September 21, 2017
Equifax’s two cyber breaches, which exposed about 143 million Americans’ personal information, were the work of hackers who took advantage of a flaw in Apache Struts software. The nonprofit Apache Software Foundation and the U.S. Computer Emergency Readiness Team warned of the bug in early March, but Equifax only alerted its end users on September 7, almost five months later. IT experts say the event highlights the challenges in keeping software current and identifying all potentially vulnerable applications.
The Wall Street Journal reports that, “IT executives say they have drawn lessons from the unfolding Equifax saga and other recent breaches.” The Texas A&M University system includes 14 universities and eight state agencies. According to CISO Danny Miller, “the challenge is to minimize the size and scope of those breaches, and to be honest, not to be the next guy that gets breached.”
He is urging “members of the system to stop using social security numbers as key identifiers of employees and students” and to use instead “universal identifying numbers that have no real value beyond the university, reducing the incentive to steal them.” Miller said the other key is to “focus on application security.”
“We need to … accurately adjudge risk and apply risk management strategies and practices to the higher risk areas and still follow disciplined standards,” he said.
A 2016 Gartner report found that, “cyber and information security were cited less by CIOs as a top priority” as opposed to “technology initiatives such as analytics, cloud services and infrastructure.” But Los Angeles City CIO Ted Ross says its importance on the agenda is rising. “Like insurance or physical security investments, it can be hard to justify the expense and yet those that are breached wished they invested so much more when they had the chance,” he said. “This always raises the question of how much is enough and can be a tricky equation to balance.”
Also in WSJ, Massachusetts’ attorney general Maura Healey filed a suit against Equifax over its “failure to protect consumers’ personal information,” the first “official enforcement action” against the company. Healey alleges that almost three million Massachusetts residents were “potentially compromised by the hack,” and that the company “knew about the vulnerabilities in its system for months.”
Attorneys from Connecticut, Illinois, New York and Pennsylvania are already asking Equifax for information. The Federal Trade Commission and FBI are also investigating the breach, and “more than 300 consumer lawsuits have been filed” this month, many “bringing their claims under the Fair Credit Reporting Act, a 1970 federal law that imposes data-security requirements on consumer-reporting firms.”
Equifax reports the company is now “in regular communication and cooperating with federal agencies, regulators and state attorneys general,” and “has also agreed to provide testimony to Congress.”
Bloomberg says that Equifax “announced the retirement of two of its top security executives on Friday.” Because the company executives knew about the breach in March, those who made “a series of unusual stock sales … could be vulnerable to charges of insider trading.” Sources report that the U.S. Justice Department is investigating these sales. “New questions about Equifax’s timeline” will also play an important role in light of the “crush of lawsuits being filed against the Atlanta-based company.”
Hackers Entered Equifax Systems in March, The Wall Street Journal, 9/20/17