One of the biggest data security and privacy nightmares became real for millions of Americans last week when Equifax, one of the three major credit reporting agencies in the United States, disclosed that attackers had broken into its systems and potentially gained access to the personal information of more than 143 million consumers.
If a September 8, 2017, report from security risk ratings provider BitSight Technologies, obtained by SecurityBoulevard*, is accurate, hints of Equifax slipping in its security efforts have been present for months. In its “BitSight Security Ratings Report for Equifax Inc.,” BitSight graded Equifax an F in Application Security, a D in Patching Cadence and a C in SPF Domains. In the other 11 categories that directly impact BitSight’s Security Ratings, Equifax was graded a B or an A. BitSight Security Ratings measure an organization’s security performance daily and are based on external information.
BitSight defines its application security risk vector as an analysis of security-related fields in the header section of HTTP request and response messages. With its F rating for the past 60 days, Equifax is ranked in the bottom 10 percent of all companies.
For Patching Cadence, BitSight graded Equifax a D, which is in the bottom 30 percent of all companies. BitSight defines Patching Cadence as an evaluation of how many systems in an organization’s network infrastructure are affected by software vulnerabilities and how quickly the company resolved any issues. According to BitSight’s report, the Patching Cadence history for Equifax had steadily trended worse during the past year.
For its comprehensive score during the past year, which is based on BitSight’s overall relative security effectiveness, Equifax’s rating has fallen from 800 to 760. This score has also steadily trended down over the previous 12 months. While BitSight considers a score of 800 to be advanced (the range is 250 to 900), Equifax’s most recent score of 760 is just 20 points above intermediate.
Equifax’s score dropped a handful of points in January, then again in April and once again in July. “An interesting thing about this report is that the score drops one month before the breach,” says a former CISO who has seen the report. “What is so unsettling about Equifax is that they have the money to do good information security, and they have the risk to need to do good information security.”
While Equifax’s overall Security Rating was average for those in financial services, according to BitSight’s analysis, the steady decline in its score this year may have foreshadowed the breach that was to come.
Speculation on the Nature of the Breach
On Sept. 8, the New York Post reported that RW Baird & Co analyst Jeffrey Meuler told the paper that the breach leveraged a flaw in the widely used Apache Struts. Apache Struts is a free, open-source, extensible framework used to build enterprise Java web apps.
The Post reported the analyst was told by a representative from Equifax that the Apache flaw was the vulnerability the attackers used to exploit Equifax’s systems and gain entry.
There’s been no other corroboration of the Apache Struts vulnerability claim, and it hasn’t been confirmed by Equifax. But Equifax’s statement blaming the breach on a web application certainly leaves it open as a possibility. However, if an Apache Struts vulnerability was used in the breach, The Apache Software Foundation was not aware of it as of this weekend. “We are sorry to hear news that Equifax suffered from a security breach and information disclosure incident that was potentially carried out by exploiting a vulnerability in the Apache Struts Web Framework. At this point in time it is not clear which Struts vulnerability would have been utilized, if any,” René Gielen, vice president, Apache Struts, wrote in a blog post.
Equifax Public Disclosure Garners Widespread Criticism
Since news of the breach broke, criticism of Equifax’s handling of the public breach notification has grown intense, from the awkward nature of the announcement to the functioning of its breach response website, www.equifaxsecurity2017.com, and the security PINs consumers are receiving from Equifax as they request a credit freeze.
Immediately after the Equifax data breach site was launched, it was flagged as being a potential phishing threat. In other instances, as independent security blogger Brian Krebs reported, breach victims were provided vague and conflicting information. “In some cases, people visiting the site were told they were not affected, only to find they received a different answer when they checked the site with the same information on their mobile phones,” Krebs wrote.
Additionally, ZDNet’s Zack Whittaker reported that the Equifax breach website designed to tell consumers whether they were affected isn’t validating whether or not the information they provide is legitimate. “The checker, hosted by TrustedID (a subsidiary of Equifax) that millions of users are checking to see if their private information has been stolen doesn’t appear to be properly validating entries. In other words: it is giving out incorrect answers,” he wrote.
If that wasn’t enough reason for many to label Equifax’s breach response an “omni-shambles” or “dumpster fire,” the news that several insiders sold shares after the breach was discovered, but before it was made public, was enough to outrage many more and has many wondering whether the sale of Equifax stock was legitimate.
Bloomberg News first reported that three Equifax managers sold stock before the breach was revealed. “Three Equifax Inc. senior executives sold shares worth almost $1.8 million in the days after the company discovered a security breach that may have compromised information on about 143 million U.S. consumers,” Anders Melin reported. Later, Equifax stated that the three executives had not been informed of the incident ahead of the sale.
While not unexpected, the bad news kept coming in for Equifax. Late Thursday Bloomberg News covered a proposed class-action lawsuit filed in Portland, Oregon, federal court. According to Bloomberg, “users alleged Equifax was negligent in failing to protect consumer data, choosing to save money instead of spending on technical safeguards that could have stopped the attack.”
The bad news didn’t stop there. As Mark Stockley reported at Naked Security, the PINs Equifax is providing to customers who want their credit frozen aren’t actually random, but are based on a timestamp, in the format MMDDyyHHmm, of the exact time the customer requested the credit freeze, making it highly likely an attacker would be able to guess one’s PIN.
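To make the weakness concrete, here is an added example (not code from Equifax, Naked Security or this article) that reproduces the timestamp-derived PIN format described above, compares its effective entropy with that of a properly random 10-digit PIN, and gives a simple audit check a defender could run over a batch of issued PINs. The request time and the sample PINs are constructed for illustration.

```python
import math
import secrets
from datetime import datetime

PIN_LEN = 10
TS_FORMAT = "%m%d%y%H%M"  # MMDDyyHHmm, the format reported by Naked Security


def timestamp_pin(requested_at: datetime) -> str:
    """Weak scheme: the PIN is just the freeze request time, minute resolution."""
    return requested_at.strftime(TS_FORMAT)


def timestamp_pin_bits(window_minutes: int) -> float:
    """Effective entropy once the request window is known: one distinct PIN
    per minute in the window (a whole day is only 1440 candidates)."""
    return math.log2(window_minutes)


def random_pin_bits() -> float:
    """Entropy of a uniformly random 10-digit PIN (about 33 bits)."""
    return math.log2(10 ** PIN_LEN)


def random_pin() -> str:
    """Hardened form: draw from a CSPRNG and zero-pad to a fixed length."""
    return f"{secrets.randbelow(10 ** PIN_LEN):0{PIN_LEN}d}"


def parses_as_timestamp(pin: str) -> bool:
    """True if the PIN decodes as a valid MMDDyyHHmm timestamp."""
    if len(pin) != PIN_LEN or not pin.isdigit():
        return False
    try:
        datetime.strptime(pin, TS_FORMAT)
    except ValueError:
        return False
    return True


def timestamp_fraction(pins) -> float:
    """Audit check: share of issued PINs that decode as a timestamp. Roughly
    0.5% of uniformly random 10-digit strings do; a fraction near 1.0 means
    the generator is leaking the request time instead of using randomness."""
    pins = list(pins)
    if not pins:
        return 0.0
    return sum(parses_as_timestamp(p) for p in pins) / len(pins)


# Constructed sample: a freeze requested on 8 Sept 2017 at 14:30.
EXAMPLE_REQUEST = datetime(2017, 9, 8, 14, 30)
EXAMPLE_WEAK_PIN = timestamp_pin(EXAMPLE_REQUEST)
```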
For those who don’t already know the details of the breach, exposed Equifax data includes names, Social Security numbers, birth dates and driver’s license numbers, as Lucian Constantin reported in our story, “Equifax Data Breach Hits Half of American Consumers.” According to Constantin’s reporting, the credit card numbers of 209,000 individuals have also been exposed, as well as 182,000 dispute documents, which contain additional personal information.
According to Equifax, the breach happened in mid-May and was discovered July 29. Attackers broke in by exploiting a vulnerability in one of the company’s U.S. websites.
“This is a prime example that attackers are going to be able to get in no matter what steps a company puts in place, and as one of the big three reporting agencies Equifax should know that and be prepared,” Brian Vecci, technical evangelist at data protection firm Varonis, told Constantin. “While we don’t have the details at this point, it’s possible that when the attackers got in through a website exploit they may have been able to escalate privileges and behave like an insider. Few companies monitor access to sensitive files, so when attackers breach the perimeter, they can take whatever they want for weeks or months before anyone notices.”
While the details of how this breach occurred are still emerging, and while it may not be the biggest breach in history, based on the information stolen it will go down as one of the most important.
With additional reporting by Lucian Constantin
*Story Updated to reflect that the BitSight Security Ratings Report was not obtained directly from BitSight Technologies. BitSight does not share their ratings publicly and requested Security Boulevard link to the company’s policy on such matters. That policy is available here.