Equifax: Greed, Lies and Apache STRUTS
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
As of this morning, more than 30 lawsuits have been filed in the U.S. against Equifax, including one charging the company with securities fraud. It is likely that many of the similar claims will be consolidated into one big nationwide case.
The New York Attorney General, along with the attorneys general of Connecticut, Illinois and Pennsylvania, has launched an investigation into the incident. And in an uncharacteristically rapid response, the House Energy and Commerce Committee and the Financial Services Committee have announced hearings. All of this, and it has only been a few days since the breach announcement by the credit giant.
In addition to the galactic stupidity the Equifax team has demonstrated throughout this debacle, we have learned about some likely game-changing implications. We know that 143 million names, Social Security numbers, birth dates and addresses, and in some instances driver's license numbers, were stolen by the attackers.
The most significant implication is that using Social Security numbers for ID in the future is useless. All 143 million of us should assume our personal data is out in the web-o-sphere, and we should assume the thieves are busily creating billions of dollars in loan docs with our identities as you read this.
To make matters worse, Equifax’s breach notification website is being flagged as a phishing site by many Cybersecurity software tools, which automatically block users from reaching it. This should not surprise anyone, unless you happen to be part of the Equifax IT team, who somehow don’t understand that registering your site with a free, shared CloudFlare SSL certificate provides zero security assurance. Why the site wasn’t registered with an Extended Validation Certificate, which is used by ALL HTTPS (for “secured”) sites to prove that the legal entity controlling the site is who it claims to be, is beyond me.
But in case your company gets breached and you need to set up a breach notification website, please do register the site with an EV cert. At the very least, you will demonstrate that you understand something about Cybersecurity.
Then there are the disgustingly cynical marketing tactics. Instead of humbly apologizing for the heinous and criminally negligent failure to protect your personal and sensitive information, Equifax tries to sell victims past and present a “TrustedID Premier” account, which for $20 a month gives you exactly the same thing you can get for free.
Based on feedback from several people who have tried this, it actually doesn’t allow you to enroll immediately, but adds further insult to injury by asking you to come back on a specific date.
This is an amazing display of chutzpah, matched only perhaps by the non-apology from the soon-to-be-indicted CEO and Chairman, Rick Smith, who actually said: “I've told our entire team that our goal can't be simply to fix the problem and move on. Confronting cybersecurity risks is a daily fight. While we've made significant investments in data security, we recognize we must do more. And we will. We recently discovered a cybersecurity incident involving consumer information. Once discovered, we acted immediately to stop the intrusion.”
Well, yes, I guess … but the intrusion was long over by the time you noticed it, so technically I suppose you “stopped it.” The problem was the six weeks between “stopping” it and telling your 143 million victims that their entire identities had been stolen, and that they had a questionable future in store trying to wrestle back their good credit and get out from under fraudulent loans that had gone into default in their names.
I don’t think saying that “Oh you know, it was that Equifax thing,” is going to cut it.
And speaking of technology, based on a review of their site, it looks like their troubles began with a curious blend of IBM’s WebSphere, Apache Struts and Java, which I didn’t think anyone other than maybe your local library branch used anymore. As of yesterday, some white hats have found at least one cross-site scripting vulnerability which Equifax has still not patched. But the attack is unlikely to have exploited an XSS vulnerability; it probably used an RCE and a SQL injection instead. Either way, just executing basic application scanning and testing would have exposed the flaws and highlighted the vulnerabilities. This isn’t rocket science, just good Cybersecurity basics 101.
Rick Smith, chairman and CEO of Equifax, is now, however, doubling down on his stooge act by blaming the Apache software for the breach. In an interview yesterday with an analyst at an investment banking firm, Smith said, “The breach was perpetuated via the Apache STRUTS flaw”, sounding as if he might actually know what he was talking about. If that is the case, then the rest of the Fortune 100 companies that use the STRUTS open source software platform, like Lockheed Martin, Citigroup, Vodafone, Virgin Atlantic and Office Depot, had better watch out.
What an insane thing to say.
It is clear that none of this could be HIS fault. It was the technology. It was those idiots in IT. It was the difficulty of waging a daily war that no one can be expected to win against Cybersecurity risk. It was the unfair media attention. It might have been the Russians. We seem to live now in an era where no one needs to take responsibility for anything.
But I suspect that Mr. Smith and his execs are about to discover that a new version of Cyber-liability is about to be applied to them and they will deserve every last inch that the law will deliver.
Enterprise Architect : Requirements Engineer : Systems Integration : Knowledge Operations : Solutions Consultant
Indeed Steve, it is (always) the "difficulty of waging a daily war that no one can be expected to win against Cybersecurity risk."