Days of Our Stolen Identity: The Equifax Soap Opera
Blog Article Published: 10/26/2017
By Kate Donofrio, Senior Associate, Schellman & Co.

The Equifax saga continues like a soap opera, Days of Our Stolen Identity. Every time it appears the Equifax drama is ending, a new report surfaces confirming additional security issues. On Thursday, October 12, NPR reported that Equifax took part of its website offline, this time over fraudulent Adobe Flash update popups on the site, initially discovered by independent security analyst Randy Abrams. Did the latest incident mean Equifax continued its inadequate information technology and security practices even after being breached? Or is there an even worse possibility, that its machines were never completely remediated after the original breach?

As it turns out, Equifax claimed it was not directly breached again; rather, one of its third-party service providers, responsible for uploading web content to the Equifax site for analytics and monitoring, was at fault. According to Equifax, the unnamed provider put the malicious code on Equifax's pages. It appears the only thing Equifax has consistently been good at is placing blame and pointing a finger in other directions. Equifax needs to take responsibility: after all, it hired the service provider, it is responsible for validating what that provider does within its environment, and it still holds overall responsibility for its information. This is a huge lesson for any company that attempts to pass blame to a third party: a vendor that can push content onto your site is part of your attack surface, and the breach is still yours.

For those who have not been keeping track, below is a rough timeline of the recent Equifax scandal:
- Mid-May 2017 – July 29, 2017: Reported period where Equifax’s systems were breached and data compromised.
- July 29, 2017: Equifax identified the breach internally.
- August 1 and August 2, 2017: Executives dumped $1.78 million worth of Equifax stock: Chief Financial Officer, John Gamble ($946,374); U.S. Information Solutions President, Joseph Loughran ($584,099); and Workforce Solutions President, Rodolfo Ploder ($250,458).
- September 7, 2017: Equifax released a public statement about the breach, initially put at roughly 143 million U.S. consumers' information (later revised to 145.5 million), 209,000 credit card numbers, and limited personal information of certain UK and Canadian residents.
- September 12, 2017: Alex Holden, founder of Milwaukee, Wisconsin-based Hold Security LLC, contacted noted cybersecurity reporter Brian Krebs about a security flaw in Equifax's publicly reachable employee portal in Argentina. The portal had an active administrative account with the user ID "admin" and the password "admin." For those unfamiliar, admin/admin is a common vendor default and one of the first combinations anyone probing a login page will try. The administrative access allowed maintenance of users within the portal, including the ability to display employee passwords in clear text.
- September 14, 2017: On his blog, Krebs on Security, Brian Krebs posted an article referencing a non-public announcement Visa and MasterCard sent to banks, which stated that the “window of exposure for the [Equifax] breach was actually November 10, 2016 through July 6, 2017.” (Note: Equifax still claims the breach was one big download of data in Mid-May 2017, and that the November dates were merely transaction dates.)
- September 15, 2017: Visa and MasterCard updated their alert to note that Social Security numbers and addresses were also exposed, and that the compromised data came from the Equifax site where consumers signed up for credit monitoring.
- September 15, 2017: Equifax Chief Information Officer, David Webb, and Chief Security Officer, Susan Mauldin retired, effective immediately.
- September 19, 2017: Equifax admitted they tweeted out a bogus website address at least seven times; for instance, promoting “securityequifax2017.com” instead of the correct site, “equifaxsecurity2017.com,” and thus sent customers to the wrong site. Software engineer Nick Sweeting took the opportunity to teach Equifax a lesson and created an identical site at the incorrect “securityequifax2017.com” with a scathing indictment banner at the top of the page: "Why did Equifax use a domain that's so easily impersonated by phishing sites?"
- September 29, 2017: CEO, Richard F. Smith stepped down, though he was expected to walk away with roughly $90 million.
- September 29, 2017: Astonishingly, the Internal Revenue Service (IRS) awarded Equifax a sole source contract (not publicly bid) for roughly $7.25 million to perform identity verifications for taxpayers. Just in case you were not lucky enough to be a part of the recent Equifax breach, the IRS is giving you another “opportunity.”
- October 3, 2017: In testimony before the House Energy and Commerce Committee, former Equifax CEO Richard F. Smith blamed a single person in his IT department for failing to patch the Apache Struts vulnerability, and thus for the entire breach.
- October 10, 2017: Krebs on Security reported that the number of UK residents affected was 693,665, not the initial 400,000 disclosed.
- October 12, 2017: Malicious Adobe Flash update code was found on Equifax's website. Equifax blamed a third-party service provider for pushing the code to the site.
- October 12, 2017: IRS temporarily suspended Equifax’s contract over additional security concerns.
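The Argentina portal entry above (an admin/admin account, and a screen that showed employee passwords in clear text) is the kind of thing a routine audit of the user store should catch before an outsider does. The following is an added example, not code from the original article or from Equifax: a small Python audit that takes an exported user store and flags accounts that accept a known vendor default pair, accounts whose password is their own username, and accounts whose password is stored in clear text. The sample user records, the salted SHA-256 storage scheme and the default-credential list are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample user store (not real Equifax data). "scheme" is how the
# portal stores the secret: "plain" is clear text, as the Argentina portal
# exposed; "sha256" is salted SHA-256, assumed here as a stand-in for whatever
# hashing a real portal uses (bcrypt/scrypt/argon2 would be the sane choice).
def _sha256(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()

_SALT = bytes.fromhex("0badc0de0badc0de")  # constructed salt

SAMPLE_USERS = [
    {"user": "admin", "scheme": "plain", "secret": "admin"},
    {"user": "jdoe", "scheme": "plain", "secret": "Winter2017!"},
    {"user": "operator", "scheme": "sha256", "salt": _SALT,
     "secret": _sha256("operator", _SALT)},
    {"user": "mfernandez", "scheme": "sha256", "salt": _SALT,
     "secret": _sha256("c0rrect-h0rse", _SALT)},
]

# Vendor/default pairs that anyone probing a login page tries first.
DEFAULT_PAIRS = [
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("administrator", "administrator"), ("root", "root"), ("guest", "guest"),
]


def verify(record: dict, candidate: str) -> bool:
    """Return True if `candidate` is the password for `record`."""
    if record["scheme"] == "plain":
        return hmac.compare_digest(record["secret"], candidate)
    if record["scheme"] == "sha256":
        return hmac.compare_digest(record["secret"],
                                   _sha256(candidate, record["salt"]))
    raise ValueError(f"unknown scheme {record['scheme']!r}")


def audit(users: list, pairs=DEFAULT_PAIRS) -> dict:
    """Flag accounts that (a) accept a known default pair, (b) use their own
    username as password, or (c) are stored in clear text."""
    findings = {"default_credentials": [],
                "username_as_password": [],
                "cleartext_storage": []}
    defaults = {}
    for user, password in pairs:
        defaults.setdefault(user, []).append(password)

    for rec in users:
        name = rec["user"]
        if rec["scheme"] == "plain":
            findings["cleartext_storage"].append(name)
        for password in defaults.get(name, []):
            if verify(rec, password):
                findings["default_credentials"].append((name, password))
                break
        if verify(rec, name):
            findings["username_as_password"].append(name)
    return findings


if __name__ == "__main__":
    for category, hits in audit(SAMPLE_USERS).items():
        print(f"{category}: {hits}")
```

On the constructed store the audit reports admin/admin as a live default credential, admin and operator as username-as-password, and admin and jdoe as clear-text storage. In a real environment the same check belongs in the onboarding of any vendor-supplied portal, run again after every upgrade, since default accounts have a habit of coming back.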
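The September 19 entry above is a word-order mix-up: "securityequifax2017.com" is a reordering of the tokens in the real "equifaxsecurity2017.com", which is exactly why a multi-word breach-response domain is so easy to impersonate. As an added example (not code from the original article or from Equifax), the Python below enumerates every reordering of a domain's tokens, with and without hyphens, and then checks a draft message for any of those lookalikes before it goes out. The token split of the domain and the sample tweet text are assumptions constructed for the example.

```python
import itertools
import re

# Constructed input: the canonical breach-response domain, pre-split into the
# tokens a reader sees it as. The split is an assumption; the article gives only
# the full domain name.
CANONICAL_TOKENS = ("equifax", "security", "2017")
TLD = "com"


def lookalike_domains(tokens=CANONICAL_TOKENS, tld=TLD) -> set:
    """Return every domain built from a reordering of `tokens`, joined directly
    or with hyphens, excluding the canonical name itself. These are the names
    an attacker can register to impersonate a multi-word domain, and the names
    worth registering or monitoring defensively."""
    canonical = "".join(tokens) + "." + tld
    names = set()
    for perm in itertools.permutations(tokens):
        for sep in ("", "-"):
            name = sep.join(perm) + "." + tld
            if name != canonical:
                names.add(name)
    return names


# Rough domain matcher: one or more labels, a dot, then an alphabetic TLD.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def flag_lookalikes(text: str, tokens=CANONICAL_TOKENS, tld=TLD) -> list:
    """Extract domains from `text` and return, sorted, those that are
    reorderings of the canonical tokens rather than the canonical name."""
    bad = lookalike_domains(tokens, tld)
    found = {m.group(1).lower() for m in DOMAIN_RE.finditer(text)}
    return sorted(d for d in found if d in bad)


if __name__ == "__main__":
    # Constructed draft tweet, modelled on the mistake described in the article.
    draft = "To check whether you were affected, visit securityequifax2017.com today."
    print("lookalikes in draft:", flag_lookalikes(draft))
    print("names to register/monitor:", sorted(lookalike_domains()))
```

With three tokens this yields eleven lookalikes (six orderings, each plain and hyphenated, minus the canonical name), and the draft above is flagged because "securityequifax2017.com" is one of them. The same check could have been applied to each of the seven tweets before they were posted. The permutation list is also the list of names to register or watch for; a subdomain of the company's existing domain would have avoided the problem altogether.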