Senior officials at many organizations are able to escape the fallout from data breaches, at least publicly. However, when the breach reaches a certain size some firms have to show the public they’re taking the catastrophe seriously.
That appears to be the case at Equifax, which announced at the close of last week that chief security officer Susan Mauldin and chief information officer David Webb have retired. Mark Rohrwasser, who has led the credit scoring company’s international IT operations, is now interim CIO, and Russ Ayres, who was vice-president of IT, is now the interim CSO reporting to Rohrwasser.
The change comes after Equifax admitted that a threat actor had used a server with an unpatched Apache Struts vulnerability in May to gain access to personal data of more than 143 million consumers. Most of them are Americans. However, the U.K. division of the company says data on 400,000 of its customers may have been exposed.
Struts is a free open-source framework used for creating Java web applications.
In its Sept. 15 statement, Equifax says its security team knew about the vulnerability when it was disclosed in early March by US-CERT (the United States Computer Emergency Readiness Team) and “took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.”
Equifax says its investigation is still ongoing, but it has not explained why at least one of the company’s servers was left unpatched.
Meanwhile, officials at Equifax Canada are still not saying how many Canadians may have had their data exposed. According to CBC News, the Canadian Automobile Association (CAA) is notifying 10,000 Canadian members as a precaution that the breach may involve their data. That’s because it partnered with Equifax for the CAA’s identity protection program, and those who signed up for it would have had their personal data stored in the U.S.
The CAA deal with Equifax expired July 1, but by then it is believed the breach had already started.
One expert quoted by Global News also noted that Canadians who might have been affected include those who live and work in the U.S. They might have had their credit history pulled in Canada for various reasons, such as when applying for a U.S. credit card, or by a potential employer or landlord.
The admission that the attack vector was an unpatched Apache Struts vulnerability first made public through a fix in March — and Equifax figures the attack began in May — further highlights that holes and patches for Web applications and their related infrastructure have to be watched by the C-suite and their security staff. In a quarterly report last week Positive Technologies, which makes an application firewall, says customer data shows cross-site scripting accounted for just over 39 per cent of application attacks in Q2, with SQL injection attacks adding another 24.9 per cent.
The report includes a brief description and screenshot of the Apache Struts vulnerability Equifax fell victim to. It allows attackers to execute arbitrary code on a server by sending a crafted Content-Type HTTP header: instead of a normal media type, the header carries an expression that the vulnerable framework evaluates while handling the malformed request.
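As an added example (not code from the article, from Equifax, or from the Positive Technologies report), the following Python script shows the kind of check a security team could run over proxy or WAF request records to spot this class of attack. The Struts flaw in question (Apache advisory S2-045, CVE-2017-5638) is triggered by a Content-Type value that is not a valid media type at all but an OGNL expression, so the detector first flags any Content-Type containing OGNL expression markers and then, separately, any value that does not parse as an RFC 7231 media type. The request records, the header layout and the allowlist grammar below are the example’s own constructed assumptions, not real Equifax traffic.

```python
import re

# --- Allowlist: what a legitimate Content-Type looks like (RFC 7231 media-type) ---
# token chars per RFC 7230; note that '#', '$' and '%' are legal token characters,
# so the grammar alone will not catch a payload that happens to stay inside tokens.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
PARAM = rf"\s*;\s*{TOKEN}=(?:{TOKEN}|{QUOTED})"
MEDIA_TYPE_RE = re.compile(rf"^{TOKEN}/{TOKEN}(?:{PARAM})*\s*$")

# --- Denylist: OGNL expression markers seen in Struts S2-045 style payloads ---
# '%{' and '${' open an OGNL expression; the other fragments are the usual
# sandbox-escape plumbing. Checked before the grammar so a payload hidden inside
# a quoted parameter (which the grammar would accept) is still caught.
OGNL_RE = re.compile(r"[%$]\{|#_memberAccess|@ognl\.|@java\.lang\.")


def classify_content_type(value):
    """Return (verdict, reason) for one Content-Type header value."""
    if not value:
        return ("ok", "absent")
    if OGNL_RE.search(value):
        return ("suspicious", "ognl-markers")
    if not MEDIA_TYPE_RE.match(value):
        return ("suspicious", "malformed-media-type")
    return ("ok", "wellformed")


def scan_requests(requests):
    """Run the classifier over request records and return one alert per hit."""
    alerts = []
    for req in requests:
        ct = req["headers"].get("Content-Type")
        verdict, reason = classify_content_type(ct)
        if verdict == "suspicious":
            alerts.append({
                "src": req["src"],
                "path": req["path"],
                "reason": reason,
                "content_type": ct[:80],  # truncate so the alert itself stays readable
            })
    return alerts


# Constructed sample records (hypothetical; not real traffic). Shape assumed:
# one dict per request with the source address, path and a headers mapping.
SAMPLE_REQUESTS = [
    {"src": "192.0.2.10", "path": "/dispute/upload.action",
     "headers": {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryabc123"}},
    {"src": "192.0.2.11", "path": "/dispute/status.action",
     "headers": {"Content-Type": "application/json"}},
    # Textbook S2-045 shape: the whole header is an OGNL expression that merely
    # mentions multipart/form-data so the multipart parser is invoked and fails.
    {"src": "203.0.113.5", "path": "/dispute/upload.action",
     "headers": {"Content-Type": "%{(#_='multipart/form-data')."
                                 "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
                                 "(#cmd='whoami')}"}},
    # Same markers tucked inside a quoted parameter: grammar-valid, still flagged.
    {"src": "203.0.113.6", "path": "/dispute/upload.action",
     "headers": {"Content-Type": "multipart/form-data; boundary=\"${(#x='y')}\""}},
    # Malformed but not obviously OGNL: empty boundary, still worth a look.
    {"src": "198.51.100.7", "path": "/dispute/upload.action",
     "headers": {"Content-Type": "multipart/form-data; boundary="}},
]


if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_REQUESTS):
        print(f"{alert['src']} {alert['path']} {alert['reason']}: {alert['content_type']}")
```

The order of the two checks matters: the grammar check alone would have accepted the fourth record, because a quoted parameter may contain almost anything, while the marker check alone would miss the fifth. In a real deployment the grammar allowlist will produce some noise from unusual clients, so the malformed-media-type verdict is better routed to a lower-severity queue than the ognl-markers one, and detection is no substitute for applying the Struts fix itself.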
“After vulnerabilities have been detected and made public, many web applications remain vulnerable due to failure to stay up to date with system updates and patches,” the vendor says. “Attackers are quick to make use of newly published vulnerabilities, weaponizing them within days.”
In its updated timeline of the attack Equifax says that on July 29 its security team saw suspicious network traffic associated with its U.S. online dispute portal web application. That traffic was blocked, but when the suspicious activity continued on July 30 the affected web application was taken offline. After investigating, the vulnerability in the Apache Struts web application framework was found.
A forensic firm was called in for detailed analysis. On Sept. 7 Equifax announced there had been a breach and that there would be a support package for affected customers, including free credit monitoring and identity theft insurance.
The attack is far from being buried. In the U.S. Congress the House Committee on Science, Space, and Technology, and the House Committee on Oversight and Government Reform are going to investigate. Equifax CEO Richard Smith will testify before a House panel on Oct. 3. There is also a probe underway by the Federal Trade Commission.
In Canada the federal privacy commissioner’s office is also looking into the breach.