Equifax Breach Finger-pointing: Apache Open Source to Blame?
Equifax CEO Richard Smith says the credit reporting company will make changes after suffering massive (143 million people potentially affected) security breach. But the company didn’t help its case by blaming an Apache software flaw for the leak, the New York Post reported.
“My understanding is the breach was perpetuated via the Apache STRUTS flaw,” Jeffrey Meuler, an analyst at Robert W. Baird, who was briefed by Equifax, told the Post. About 65 percent of Fortune 100 companies reportedly use the STRUTS open source software platform, including Lockheed Martin, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot and Showtime.
According to Rui Lopes, manager at Panda Security, the source of the hack may have been around for at least nine years.
“From an IT Security perspective, this means users and system admins in companies need to be assuming the data assets they want to protect have already been compromised — yesterday. Working from the perspective of future compromise means more and more falling one step behind,” Lopes said in an email to MSSP Alert.
The Highlights (And Lowlights) So Far
Beyond Equifax covering its tracks and the continuing assessments by security experts of the breach’s astronomically destructive potential, the legal maneuvering has begun to take root.
Here’s the latest on the legal front:
- New York State Attorney General Eric Schneiderman told WIBX in New York that he’s opened a formal investigation into the incident.
- Senators Orrin Hatch, (R-Utah), chairman of the Finance Committee, and Ron Wyden, its ranking Democrat (OR), in a letter to Equifax listed 13 questions they want answered, including the nature of exposed data, how the hack was found and the company’s plans to bolster its security, the Washington Post reported.
- Rep. Greg Walden, who chairs the Energy and Commerce Committee, told Reuters that his committee will hold a hearing to investigate the breach.
- Attorneys General from Connecticut and Illinois and Pennsylvania have together launched an inquiry into the data breach. At least five state AGs are investigating, the Post reported.
- Two class action lawsuits have been filed. As of Monday, Sept. 11, more than 30 lawsuits have been filed in the U.S. against Equifax, Reuters reported separately. At least 25 lawsuits had been filed in federal courts by Sunday, including one charging the company of securities fraud with several more cases filed on Monday, the report said, citing court records. It’s likely that many of those with similar claims will be combined into one nationwide case, according to the report.
No Cause for Panic (Yet)
Last week, Equifax said the unauthorized access occurred from mid-May through July 2017. So far, there’s been no evidence of activity you’d expect with a personal credentials hack on either Equifax’s consumer or commercial credit reporting databases, the company says. Security experts, however, are saying nearly in unison ‘just wait, it’s coming.’
Equifax reported the breach some six weeks after first finding it and has yet to explain the delay. The company collects personal and financial data on 820 million consumers worldwide. Equifax also said the security breach affected some U.K. and Canadian residents.