The Equifax Hack: 6 Months Later, What Did We Learn?

When news broke that credit rating agency Equifax had been breached, resulting in the theft of personally identifiable information (PII) records, it seemed like the company was yet another victim in a long line of organizations to have been successfully targeted by hackers.

However, this case was different than the others. We soon learned that this was the largest single breach in history, with an initial 143 million records being reported, a number that later grew to over 145.9 million as more details were uncovered later down the line.

For those who follow breaches — how they occur and the responses to them — Equifax was a perfect storm where everything that could go wrong did, all with fantastically catastrophic results for all involved.

In the time since the breach was announced back in September 2017, a lot of pixels have been discolored describing the events, piecing together a timeline for us and painting a picture of how chaotic this has been.


The Timeline

According to the SANS Institute, a leading publisher in the security space, the U.S. CERT disclosed the vulnerability in Apache Struts2 on March 10, 2017. It was at this time that the CVE was posted to the National Vulnerability Database (NVD).

Apparently working around the clock, the good folks over at the Apache Foundation were able to release a security update that worked as a patch for the vulnerability already on 19 March, barely over a week later.

Nearly two months later, according Equifax’s own statements, the company believed that the compromised records were first accessed by the hackers on May 13, 2017. This means that they were left unprotected for just under two whole months after the patch had become available, giving the attackers a very wide open window to carry (Read more...)

*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Blog – WhiteSource. Read the original post at: