Equifax breach: Catastrophic, but no game changer yet

Equifax breach: Catastrophic, but no game changer yet

This article was originally published in Forbes.

I hate to say I told you so…well, actually, like most people, I love to say I told you so. I’m just willing to admit it.

Because the state of software security a year after the catastrophic data breach of Equifax became public, basically confirms what I wrote last October: It would generate lots of sound and fury, but wouldn’t signify any game-changing improvements.

Actually, the breach occurred 16 months ago, and Equifax—one of the “big three” credit reporting agencies—discovered it in late July. It just didn’t acknowledge it publicly until Sept. 7—hence a flurry of “anniversary” stories last week.

The breach compromised crucial personal data of more than 147 million people—the Social Security numbers of nearly all of them, plus name, address, birthdate, gender, driver’s license and phone number of fewer of them, but still in the dozens of millions.

A month after that, Congressional committees were taking turns beating up on deposed Equifax CEO Richard Smith. You might remember US Rep. Joe Barton (R-TX) suggesting that Smith might have, “paid a little more attention if you had to pay everybody whose account got hacked a couple thousand bucks or something.”

Sen. Elizabeth Warren (D-Mass.) declared that, “senior executives like you should be held personally accountable.”

And you might recall Judiciary Committee Chairman Chuck Grassley’s (R-Iowa) declaration that it was “long past time” to create federal standards for how companies like Equifax secure their data.

Which would mean it is now almost a year past “long past time.”

There were even congressional promises to create a national breach notification law governing how and how quickly companies must notify anybody whose personal information is stolen in a breach. That would have overridden the current jumble of state laws on the issue.

But it was mostly theater—which is mostly what committee hearings are. Since then, any legislative initiatives have stalled and there have been no government sanctions on the company or its leaders.

Indeed, Smith told committee members that Equifax considers its customers to be banks and other businesses—not the consumers who are required to hand over their PII (personally identifiable information) if they want to get a loan.

And, as has been clear for decades, banks and other businesses tend to have much more sway with government than consumers.

So, I wrote last fall, “Chances are that a year from now, the world of data security will perhaps have been tweaked, but not fundamentally changed. Congress will have moved on to some other outrage. And 145.5 million people will definitely not have each received a $2,000 check from Equifax.”

Some other outrage? Check. Can we all say “Cambridge Analytica” or (Supreme Court nominee) “Brett Kavanaugh”?

No government sanctions on Equifax in general, or any of its executives? Check. By February, there were multiple reports that an investigation of the company by the Consumer Financial Protection Bureau (CFPB) had stalled—it wasn’t doing any of the things that would be expected, such as issuing subpoenas to top management.

The CFPB disputed that, saying the investigation was ongoing, but if it is, there doesn’t appear to be much urgency to it.

Same, apparently, for the Federal Trade Commission (FTC), which said a year ago that it had opened an investigation into the breach (it is highly unusual for the commission to acknowledge an investigation), but there haven’t been any announcements since then.

An FTC spokesperson, Juliana Gruenwald Henderson, said this week the agency had “no additional comment at this time.”

And, as the Atlanta Journal-Constitution (where Equifax is headquartered) noted, “The agency has since named as chief of its consumer protection division a lawyer who has represented Equifax.”

Yes, there have been lawsuits, charges of insider trading against two top executives, and some in top management besides Smith are no longer there. The new chief information security officer, Jamil Farshchi, told Wired magazine in July that the company has invested $200 million on data security infrastructure.

Which is a lot of money at one level, but only 1.4% of the net worth of a $13.8 billion company.

Meanwhile, Smith “retired” with a $90 million payday. And there has been nothing punitive from allegedly outraged government officials.

Even though this was a breach vastly more damaging than compromised credit cards, since those numbers can easily be changed. One sardonic tweet at the time declared that everybody should immediately change their name, date of birth, address, gender and Social Security number.

And even though it should surprise nobody that the Identity Theft Resource Center is out with a report this week that says the main impact is on consumers—that besides feeling angry and violated, they feel “fear…worry, anxiety…annoyance, frustration, powerlessness and helplessness” about the risks of identity theft and their finances being looted.

Finally, what about the world of data security? There are always ongoing tweaks, but Equifax was not a game changer.

Indeed, that breach happened because the company had failed to install a patch that had been available for two months, for a vulnerability in Apache Struts, a popular open source web software. A year later, numerous companies have failed to patch that same bug.

“I’d love to say that Equifax was a turning point in application security,” said Tim Mackey, technical evangelist at Black Duck by Synopsys, “but the 2018 OSSRA (Open Source Security and Risk Analysis) report showed that of the analyzed code bases containing Apache Struts, a third of them still contained a version vulnerable to the same bug that impacted Equifax.

“It’s fair to conclude that a lack of awareness of precisely what’s in a given software application and its ‘stack’ is part of the problem,” he added. “Put another way—you can’t patch what you don’t know you’re running.”

True enough. And if there is anything encouraging about all this, it is that there continue to be major advances in software security—tools that can help any organization know what it’s running, and then find and fix the bugs that put them at risk.

But you have to use them. And in the case of Equifax and numerous other firms, they aren’t even installing patches that are, in effect, handed to them.

It doesn’t cost anywhere near $200 million to do that.

What future catastrophic data breaches are hiding in your code?

Find out.

*** This is a Security Bloggers Network syndicated blog from Software Integrity authored by Taylor Armerding. Read the original post at: