
Group 1

Equifax suffered a major data breach in 2017 that exposed the sensitive personal information of 143 million US consumers. Hackers exploited a vulnerability in Apache Struts software that Equifax failed to patch for two months despite the availability of a fix. The breach had massive negative impacts, including financial costs of hundreds of millions of dollars, lost stock value of $4 billion, and significant reputational damage to Equifax. Key mistakes that contributed to the breach were lack of proper patch management processes, insufficient security controls like defense in depth, and failure to properly implement intrusion detection systems. Moving forward, Equifax needs to focus on effective cybersecurity practices like comprehensive vulnerability management and limiting administrative privileges.

Uploaded by

Aris

Equifax Data Breach Analysis

Linlan Chen
Rouying Tang
Mustafa Aydin
Somayeh Keshtkar
Khawlah Alswailem
Adam M Joskowicz

Agenda
▸ Equifax Background
▸ What Happened?
▸ How Did It Happen?
▸ Impact to the Business
▸ Missing Controls
▸ Recommendation
▸ References
Equifax background and industry

Achievements for the company

▸ Top 100 American Banker FinTech Forward list (2015-2016)

▸ Top Technology Provider on the FinTech 100 list (2004-2016)

▸ InformationWeek Elite 100 Winner (2014-2015)

▸ Top Workplace by Atlanta Journal Constitution (2013-2017)

▸ One of Fortune’s World’s Most Admired Companies (2011-2015)

▸ One of Forbes’ World’s 100 Most Innovative Companies (2015-2017)


Information

▸ Names
▸ Social Security numbers
▸ Birth dates, addresses
▸ In some instances, driver’s license numbers
▸ Credit cards
Company Timeline
What happened?

▸ On Sept. 7, 2017, Equifax discovered that an application vulnerability on one of its websites led to a data breach that exposed
▸ The breach was discovered on July 29
▸ Equifax suffered one of the largest data breaches ever, affecting about 143 million consumers in the US. The UK and Canada were affected as well
▸ 209,000 people’s credit card numbers and 182,000 people’s personal identifying information were stolen
How did it happen?

▸ Tool called Apache Struts
▸ Equifax was aware of the vulnerabilities
▸ Took a long time for the vulnerability to be identified and to be patched
▸ A month to alert its customers and shareholders about the hack
Root Cause of the Issue

Attackers entered Equifax's system in mid-May through a web-application vulnerability that had a patch available in March.
The vulnerability that attackers exploited to access Equifax's system was in the Apache Struts web-application software, a widely used enterprise platform.
The CVE-2017-5638 Apache Struts vulnerability is the root cause behind the Equifax data breach.
Root Cause of the Issue

“Patching can take time, even for large corporations with dedicated security staff, which Equifax presumably had.”
The process of patching the flaw isn’t as simple as just downloading.
▸ Vulnerability Identification and Patch Acquisition
▸ Risk Assessment and Prioritization
▸ Patch Testing
▸ Patch Deployment and Verification
The Equifax data compromise was due to Equifax's failure to install the security updates provided in a timely manner.

Consequences | Impact to the business


▸ Impact on Consumers:
▹ 143 million US consumers:
▹ Social Security Numbers
▹ Drivers’ License Numbers
▹ Birthdates
▹ Addresses
▹ Credit Card Numbers
▹ Affecting at least 44% of American Population
▹ Equifax added that 209,000 credit card numbers were stolen, in addition to "certain dispute documents with PII for approximately 182,000 U.S. consumers."
▹ Others in the U.K. and Canada were also impacted, but Equifax hasn't said how many.
Consequences | Impact to the business
▸ Financial Loss
▹ Estimated: After insurance, costs tied to dealing with crisis could run between
$200 million and $300 million.
▹ According to attorneys in Chicago:
▹ Equifax will pay more than $1 billion
▹ Most of the cash going directly to those affected.
▹ Offering 12 months free Trusted ID Premier credit monitoring

▸ Investors
▹ Wall Street has rendered an estimate:
▹ $4 billion lost stock market value
▹ Equifax shares have dropped over 20%
▹ Investors are bracing for lawsuits, lost business, and increased regulation.
▹ Three Equifax top executives sold shares in company days after breach was
discovered, but not announced...
Consequences | Impact to the business

▸ Reputational Loss

▹ CFO: John Gamble Jr.
▹ Workforce Solutions President: Rodolfo Ploder
▹ U.S. Information Solutions President: Joseph Loughran
▹ Combined, sold nearly $2 million in shares in the company days after cyber attack

▹ Congressional Scrutiny
▹ Justice Dept, SEC Holding Open Investigation
▹ Multiple Hearings
▹ Ex CEO Richard Smith set to testify before four separate congressional committees
Consequences | Impact to the business

▸ Eric Schneiderman, NY Attorney General
▸ Took action publicly and privately
▸ One of many public figures that publicly criticized Equifax on the weak apology as well as the embedded language.

Missing Controls

1. Patch Management Governance

Patch management should be based on an assessment that balances the security and
down time risk of a security breach with the cost, disruption and availability risks
associated with frequent and rapid deployment of software patches.

Missing Controls

2. Defense in Depth
Using a typical web application architecture without enough defense in depth.
The web application has full read and write access to the underlying data store. The web
application code is the sole arbiter of access.

Missing Controls

3. Inefficiency of applying IDS (Intrusion Detection System) or IPS (Intrusion Prevention System)

▸ Executives should give power to risk assessment management [teams] and hire reputable third parties to audit their security policies.

▸ Equifax could have patched the vulnerability or received alerts through an IDS (Intrusion Detection System) or IPS (Intrusion Prevention System). Both are built to detect network behavioral changes, so if a company has segmentation in place, they can kill a network connection where needed to avoid losing vital data.

Recommendation

“Effective cybersecurity requires consistent, comprehensive, timely patch management for all of your critical clients, servers, applications, and operating systems.”

The first five of these Controls, listed below, can eliminate the vast majority of cybersecurity
vulnerabilities. And patch management is essential to maintaining secure hardware and
software configurations.
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges
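
An added example (not part of the original slides) of controls 2 and 4 applied to this breach's root cause: it inventories Apache Struts core jars under a directory, including copies bundled inside WAR/EAR archives, and flags versions affected by CVE-2017-5638. The affected ranges are taken from the Apache S2-045 advisory rather than from this page, and the `struts2-core-<version>.jar` naming and the sample files are assumptions.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Affected ranges for CVE-2017-5638 per the Apache S2-045 advisory (not stated
# on this page; confirm against the advisory before relying on them).
AFFECTED = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]
JAR_RE = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)*)\.jar$")
ARCHIVES = (".war", ".ear", ".jar")

def is_affected(version):
    return any(low <= version <= high for low, high in AFFECTED)

def scan_archive(data, label):
    """Yield (location, version) for Struts core jars, recursing into nested archives."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return  # unreadable or empty archive: nothing to inspect
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            match = JAR_RE.search(name)
            if match:
                yield f"{label}!{name}", tuple(map(int, match.group(1).split(".")))
            elif name.lower().endswith(ARCHIVES):
                yield from scan_archive(zf.read(name), f"{label}!{name}")

def scan_tree(root):
    """Return [(location, version, affected)] for every Struts core jar under root."""
    found = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            match = JAR_RE.search(path.as_posix())
            if match:  # loose jar on disk
                found.append((path.name, tuple(map(int, match.group(1).split(".")))))
            else:      # WAR/EAR/other jar: look inside
                found.extend(scan_archive(path.read_bytes(), path.name))
    return [(loc, ver, is_affected(ver)) for loc, ver in found]

def build_sample(root):
    """Constructed sample: a WAR bundling an old Struts plus a loose patched jar."""
    with zipfile.ZipFile(Path(root) / "webapp.war", "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.3.31.jar", b"")
    (Path(root) / "struts2-core-2.5.10.1.jar").write_bytes(b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for loc, ver, bad in scan_tree(tmp):
            print("AFFECTED" if bad else "ok", ".".join(map(str, ver)), loc)
```

A version check by file name finds only unmodified, conventionally named jars; repackaged or shaded copies need a content-based scan.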

CONCLUSION

● Data breach.

We need to pay more attention to protecting confidential information!!!
REFERENCES

http://money.cnn.com/2017/09/16/technology/equifax-breach-security-hole/index.html
http://www.equifax.com/about-equifax/company-profile/
https://en.wikipedia.org/wiki/Equifax
https://www.consumerreports.org/privacy/what-consumers-need-to-know-about-the-equifax-data-breach/
http://eservellc.com/equifax-data-breach-go-wrong
https://www.ivanti.com/blog/equifax-breach-patch-management-cybersecurity/
https://rietta.com/blog/2017/09/18/equifax-defense-in-depth/#equifax-announcement
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=29972

Questions?

THANKS!
