How a large corporation lost millions of data sets to hackers

Sven Krumrey

Let me start off by apologizing. As mentioned before, we're in the process of relocating to new headquarters and, consequently, a few things have fallen by the wayside, including the server that sends out the weekly notifications for new blog articles. So in case you didn't receive any notifications for the past two weeks, please see the links at the bottom to access the previous two articles. The most recent entry also gave rise to this week's article, which deals with the question of where all those leaked email addresses and passwords come from. As a case in point, I'll cover the momentous and well-documented Equifax hack, which has achieved legendary status by now. Seldom has there been another case where such highly sensitive information met with such utter management failure!

A company that has a lot of explaining to do

To begin with: Who are Equifax? Equifax is one of the three largest consumer credit reporting agencies in the US. For many larger purchases that require proof of creditworthiness, Equifax provides extensive details on credit cards, addresses, driver's licenses and more. The company sells this, no doubt, delicate information to businesses, money lenders, employers and landlords. In May 2017, Equifax were hacked - and good and proper. The company had been using Apache Struts, a web application framework for which a critical vulnerability (CVE-2017-5638, a remote code execution flaw in the framework's file upload handling, not a SQL injection) had been disclosed in March of the same year. The flaw enabled attackers to run arbitrary commands on an affected web server without any login, i.e. to gain full access to the affected systems. Warnings had been issued by security companies, and a patched version had been published on the very day of the disclosure. But Equifax had taken too long and had failed to roll it out across all of their servers, remaining low-hanging fruit for hackers. The hackers scanned the web for potential targets and, once inside, took their sweet time snooping around Equifax's servers.

Not only did they find data on over 145 million US consumers, and an undisclosed number of Canadian and British citizens, but 145.5 million of those data sets came with their holders' social security numbers, rendering them easily identifiable. Over 200,000 credit card numbers and 99,000 current addresses, among other details, fell into the wrong hands. It was a veritable worst-case data security breach - and not the first of its kind for Equifax, whose systems had already been compromised in March 2017, but without public disclosure or proper security audits thereafter. Equifax's Argentinian servers had been "hardened" equally well, using admin as both user name and password, to the huge surprise of the would-be intruder who stumbled upon them. It's enough to make you cry!

Only some of the data lost to hackers

As public interest in the hack soared, the authorities sprang into action and quickly realized Equifax had made a botch of things on all fronts. Employees had been made aware of the vulnerability via email - but the list of recipients had been outdated. Of all things, the admin responsible for the affected system hadn't gotten the mail! An in-house vulnerability scan had been run to find affected servers, but it had only checked the top-level directories and had ignored the many subdirectories where the vulnerable Struts component actually lived! In addition, Equifax had not segmented their databases (so a single foothold gave access to all of them) and had stored database user names and passwords in plain text (unencrypted) on a network share. Once inside, users - and intruders - were able to happily access anything and everything, including customer data sets that, naturally, had also been left unencrypted at rest.
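The scan that only looked at top-level directories is the kind of mistake that is easy to reproduce yourself. The following is an added example (not code from the original post or from Equifax): a small Python script that walks a deployment directory recursively, picks up every struts2-core jar by its file name, and flags the ones in the ranges affected by the Struts flaw described above (the affected ranges 2.3.5 to 2.3.31 and 2.5 to 2.5.10, fixed in 2.3.32 and 2.5.10.1, are taken from the Apache advisory for CVE-2017-5638). The sample directory tree it builds is constructed for the example; the `recursive=False` switch reproduces the flawed root-only scan so you can see what it misses.

```python
"""Recursive scan for Apache Struts 2 builds affected by CVE-2017-5638.

Added example, not code from the blog or from Equifax. Assumptions:
  * Struts ships as struts2-core-<version>.jar and the version can be read
    from the file name (this is how the jar is published to Maven Central).
  * Affected ranges follow the Apache advisory: 2.3.5 - 2.3.31 and
    2.5 - 2.5.10; fixed in 2.3.32 and 2.5.10.1.
"""
import os
import re
import tempfile

JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")

# (first affected, first fixed) per release branch, as version tuples
AFFECTED_RANGES = [
    ((2, 3, 5), (2, 3, 32)),
    ((2, 5), (2, 5, 10, 1)),
]


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare component-wise like versions."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version):
    """True if the version lies in an affected range (lower inclusive, upper exclusive)."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def scan(root, recursive=True):
    """Return sorted (path, version, vulnerable) for every struts2-core jar.

    recursive=False mimics the flawed scan from the text: only the root
    directory itself is inspected, so jars nested under an application's
    WEB-INF/lib are never seen.
    """
    if recursive:
        walker = os.walk(root)
    else:
        walker = [(root, [], os.listdir(root))]
    hits = []
    for dirpath, _dirs, files in walker:
        for name in files:
            match = JAR_RE.match(name)
            if match:
                version = match.group(1)
                hits.append((os.path.join(dirpath, name), version, is_vulnerable(version)))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample deployment (not real data): one patched jar at the
    top level, three more buried in per-application lib directories, two of
    which are unpatched. Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="struts-scan-")
    layout = [
        "struts2-core-2.3.32.jar",
        "apps/app1/WEB-INF/lib/struts2-core-2.3.31.jar",
        "apps/app2/WEB-INF/lib/struts2-core-2.5.10.1.jar",
        "apps/app3/WEB-INF/lib/struts2-core-2.5.10.jar",
    ]
    for rel in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb"):
            pass  # an empty placeholder is enough; only the name is inspected
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("root-only scan:", [(v, vuln) for _, v, vuln in scan(root, recursive=False)])
    print("recursive scan:", [(v, vuln) for _, v, vuln in scan(root)])
```

Run it as-is and the root-only scan reports a single, patched jar and declares the box clean, while the recursive scan finds all four and flags 2.3.31 and 2.5.10. Matching on the jar name is a deliberate simplification: a shaded or renamed jar would be missed, which is one more reason to feed a real software inventory into your scanner rather than trusting a directory listing.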

The outflow of data went largely unnoticed because, unlike Equifax, the hackers used encryption. Equifax's intrusion detection setup relied on an inspection appliance to decrypt and analyze outbound traffic, but the certificate that appliance needed for this had expired more than a year earlier and had never been renewed, so the encrypted data streams passed through unexamined. The data flow continued unchecked - for 76 days! On top of that, the company's organizational structure had "historically grown", which is another way of saying it was bordering on mild chaos. This resulted in a lack of dedicated database administrators. Equifax had happily acquired 18 companies, including their network infrastructure, but had failed to develop an overarching IT security policy. All of the aforementioned issues had been known since 2015, and MSCI (Morgan Stanley Capital International) had warned of exactly this kind of hack, awarding Equifax 0 out of 10 points for data security in one of their reviews, but the company had kept on muddling along - with the now well-known disastrous effects.

Data security comprises many aspects - if you take the matter seriously

Are you still here? Do you still have hair? My hat goes off to you for not having torn it out in light of the, pardon my French, shitshow Equifax delivered! But wait, it gets better. Even after the hack had become public, 8,780 organizations still downloaded and installed the old, vulnerable versions of the software. Whoever has been or, god forbid, still is running IT security there should spend at least two days in a ridiculous-looking dunce's cap for all the world to see. So far, seven big tech companies have been identified running servers with insecure software. As a home user who painstakingly takes care of software updates, passwords and security matters, all this makes you shake your head in disbelief.

So far, so aggravating. But guess what followed? Absolutely nothing! To this day, the stolen data has not surfaced anywhere on the web, including the dark web. There have been numerous attempts to retrieve the data through middlemen affiliated with the hacking scene, all to no avail. To date, no cases of data misuse have been reported. Experts believe the hackers involved either realized the gravity of the situation and dare not use or sell the data for fear of punishment, or the hack was instigated by an intelligence agency with no immediate application in mind, as the data could be put to many uses, including identity theft or coercion. Perhaps we'll never know how this spectacular case will end.

What I would like to know: Would you have thought the extent of gross negligence outlined in this article possible? Will you now take even better care of your data and share it only sparingly?

The lost blogs:
Unruly spirits: internet mobs
2.2 billion email addresses and passwords leaked - are you affected?