ref)
• 2017-09-07 – First class-action lawsuit filed against Equifax (ref)
• 2017-09-15 – Equifax CSO & CIO ‘retire’ (ref)
• 2017-09-19 – Massachusetts AG files lawsuit against Equifax (ref)
• 2017-09-20 – Equifax names interim CSO & CIO (ref)

Equifax Specific Metrics

• Equifax time to patch: 138 Days
• Equifax time to notice compromise: 78 Days
• Equifax time to notify public: 117 Days

Apache Struts Software Vulnerability Metrics

As more information becomes available about the Struts vulnerability we also continue to track detailed timelines in our VulnDB service. Flashpoint created a framework called Vulnerability Timeline and Exposure Metrics (VTEM) that defines and provides guidance for vulnerability timeline tracking and metric calculations to assist in the evaluation of vendors and products to better understand an organization’s exposure.

We know that that ‘Struts-Shock’ vulnerability had the following key metrics:

• Vendor Response Time – To demonstrate the vendor’s response time from being informed about an issue to responding to a researcher. This is only the initial response, but not an automated response.
  • Unknown (Apache did not include that in the timeline they sent us.)
• Time to Patch – To demonstrate the vendors response time from being informed of a vulnerability until to having a working fix published for customers.
  • 20 days
• Time to Exploit – To demonstrate the amount of time from when vendor provided the solution until an exploit became publicly available.
  • 1 day

Overall, we have tracked a total of 75 vulnerabilities in Apache Struts, with eight vulnerabilities not having a CVE ID assignment.  

We looked at the overall VTEM Metrics for Struts and wanted to call attention to two specific metrics. The first is Vendor Response Time; while we don’t have the dates to calculate it for the Struts-Shock vulnerability, we can see that the Apache Foundation on the whole is very responsive to researchers that contact them. While the sample size is low, only seven vulnerabilities out of the 75 can we calculate a metric, we see that on average it takes them just one day to respond. That is great to see! We can also see that the Struts-Shock was fixed much quicker (20 days) than it typically takes since their average is 92 days.

Equifax Breach Earlier Than Initially Stated?

The Wall Street Journal published an article based on a leaked preliminary report by Mandiant, who was brought in to determine the scope and method of the Equifax breach. The report, summarized in the article, alleges several new aspects of the breach that are interesting:

• Mandiant says the first evidence of hacker “interaction” occurred on March 10th, considerably earlier than May 29thas Equifax originally stated.
• Between May 13th and late July, the intruders accessed sensitive information “stored in databases in an Equifax legacy environment”.
• The intruders also compromised two systems that support Equifax’s online dispute application.
• The attackers set up “about 30 web shells” (a method of keeping persistent access to a compromised host) that were accessed from around 35 “distinct public IP addresses”.
• According to Mandiant, the attackers methods and tools do not match any “threat actor group” it tracks, and does not “overlap with those seen in previous investigations by the firm”.

It is difficult to say why there is such a large discrepancy between compromise dates given by Equifax and Mandiant. One possibility is that Equifax’s internal teams found evidence going back to May 29th, while Mandiant’s team who has more experience investigating breaches found evidence going back to March 10th. Another possibility is that the first intrusion into the system took place in March but the data itself was not compromised until May, prompting Equifax to report the date of data compromise instead of the first occurrence date. Regardless, with this type of compromise and presence of that many web shell backdoors, it is making more people wonder exactly what FireEye’s security products were supposed to protect them from if not 0-day vulnerabilities (Struts-Shock) and the web shells.

Perhaps the most confusing part of this recent development is Equifax’s lack of clarity around the March event. They have been adamant in claiming that these were two separate breaches. Indeed, an Equifax subsidiary, Equifax Workforce Solutions also known as TALX, was breached earlier this year in March. The attackers were able to guess at – and reset – account administrators PINs, and by doing so gain access to W2 details on thousands of individuals. If in fact this is the March event Equifax is referring to, then there is reason to believe it is unrelated to the May intrusion.  

However, according to Bloomberg, Equifax said the “March breach was not related to the hack that exposed the personal and financial data on 143 million U.S. consumers, but one of the people said the breaches involve the same intruders.” This statement simply does not make sense. Looking back at the timeline, they confirmed the method of compromise and the dates show that a single attacking group/person could have kept access and consistently gained access to more servers and information. If the March intrusion is not the TALX event, then nothing published so far explains how this would be “two separate breaches” and why that claim is justified if the same actor(s) were involved the entire time.

Equifax Recommends Phishing Site to Victims

On the day Equifax announced the breach, they set up a website (equifaxsecurity2017.com) to help inform customers of what happened and provide resources. As we mentioned in a previous blog, it is a given that criminals would set up similar domains to carry out phishing attacks and other scams (here’s a handy list). What no one expected is that Equifax, via its Twitter account, started directing people to one of the bogus sites (securityequifax2017.com). Fortunately for Equifax, that particular scam site was set up by security researcher Nick Sweeting to help prove the point of using such websites after a breach. Even worse, Equifax has been directing people to the bogus site since September 11th and just removed those Tweets on the 19th. ArsTechnica wrote more about this dreadful mistake, as did CNN.

Bob McMillan points out that the actual domain Equifax set up is hard to find. If you Google for a common term that an ordinary person might search for, that site doesn’t appear on the first page. Even as Equifax learns their lessons with the Tweets, they are still sending out emails with multiple domains which “continues to train people to fall for phishing scams” according to Brian Krebs.

Data for Sale Again? Tracking the Alleged Criminals.

The first claim from criminals purporting to sell stolen Equifax data turned out to be false. In recent days, a second claim has appeared on the Dark Web (equihxbdrjn5czx2.onion). Like the first, someone claims to have the Equifax data and will crowdsource the money they want to publicly release the data. Security researcher ‘Krypt3ia’ posted about this development along with his doubts (note: that link is safe despite Chrome’s warning). Steve Ragan also expressed his doubts, saying the sample data had been previously released, suggesting it came from a prior breach.

Someone who goes by ‘AKM’, or @037 on Twitter, posted a blog titled “How Equifax got Hacked” which claims to give further information about the hack, supports the new claim of Equifax data being sold, and offers a variety of screenshots as evidence. This blog is based on their conversation with the alleged hackers, where AKM was able to ask questions and share the answers. However, Brian Krebs points out that the screenshots mentioned are likely from an Equifax partner, not Equifax itself. Zack Whittaker posted a thread on Twitter reminding everyone of accepting such claims without verification and more digging.

Is Government Regulation the Answer?

After a large computer breach a question that comes up with increasing frequency is that of government regulation. If companies operated under security regulations set forth by the government, would this prevent breaches? Security blogger Bruce Schneier wrote on this topic, concluding “if you want to prevent this kind of thing from happening again, your only solution is government regulation”. Over the entire blog however, he doesn’t offer any compelling argument supporting this statement other than the age-old “raise the cost” through fines. As mentioned in a previous blog of ours, the General Data Protection Regulation (GDPR) shows promise to put a financial burden on companies that may change their tolerance of breaches. With that going into effect in 2018, the talk of government regulation is a no-brainer, more so than the last decade it has been brought up.

More interesting is that Anna Slomovic, the Equifax Chief Privacy Officer (CPO) for three years until January, 2014, agrees. In a blog post, she says “given the nature of credit reporting, only action by the Congress and diligent regulatory oversight will lead to a better balance for consumers in the long term.” This statement is more telling coming from an Equifax insider who had to face the fallout of their security practices for three years. Even the National Retail Federation says that a uniform data breach law must be enacted; while that would certainly be helpful, that only helps after a breach has happened as conforming to a unified law is considerably easier than adhering to more than 50 separate state laws. But note, in 2017, the U.S. government hasn’t even standardized breach notification, let alone put forth more strict regulations.

That said, it is difficult for some of us at RBS to really understand this logic in the bigger picture. First, the security and payment card industry has tried to self-regulate via the Payment Card Industry Data Security Standard (PCI-DSS)standards which mandate a certain level of security. While many in the industry feel it is essentially the “no child left behind” of security standards, it is exactly the kind of regulations the U.S. government might put forth.

Second, the industry is already drowning in security regulations, many put forth by the U.S. government. In addition to PCI-DSS, depending on your business and industry, you may fall under the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes Oxley Act (SOX), Federal Information Security Management Act of 2002 (FISMA), Electronic Fund Transfer Act Regulation E (EFTA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and more. Have any of these regulations or standards, or a combination of them, truly made an organization safe? With so much government regulation already in place, it is difficult to understand how generic statements of “we need government regulation” have any merit without proposing something more specific.

Third, and finally, how has government regulation worked for other industries? Specifically, think about big banks and Wall Street that routinely breaks laws or regulations, as the fines and ‘punishment’ they face are part of their bottom line and expected. Think about the energy industry and the massive oil spills that still do irrevocable harm to our environment and the ‘punishment’ they receive. Years after these companies flagrantly break rules and regulations, and sometimes the law, we see summaries like this; “None of the charges against individuals resulted in any prison time, and no charges were levied against upper level executives.”

With the credit bureaus having incredible financial resources, does anyone think that they don’t already have an incredible lobby? We’ve previously covered Equifax spending upwards of $500,000 in a year lobbying Congress to change the law in their favor. If more regulations appear that would impact them, we can also expect to see them increase their lobbying budget. So, do we feel that government regulation would have prevented the Equifax breach, or most other breaches? Do we think that such regulation, if enacted, would stop breaches from happening? No.

Update Roundup

As in previous updates, we’d like to share some of the other bits and new developments in a more succinct manner:

• The New York Times published a piece saying that the Equifax hack will “lead to little, if any, punishment”. Based on historical incidents, it’s hard to argue this.
• Brian Krebs points out that Equifax still appears to be in the dark ages regarding user web browser requirements when visiting their site. They may want to consider that no modern user runs Netscape.
• Maura Healey, Massachusetts Attorney General, filed a lawsuit against Equifax for failing to “develop, implement, or maintain a [comprehensive information security program] that met the minimum requirements of the state’s Data Security Regulations”.
• After the Equifax CSO and CIO “retired” following the breach, the company has named an interim CIO (Mark Rohrwasser) and CSO (Russ Ayres). Following the now ‘retired’ CSO and CIO, Equifax’s CEO, Richard Smith, has also announced he is ‘retiring’ which some call an ‘appeasement’ for regulators.
• In the running theme of Equifax having poor security, researchers have pointed out that their servers have a variety of problems related to security headers. Additionally, their credit report monitoring website is also said to be vulnerable to hacking.
• In the irony department, The Reg dug up material produced by Equifax showing that a survey they conducted revealed 74% asked thinks that a breach notification should come within hours or the same day.
• For those impacted by the breach, many are reporting problems while trying to set up credit freezes.

Wrap-up

After recently going for nearly 24 hours without seeing any mention of Equifax on Twitter, it feels like this incident has finally wound down, perhaps fallen out of people’s memory already. Since it has been almost a month since our last update, we’re overdue to give a round-up, and possibly a wrap-up in this blog series. While it has been some time since the last blog, there have certainly been no lack of interesting developments!

Running Timeline

Here are some updates since the last timeline we posted, with additional events for easy reference. 

2017-02-14	Apache notified of the vulnerability (ref: email between Flashpoint / Apache)
2017-02-18	Apache assigns a CVE ID (ref: email between Flashpoint  / Apache)
2017-03-06	Apache announced and released upgrade to resolve vulnerability (ref)
2017-03-07	Vulnerability published in VulnDB (ref)
2017-03-07	Exploit published (ref)
2017-03-10	MITRE opens up CVE ID with description and 7 references (ref)
2017-03-10	NVD adds to their database via CVE. No updates since (ref)
2017-03-10	Alleged Equifax breach occurred according to recent reporting (ref)
2017-03-14	CERT releases advisory on vulnerability (ref)
2017-03-14	Equifax says they are aware of the vulnerability (ref)
2017-05-13	Equifax breach occurred, per statement from the company (ref)
2017-07-29	Equifax detected breach (ref)
2017-07-30	Equifax patched the vulnerability (ref)
2017-08-01	Equifax CFO and Pres. of US Information Solutions both sold stock shares (ref)
2017-08-02	Equifax President of Workforce Solutions sold stock shares (ref)
2017-08-02	Equifax contacted Mandiant to help with incident response (ref)
2017-08-10	Equifax acquires ID Watchdog, an identity theft protection service provider (ref)
2017-09-07	Equifax notified public of breach (ref)
2017-09-07	First class-action lawsuit filed against Equifax (ref)
2017-09-15	Equifax CSO & CIO ‘retire’ (ref)
2017-09-19	Massachusetts AG files lawsuit against Equifax (ref)
2017-09-20	Equifax names interim CSO & CIO (ref)
2017-09-24	Equifax CEO ‘retires’ (ref)
2017-09-27	Equifax names interim CEO (ref)
2017-10-03	Equifax CEO Smith testifies to U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection (ref)
2017-10-04	Equifax CEO Smith testifies to Senate Committee on Banking, Housing, and Urban Affairs (ref)

Equifax Specific Metrics

• Equifax time to patch: 138 Days
• Equifax time to notice compromise: 78 Days
• Equifax time to notify public: 117 Days

Highlights of the Fallout

On October 12, an Equifax web site was found to be serving up adware via a malicious Flash Player download according to Ars Technica. A security researcher who had noticed questionable things on his credit report visited the Equifax site to find that his browser opened up a new tab recommending an Adobe Flash download. Instead of the new tab loading an Adobe web page, it loaded an alternate URL. That site, instead of delivering Adobe Flash, delivered the Adware.Eorezo malware. After investigating, Equifax says that the adware was served up due to a third-party vendor, not a compromise of an Equifax server.

This is another reminder to the digital world of the risk that suppliers play and also why many people are increasingly using ad-blockers. Not to be outdone, TransUnion’s Central America website was also found redirecting users to malware. Earlier this month, news broke that the Internal Revenue Service (IRS) awarded a multi-million dollar fraud-prevention contract to Equifax. Equifax would help the IRS verify taxpayer identities in an effort to help prevent tax-fraud. The IRS was to pay Equifax $7.25 million to verify taxpayer identities and help prevent fraud under a no-bid contract issued, even as lawmakers lash the embattled company about a massive security breach that exposed personal information of as many as 145.5 million Americans.

Twitter user @alfredwkng offered some explanation about this ordeal before news came out that the IRS temporarily suspended the contract with Equifax. As expected, the now-ex CEO of Equifax Richard Smith was summoned to testify in front of the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection on October 3rd and then the Senate Banking Committee on October 4th.

During the testimony, Smith made several claims that were interesting and questionable to say the least. First, he confirmed that the compromised data wasn’t encrypted (which is a violation of PCI regulations). On the suspect side, he also blamed the entire data breach, some 145 million records, on a single IT employee. He stated that one employee did not install a single patch and that caused the entire breach. While at some really low level that may technically be true, throwing one person under the bus is disingenuous to say the least.

IT programs should never have a single point of failure like that for starters. As Troy Hunt comments, the one person not patching supposedly led to the breach, caused executives to sell shares, caused Equifax to create a dodgy site for consumers afterwards, and everything else? While Smith’s testimony was not very helpful and about what many expected, it did provide some amusement. Someone dressed as Rich Uncle Pennybags from the Monopoly board game photobombed parts of the testimony.

As mentioned, Richard Smith is now the ex-CEO of Equifax, announcing his ‘retirement’ after the hearings. Despite there being a clause in Smith’s severance contract saying they have the ‘right’ to withhold his retirement package, that doesn’t seem to have occurred. According to The Hill, he is expected to collect around USD $90 million for his work there, which “adds up to about 63 cents for each customer who was potentially exposed in the company’s data breach”. The SEC filing with details on his severance terms is available if you are curious about the exact details.

The Lawsuits Keep Coming

As expected, more than 30 state law-enforcement authorities have launched investigations into the Equifax breach, as well as cities such as San Francisco and Chicago. Also no surprise, another multi-state class action lawsuit has been filed against Equifax. Doing a PACER search, as of October 25th, there have been 576 lawsuits filed that pertain to Equifax. Unfortunately it does not make it immediately clear how many suits are filed by or against Equifax, but we’re pretty sure a majority are against.

Additional Details on the Breach

Knowing the initial compromise vector of a breach is pretty rare. Companies tend not to publish precise technical details as to how a breach happened despite that information being of great value to other organizations. As such, any technical information about the attack and how the compromise occurred is welcomed by the Information Security industry. Since the breach became public, more information has come out about the compromise. In an article covering the breach, Bloomberg reported on some of the signs that suggest it was carried out by a Nation-state rather than an individual or single group

[..] as the attack escalated over the following months, that first group—known as an entry crew—handed off to a more sophisticated team of hackers. [..] The handoff to more sophisticated hackers is among the evidence that led some investigators inside Equifax to suspect a nation-state was behind the hack. Many of the tools used were Chinese, and these people say the Equifax breach has the hallmarks of similar intrusions in recent years at giant health insurer Anthem Inc. and the U.S. Office of Personnel Management; both were ultimately attributed to hackers working for Chinese intelligence.

While the current attribution and method of attack doesn’t appear to be disputed, Cory Doctorow wrote an article for BoingBoing that points out another bit of interest:

One thing we can attribute the breach to, though, is bungling. Equifax and Mandiant — its independent security contractor — got into “a squabble” just as the hackers were breaking into Equifax’s systems, and by the time everything had been smoothed over, the attackers had installed 30 web-shells in Equifax’s systems, any one of which would allow attackers to have free run of Equifax’s data.

This tidbit has a healthy dose of irony, as Mandiant is well-known for attributing attacks to the Chinese. While there wasn’t any further details published that described the “squabble”, it is odd to hear that their involvement at Equifax helped create an atmosphere that let Chinese hackers in, further, that certainly doesn’t provide any confidence for customers. Bloomberg also covered one other small detail that didn’t get a lot of attention but is certainly interesting:

Besides amassing data on nearly every American adult, the hackers also sought information on specific people. It’s not clear exactly why, but there are at least two possibilities: They were looking for high-net-worth individuals to defraud, or they wanted the financial details of people with potential intelligence value.

Finally, and while it may not be directly related to Equifax, Chris Nickerson pointsout that the recent Deloitte breach, or their involvement, may have contributed to the Equifax breach. Since Deloitte is/was an auditor for Equifax, it makes you wonder if information obtained from Deloitte was used in the Equifax attack or low standards and poor auditing practices was a contributing factor. 

Perhaps the biggest story to break recently is from Lorenzo Franceschi-Bicchierai at MotherBoard, who said that Equifax was warned that due to a vulnerability on their site, a researcher was able to access information on every Equifax customer. Worse, the data was not encrypted and did not require anything more than a pedestrian web-based vulnerability known as ‘forced browsing’. That was one of many vulnerabilities that they discovered including some that granted full access to some Equifax servers. After reporting the issues to Equifax, it took them six months to take the vulnerable site down, leaving that information exposed for anyone else that knew the basics of web app testing and poked at the server.

Update Roundup

Here is a laundry list of quick updates:

• Equifax has since updated its estimates on the number of Brits impacted. Rather than ~ 400 thousand as originally reported, it appears that number is closer to 15.2 million. The current tally of Americans affected is believed to be up ~ 2.5 million, for a total of 145.5 million. Additionally, the information that was leaked may include your salary history according to Brian Krebs.
• Eric Geller from Politico said that Rob Joyce, Special Assistant to the President and Cybersecurity Coordinator, National Security Council, is considering ways to replace the Social Security Number. That is a hefty challenge of course.
• Dan Goodin reminds us that both Equifax and Experian are still making it very difficult for consumers to get a simple credit freeze. On a more positive note, Bloomberg reports that the new Equifax CEO, Paulino do Rego Barros Jr., will offer free credit locks for life. Consumers should also look at their state laws. For example, Twitter user Lucky225pointed out to us that the Colorado Revised Statutes has a section (5-18-112) that states “A consumer reporting agency may not charge a fee for a consumer’s first request to place a security freeze on his or her consumer report.”
• On August 8, CIO Magazine’s Amy Bennett named Equifax Chief Information Officer (CIO) Dave Webb as one of the top 100 CIOs of 2017for “delivering better business results”.
• In the “never let them live this down” department, Twitter posted a job opening for a Senior Application Security Engineer and listed one amusing requirement, which was highly debated: Undergraduate degree or equivalent; music composition degree preferred. Of course, Equifax’s social media team still hasn’t scrubbed some of their own Tweets from the day of the breach announcement, thus keeping the irony alive.
• For those still looking for ways to protect themselves from the breach, make sure you read the fine print! According to the LA Times, LifeLock is offering to protect you… by selling you their service provided by Equifax.

Here are a few updates related to the stock price of Equifax, a follow-up aspect of breaches many are interested in:

• On September 22, an analyst at Wells Fargo has upgraded Equifax from “Market Perform” to “Outperform” status, following a 31% drop in share price since the first breach announcement. The upgrade was made based on “an attractive entry point for this high-quality consumer credit franchise.” While that may be attractive to those who participate in stocks, we assume consumers would like to go a few days without seeing how people are profiting off the breach, including Equifax, while the average consumer suffers.
• Despite the Wells Fargo upgrade status, just two days later shares of Equifax were down 2% more after the new executive chairmen of the board was announced. More curious is that 2% drop prompted share trading in Equifax to be halted, despite being down 25% since the disclosure of the breach. No indication of who halted the trading or why.
• As we have seen historically with many breaches, the initial stock value of the breached entity tends to take a significant hit shortly after the announcement. But in time, often in a matter of months, stock prices tend to slowly climb back to the original price, sometimes higher. Looking at a 3-month snapshot of Equifax, that pattern seems to be emerging.

We will keep tracking the Equifax breach as who knows what new twists and turns await us! But for the most part we don’t expect additional frequent updates at this point.

Manage vulnerabilities with Flashpoint

Sign up for a free trial and see how quality intelligence empowers a vulnerability risk management program, allowing your security teams to prioritize and remediate what really matters.