Days of Our Stolen Identity: The Equifax Soap Opera
By Kate Donofrio, Senior Associate, Schellman & Co.
The Equifax saga continues like a soap opera, Days of Our Stolen Identity. Every time it appears the Equifax drama is ending, a new report surfaces confirming additional security issues.
On Thursday, September 12, NPR reported that Equifax took down their website this time based on an issue with fraudulent Adobe Flash update popups on their site, initially discovered by an independent security analyst, Randy Abrams. Did the latest vulnerability mean Equifax continued with their inadequate information technology and security practices, even after being breached? Or is it an even worse possibility, that their machines were not completely remediated from the original breach?
As it turns out, Equifax claimed they were not directly breached again, rather one of their third-party service providers responsible for uploading web content to Equifax site for analytics and monitoring was at fault. According to Equifax, the unnamed third-party service provider uploaded the malicious code to their site. It appears the only thing Equifax has been consistently good at is placing blame and pointing a finger in other directions.
Equifax needs to take responsibility after all they hired the service provider, are responsible for validating compliance of their service provider’s actions within their environment, and still hold the overall responsibility of their information. This is a huge lesson for any company who attempts to pass blame to a third-party.
For those that have not been keeping track, below demonstrates a rough timeline of the recent Equifax scandal:
- Mid-May 2017 – July 29, 2017: Reported period where Equifax’s systems were breached and data compromised.
- July 29, 2017: Equifax identified the breach internally.
- August 1 and August 2, 2017: Executives dumped $1.78 million worth of Equifax stock: Chief Financial Officer, John Gamble ($946,374); U.S. Information Solutions President, Joseph Loughran ($584,099); and Workforce Solutions President, Rodolfo Ploder ($250,458).
- September 7, 2017: Equifax released a public statement about the breach of over 145 million U.S. consumers’ information, 209,000 credit cards, and other breaches of non-US citizen information.
- September 12, 2017: Alex Holden, founder of Milwaukee, Wisconsin-based Hold Security LLC, contacted noted cybersecurity reporter, Brian Krebs, on a discovered security flaw within Equifax’s publicly available employee portal in Argentina. The Equifax portal had an active administrative user with the User ID “admin” and the password set to “admin.” For those of you who may be unaware, the admin/admin username and password combination is regularly used as a vendor default, and often a combination tried by users to break into systems. The administrative access allowed maintenance of users within the portal, including the ability to show employee passwords in clear-text. 
- September 14, 2017: On his blog, Krebs on Security, Brian Krebs posted an article referencing a non-public announcement Visa and MasterCard sent to banks, which stated that the “window of exposure for the [Equifax] breach was actually November 10, 2016 through July 6, 2017.” (Note: Equifax still claims the breach was one big download of data in Mid-May 2017, and that the November dates were merely transaction dates.)
- September 15, 2017: Visa and MasterCard updated the breach notification to include social security numbers and addresses.  They found that the breach occurred on the Equifax’s site where people signed up for credit monitoring.
- September 15, 2017: Equifax Chief Information Officer, David Webb, and Chief Security Officer, Susan Mauldin retired, effective immediately.
- September 19, 2017: Equifax admitted they tweeted out a bogus website address at least seven times; for instance, promoting “securityequifax2017.com” instead of the correct site, “equifaxsecurity2017.com,” and thus sent customers to the wrong site. Software engineer Nick Sweeting took the opportunity to teach Equifax a lesson and created an identical site at the incorrect “securityequifax2017.com” with a scathing indictment banner at the top of the page: "Why did Equifax use a domain that's so easily impersonated by phishing sites?"
- September 29, 2017: CEO, Richard F. Smith stepped down, though he was expected to walk away with roughly $90 million.
- September 29, 2017: Astonishingly, the Internal Revenue Service (IRS) awarded Equifax a sole source contract (not publicly bid) for roughly $7.25 million to perform identity verifications for taxpayers. Just in case you were not lucky enough to be a part of the recent Equifax breach, the IRS is giving you another “opportunity.”
- October 3, 2017: During testimony with House Energy and Commerce Committee, former Equifax CEO, Richard F. Smith, blamed one person in his IT department for not patching the Apache Struts vulnerability and for the entire breach.
- October 10, 2017: Krebs on Security reported the number of UK Residents hacked was 693,665, not the initial 400,000 disclosed.
- October 12, 2017: Malicious Adobe Flash code was found on Equifax’s website. Equifax blamed a third-party service provider for feeding the information to the site.
- October 12, 2017: IRS temporarily suspended Equifax’s contract over additional security concerns.
This is not the first time Equifax has been involved in a breach of customer information. On September 8, 2017, Forbes released an article detailing prior breaches, including one in May 2016 that leaked personal information of 430,000 records of grocer Kroger’s employeesfrom an Equifax site that provided employees with W2 information. That breach was attributed to attackers determining PIN numbers utilized for site access to break into accounts and steal information. PIN numbers consisted of the last four digits of an employee’s social security number and their four-digit birth year.
More information keeps surfacing as Equifax continues to simultaneously be scrutinized for their every move and targeted by security personnel and hackers alike. A huge question remains how a company managing the information of so many people, who was certified compliant under several different certifications, including PCI DSS, SOC 2 Type II, FISMA, ISO/IEC 27001:2013 to name a few, could be so negligent.
From my experience, there are a lot of large corporations out there with the mentality that they are just too big to fail or to comply one-hundred percent. I have heard echoing of this mantra repeatedly over the years, and every time, it makes you want to scream “you are too big not to comply!”
However, history has proven, a lot of these big corporations are in fact too big to fail. Sure, Equifax is going to be continuously under scrutiny, fined, sued, and have their name dragged through the mud. However, at the end of the day, they will still be managing the information for millions of people, not just Americans, and business will continue as usual. They will be the butt of jokes and the subject of discussion for a while, but then the stories will start to fall behind other major headlines and soon all will be forgotten.
The reality is the Equifax saga is nothing new to consumers, and Equifax joins the likes of Target, Home Depot, Citibank, and many other companies who had their name plastered within headlines for major data breaches.
The compromises made some consumers think twice about using these companies, or using a credit card at their locations, but time moves on and eventually convenience always beats security. Each of the companies compromised took a financial hit at the time, but years later they are still chugging away, some with record profits. Sure, the damage made them reorganize and rethink security going forward, but why is it that consumers must suffer first before these large companies take steps to protect them? While millions of consumers could be facing identity theft or financial compromise due to the Equifax breach, Equifax's executives cashed out large amounts of stock, took their resignation, and will move on to the next company or retire off their riches.
What is the big picture here? Is it true what Equifax's ex-CEO said on the stand, that one member of their information security team caused this huge compromise of data? Of course not, and by the way it was ludicrous for a CEO to place blame on one member of their IT staff. The truth is companies attempt to juggle their personal profit with the company’s security. Let’s be honest, most of the time information security spends revenue without a return. The only time a return is realized is when a company mitigates a breach and that information is not often relayed across an organization.
The damages incurred by consumers and even other businesses due to data breaches far outweigh the penalties the negligent companies face. The Federal Trade Commission claims that recovering from an identity breach averages six months and 200 hours of work. If only 10% of those involved in the Equifax breach have their identities compromised, using average U.S. hourly earnings, that would equate to roughly $77 billion in potential costs to the American people (14,500,000 people * 200 hours * $26.55 = ~$77 billion). These are just averages and there are horror stories detailing people fighting for years to clear up their identity.
Overall, there needs to be more accountability and transparency in what these corporations are doing with consumer data. Most of these companies are going through endless audits covering different regulations and compliances, yet it does not seem to matter, as breaches continue to rise in number.
As other countries are progressively moving forward with reforms for the protection of personal information of their residents, such as the European Union’s General Data Protection Regulation (GDPR), the US continues to blindly stumble along, refusing to take a serious look at these issues. The amount of money these companies are profiting off the data they collect is ridiculous, and when they have a breach, the fines and other punishments are a joke.
It’s time for things to change, as no company should be able to just say, “whoops, sorry about that” after a breach and move on.