Remember how Equifax exposed 143 million people to what might be the worst security breach ever? Of course you do. I’ve been saying all along that Equifax has been kind of shady about telling folks about this. Equifax knew about this breach back in July, but we just found out about it last week. Well, there’s something that Equifax has been keeping from us, and I’m not exactly surprised. Equifax learned that the hackers took advantage of a security flaw in the Apache Struts Web Framework. It was this that allowed the hackers to remotely execute code onto Equifax’s system. The bug was revealed in March, along with recommended patches to fix it. Clearly, Equifax didn’t move quickly enough on this, and the result might be catastrophic for some.
I’ve used that word a lot lately. Mostly to describe the impacts of the recent hurricane’s that we’ve been seeing in the south. I think the term is typically used when referring to a physical threat. However, the impacts from the Equifax breach may not be physical, but they could have a negative impact on people. And not just some people, possibly 143 million people. Equifax had the following to say:
Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.
Another interesting piece to all of this, Ars Technica reported that Apache Struts is a “framework for developing Java-based apps that run both front-end and back-end Web servers”, which are extremely popular with financial institutions. Which leads me to wonder how many other institutions are potentially at risk because of this? To clarify, Equifax found out about the possible issue in March, and they did apply a patch at the time. But it wasn’t long until hackers began exposing that vulnerability, and it wasn’t until May that Equifax officially learned about this breach. What’s incredible to me is that this was two full months after they knew about the breach. AND, it had an easy fix.
So what does this actually mean? I guess nothing at this point. There isn’t anything that you can do, other than file a lawsuit. What I’m getting at is that not only did Equifax expose millions of Americans to this leak, but it did so kind of intentionally. Don’t you think? If I get a notification on my computer that says I need to update something. And if said update exposes me to a virus, I have options. The first being that I can apply the update to save my information from being exposed in someway. Or I can choose not to and then I run the risk of getting a virus or whatever the case may be. But that’s my risk, one that I get to choose to take or not to take.
This is a really simple example, but what I’m trying to get at is this idea of risk. Equifax took a huge risk, and not with their own data necessarily. But with the data of millions of Americans. And data that is extremely sensitive. Social Security numbers, names, addresses and even Drivers License data. All made available to hackers, which they knew about. They knew that this was an issue, and they chose to take that risk. I’ve mentioned this several times, but what about the executives that were allowed to sell shares at the end of July? How does that look now? I would say worse. Worse because now we know that they had at least two months to make the decision to sell. As opposed to just days. Which appears more calculated to me.