Equifax and the Cost of a Data Breach

When Equifax announced at the start of September that it had been a victim of a massive data breach, and given the company's unique position of being one of the three major credit unions in the United States, everyone knew heads would roll. This feeling was only exacerbated when, late on Friday, Eastern Standard Time, the company released a press statement detailing the incident and announcing the resignation of both the Chief Information Officer and Chief Security Officer.

The press release also confirmed that the personal information of potentially over 143 million U.S. citizens has been impacted, and that at least credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. In addition, Equifax identified unauthorized access to limited personal information for certain U.K. and Canadian residents. Many, if not all, of the above statistics regarding the incident had been speculated upon in the media; the press release by Equifax serves as confirmation.

Apache Struts attack vector confirmed

In March of this year, it was announced that the open source software Apache Struts was vulnerable: an attacker could execute commands on the server via content uploaded to the Jakarta Multipart parser component, used in some Struts applications. The vulnerability, CVE-2017-5638, was declared a Zero Day event as it was seen to be exploited in the wild prior to discovery. The vulnerability was patched, and administrators were strongly recommended to apply the patch immediately. It was seen as serious enough for the Department of Homeland Security's CERT team to issue an alert and, as a result, received a fair amount of media coverage.

In the press release issued by Equifax on Friday, it was confirmed that the vulnerability in Apache Struts was the attack vector utilised despite Equifax stating that “Equifax's Security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company's IT infrastructure.” Despite their apparent knowledge of the vulnerability, it can safely be assumed that the vulnerability had not been patched. The excuse of “they forgot” is probably not what investors, shareholders, and importantly customers whose sensitive information has been jeopardized want to hear.
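The "identify vulnerable systems" step is where the process described above broke down. The following is an added example, not part of the original article and not Equifax's tooling: it flags Struts core jars whose version falls in the ranges Apache's advisory for CVE-2017-5638 lists as affected (2.3.5 to 2.3.31 and 2.5 to 2.5.10; fixed in 2.3.32 and 2.5.10.1). Those ranges come from the advisory rather than this article, the file paths are constructed sample data, and the code assumes jars keep the standard `struts2-core-<version>.jar` name.

```python
import re

# Affected ranges from the Apache advisory for CVE-2017-5638 (not from this article).
AFFECTED = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")

def parse_version(path):
    """Return the version tuple from a struts2-core jar path, or None."""
    m = JAR_RE.search(path)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def pad(version, width=4):
    """Right-pad with zeros so 2.5.10 sorts below 2.5.10.1."""
    return tuple(version) + (0,) * (width - len(version))

def is_affected(version):
    v = pad(version)
    return any(pad(lo) <= v <= pad(hi) for lo, hi in AFFECTED)

def audit(paths):
    """Sort jar paths into affected, not affected, and needs manual review."""
    report = {"affected": [], "not_affected": [], "review": []}
    for path in paths:
        version = parse_version(path)
        if version is None:
            report["review"].append(path)   # renamed or non-release jar
        elif is_affected(version):
            report["affected"].append(path)
        else:
            report["not_affected"].append(path)
    return report

# Constructed inventory, e.g. the output of a file search across app servers.
SAMPLE_INVENTORY = [
    "/srv/app-a/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/srv/app-b/WEB-INF/lib/struts2-core-2.3.32.jar",
    "/srv/app-c/WEB-INF/lib/struts2-core-2.5.10.jar",
    "/srv/app-d/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/srv/app-e/WEB-INF/lib/struts2-core-2.5-BETA1.jar",
]

if __name__ == "__main__":
    for status, found in audit(SAMPLE_INVENTORY).items():
        print(status, found)
```

A filename scan misses jars that were renamed or bundled inside WAR or fat-jar archives, so the "review" bucket and a dependency-level inventory are both needed before a system is declared patched.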


Employees at Equifax, following an internal review, found that the vulnerability had indeed been used to breach the company’s security via the US online dispute portal, which was brought offline, patched, and then brought back online. Once the breach was discovered, FireEye’s Mandiant division, a company well known for investigating cybersecurity incidents, in conjunction with Equifax’s team discovered that the breach started on May 13 and ran through to July 30. In the recent press release, much detail was given to the measures taken by the company to support customers potentially affected by the breach, with identity theft being one of the feared consequences for many customers. Many of those affected may feel such measures are too little too late. The 23 class action lawsuits are a testament to this feeling.

Legal woes

The Federal Court records show that 23 class action suits have been brought against the credit union, with more to potentially follow. In a separate but telling incident Sens. Orrin Hatch, R-Utah, and Ron Wyden, D-Oregon, respectively the chairman and ranking member of the Senate Committee on Finance, sent Equifax detailed questions about the breach on Monday. What started as a hack has escalated into a legal and political quagmire.

The cases, which have been brought forward in 14 states within the U.S., detail a variety of legal reasons for bringing the case to court. These reasons include security negligence by Equifax, the delay in alerting the public, and concerns about the free credit monitoring service the company has offered consumers. In support of the arguments, many of the cases have noted prior instances of smaller cyber breaches affecting the company, occurring in 2013 as well as 2016. These instances resulted in another case being brought to the Californian Federal Court, which charged that the company should have known of the inadequacies surrounding its cybersecurity policies. In the case brought forward in Illinois federal court, central to the plaintiff’s case is the perceived “willful, or at least negligent,” delay in alerting customers. According to the court papers filed in Illinois, it is contended that “consumers were deprived of their opportunity to meaningfully consider and address issues related to the potential fraud, as well as to avail themselves of the remedies available under the FCRA (U.S. Fair Credit Reporting Act) to prevent further dissemination of their private information.”

If Equifax does not look to settle the numerous matters using pre-trial settlements, the legal process could be long, arduous, and most definitely costly. While the thought of expensive and reputation-damaging cases may be keeping some executives awake at night, the company issued a statement to investors saying it was too early to guess at the eventual cost incurred by the company. Markets were quick to respond to such uncertainty, uncertainty being not what markets wish to see, with shares in Equifax plummeting from just over $140 a share to $92.98 a share at the time of writing, and analysts at Morgan Stanley predicting the value to plummet even further to under $50 a share.

So begins the witch hunt

In the wake of the initial breach, the delay in informing consumers, the beginning of legal proceedings, and the hemorrhaging of the company’s stock value, multiple resignations can be expected. While the Chief Information Officer and Chief Security Officer have already resigned in an attempt at appearing accountable, many are calling for the resignation of the company’s CEO, Richard Smith, who is due to be hauled in front of Congress on Wednesday to answer a few very difficult questions.

While the horizon looks most certainly dim for the company in the immediate future, it will not look any brighter anytime soon, as the Federal Trade Commission announced that it too will investigate the matter.