Equifax has been breached.
On Thursday Equifax, one of the big-three US credit bureaus, disclosed a major data breach. It affects 143 million individuals, mostly Americans, although data belonging to citizens of other countries, for the most part Canada and the United Kingdom, were also hit (Ars Technica).
It's known the data were stolen, not just exposed: Equifax disclosed it had detected unauthorized access. So this isn't simply a case of potential compromise of data inadvertently exposed on the Web. Someone came in and took it.
Among the information lost are names, Social Security Account Numbers, dates of birth, and addresses. Large subsets of the affected individuals also lost credit card numbers, dispute documents (which you might file if you wished to correct something in your credit record), and driver's license numbers (KrebsOnSecurity). It's unclear how many of those data were encrypted.
You'd say that seems like about everything, but Equifax would differ—the company says in its statement that its core credit record databases were uncompromised. Those are records of things like late payments, bad debts, and so on. Most observers have found that cold comfort at best—the data lost are more than sufficient to commit all manner of fraud and identity theft (Help Net Security).
Equifax is also offering their identity protection and credit monitoring services free to affected individuals (more on this below). Why affected individuals would sign up for such monitoring is unclear. Many journalists and security experts have looked into the proffered service and found it dodgy, hard-to-use, generally insecure, and probably an opportunity to be hit up for a paid renewal when the free offer expires (Bleeping Computer).
Equifax breach: how it happened.
How the breach occurred remains publicly unknown, and Equifax has been close-mouthed about the details. But there's considerable speculation online that the hackers exploited a patchable but unpatched flaw in Equifax's website. The company says it noticed the breach on July 29th, and that it's called in a security company (reported to be FireEye's Mandiant unit) to help with remediation.
Early reports indicate that the hackers exploited an Apache Struts vulnerability (Quartz). Which vulnerability may have been exploited remains unclear (Markets Insider). There's early speculation in social media that Russian intelligence services are behind the hack, but this is as much a rounding up of the usual suspects as anything else. On a priori grounds one can see how intelligence services would be interested in this quantity of personal information (as the Chinese services were interested in the data held by the US Office of Personnel Management) but there is an active criminal market operating here as well. It's far too soon to tell (but it's worth noting that companies would rather be able to attribute their sufferings to spies than to crooks).
However the breach occurred, it's calling into question the continuing use of Social Security Account Numbers for either identification or authentication (Motherboard).
Equifax breach: exploitation of the stolen data.
Further exploitation may already be in progress. There are credible reports that an extortion threat has been made in the dark web, presumably to Equifax, threatening to dump stolen credit card numbers if a 600 Bitcoin ransom (about $2.6 million) isn't paid by September 15th (Surfwatch Labs). There are also reports of a spike in credit card fraud (New York Post). That spike is likely to be large and enduring, given the scale of the breach.
Equifax breach: public reaction.
Equifax has been getting clobbered in public opinion. The company's response has struck most as tone-deaf. In most large-scale cyber incidents, there are varying degrees of sympathy for the victim and an acknowledgment of the victim's difficulties. Not so here. The Twitterstorm over the incident is massive and utterly unsympathetic. A great deal of this is Schadenfreude from those who have found themselves at some point in their lives caught up in the iron web of credit evaluation. More comes from security experts who are aghast at the apparent degree of carelessness with which personal data were handled. (Forbes points out that Equifax had had problems with data security before.) And no one appears to think that a forty-one-day delay between discovery and disclosure is acceptable (Business Insider).
It will be difficult for the credit-rating industry as a whole to continue in its present form. One representative tweet can stand for the others: "If @Equifax survives this catastrophe then there is obviously no moral hazard in the US data economy after all." (Actually tremendous moral hazard, but the tweeter's meaning is as clear as 111 characters can make it: data holders and data handlers would in that case appear to have no serious incentive to avoid risky practices with respect to protecting information.)
Equifax breach: lessons for incident response.
One would expect as much when a credit bureau was undergoing misfortune that's partly explicable in terms of things it might have done otherwise. Rather than pile on, it might be better to consider their experience from an after-action-review point of view. There will be as many if not more lessons to be learned from this episode as a case study in incident response as there will from the forensic post mortem itself.
As many other companies in breach trouble have done, Equifax has brought in Mandiant to mop up its systems (ZDNet). But Equifax has fumbled its response on at least three points. First, the delay in disclosure seems unconscionably long—forty-one days. There would have to be some time between discovery and disclosure if only to be sure one had attained some realistic understanding of what happened, but to take more than a month argues a lack of preparation. Yahoo!'s breaches took longer to come out, but that's been the exception rather than the rule, and Yahoo! was also experiencing a significant internal failure to communicate.
Second, the public relations appear to have been very poorly handled (a "dumpster fire," as KrebsOnSecurity called it) and it's worth recalling that public relations are a real and important part of any incident response plan. The offer of free credit monitoring (to be conducted by Equifax's own service) struck many observers as insultingly inadequate, with further insult added by the company's poorly-executed website telling people who sought to apply for free monitoring to come back on September 13th (Motherboard). (Also see the comments section of the FTC's online advice to consumers for a taste of what visitors have encountered.)
It gets worse—the agreement Equifax required consumers to enter upon receiving their free monitoring included a clause committing them to submit any claims against Equifax to arbitration, an attempt to limit the size if not the inevitability of class action suits (Bloomberg). That last clause has now been removed, but the delayed and clumsy response brings out, again, the importance of planning for incident response. It also highlights the importance of exercising and testing such plans, and of drawing and applying lessons learned from those exercises. It's difficult to believe a well-crafted plan would have permitted a forty-one day gap between discovery and disclosure.
Finally, at least three senior Equifax executives are known to have sold stock in the company worth about $1.8 million on August 1st, 2017, three days after the breach was discovered and more than a month before it was disclosed. Equifax told Bloomberg that none of the three—they included the CFO—knew about the breach when they sold, and that anyway they didn't sell all the shares they owned. So the company claims this wasn't a case of the C-suite pulling the ripcord on a golden parachute. "Regulatory filings show that on Aug. 1, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 scheduled trading plans" (Bloomberg).
Those who doubt that executives could have been unaware of the incident at the time they sold stock point to Equifax's claim that its board was promptly informed of the breach. If that's the case, that the CFO would have remained in the dark for three days strikes observers as too curious to be believed (MarketWatch).
So claims of ignorance have been met with widespread incredulity, but that may be unfair. What does seem fair to say is that Equifax faces a dilemma: either the executives sold on material non-public knowledge in illegitimate insider trading, or the executives weren't involved in responding to the breach until much later than they should have been. Given the poor quality of the response, the smart money would grasp the second horn of the dilemma. But neither horn offers a comfortable grip.
Equifax breach: impact on the company (and others).
Equifax (NYSE:EFX) shares Friday closed down 13.66% (Google Finance). That's bad, but it's also not a Wall Street death sentence. (Seeking Alpha even calls it "much ado about nothing.") Equifax competitors TransUnion and Experian have also taken a hit to their share prices (Times of India). It's worth pointing out that it's not necessarily the company's customers who are being hurt. It's the consumers those customers are paying Equifax to rate who are now facing the prospect of fraud, damage to credit, and identity theft. The US Federal Trade Commission (FTC) has posted some quick advice to consumers about how they might begin to protect themselves.
The company's regulatory risk and exposure to litigation will bear watching. The FTC and the US Securities and Exchange Commission (SEC) are likely to take a close interest in the incident, as are a variety of State regulatory bodies and Attorneys General (CNN). The plaintiff's bar is of course already preparing its cases (TechCrunch, PRNewswire). A report from Baird Equities Research offers an early overview of the incident's likely effect on Equifax.
Executive-suite casualties of hacking.
NotPetya and WannaCry continue to twist affected businesses. Reckitt Benckiser's Senior Vice President of Information Services, Darrell Stein, will leave the company on October 1st. His departure is viewed as atonement for the company's NotPetya infestation (Computing).
WikiLeaks dumps more from Vault7.
As usual, WikiLeaks offered another dump from Vault7 on Thursday, September 7th, 2017. This release involved no cyber tools, but instead offered apparently classified information about a missile control system, "Project Protego" (Security Affairs).
Two things are worth remarking on the dump. First, the classification level of the leaks appears to be dropping—no juicy, highly compartmented stuff here, but rather some banal system information that would surprise few aerospace buffs.
And second, WikiLeaks had adopted a kind of tribune-of-the-people stance with its earlier dumps of alleged hacking tools and spyware: see how we take your side against the overweening surveillance of the Deep State, and so on. But that fig leaf seems to have dropped, at least this time. A combat system is tough to cover with a cache-sexe of high-minded civil libertarian concern.
Where WikiLeaks is getting the contents of Vault7 remains unknown, at least publicly.
If you paying, the ShadowBrokers playing (as they put it).
And the ShadowBrokers are back, too. This time they have an announcement: they now plan to move from one exploit dump per month to two of them. The twofer offer gamely maintains the Brokers' pose of selling stuff to make some coin at the Equation Group's expense. They're in it for the money, don't you see? As they say, "If you be paying, the ShadowBrokers be playing!" There's general doubt that many people are paying.
What will appear in September is unknown, and you would have to be paying to be playing. But the Brokers released a teaser about last month's dump, a manual purporting to describe an alleged Equation Group tool, "UNITEDRAKE." There's been talk of such a tool offering a means of controlling Windows machines since Snowden mentioned it to the Intercept in 2014 (Security Week).
Notes on intelligence policy.
The annual Intelligence and National Security Summit, sponsored jointly by INSA and AFCEA, concluded yesterday in Washington, DC. You'll find our continuing coverage of the Summit on our Website, theCyberWire dot com. We will mention three themes that came across very clearly to us at the conference (the CyberWire).
First, the US Intelligence Community and its stakeholders find themselves in general agreement that a new approach to talent management is necessary, that what Marine Corps Major General Groen, of the Joint Staff's J2, called an "industrial age" approach to the workforce is no longer adequate to current realities. And it's likely to grow even less adequate over time. People with essential expertise—both linguists and cybersecurity professionals were repeatedly singled out for mention—need to have career paths designed that will challenge, develop, and retain them. And there was as close to complete and universal agreement as we've ever seen that one aspect of the legacy approach to talent management, the security clearance process, is irretrievably broken. How it could be fixed remains unclear, but fixed it must be, senior Intelligence Community leaders agreed. They advocated in a general way two lines of reform that might be pursued: moving away from the current practice of regular re-examinations in favor of some form of continuous evaluation, and moving toward a serious risk management approach to personnel security.
Second, the US intelligence executives who spoke were unanimous in their support of Section 702 reauthorization. This section of the Foreign Intelligence Surveillance Act authorizes the Intelligence Community to target the communications of non-U.S. persons located outside the United States for foreign intelligence purposes. They thought that without Section 702 authority, their ability to accomplish their mission would, given current global communication realities, essentially vanish. All were at pains to stress the multiple layers of oversight designed to shield US citizens' privacy from 702 surveillance. Representative Schiff and Senator Warner, ranking members respectively of the House and Senate Intelligence Committees, both said in their remarks that they thought Congressional reauthorization of Section 702 was likely.
And the third point was obvious on reflection, although it could easily have been lost by the routine way in which it was treated. All intelligence is now, effectively, cyber intelligence. None of the traditional intelligence disciplines, not even IMINT—imagery intelligence, mostly photos taken from aircraft or satellites—or HUMINT—human intelligence, the traditional spycraft of recruiting and running agents, among other practices, are conducted entirely outside of cyberspace any longer.
An artificial intelligence arms race is on.
President Putin effectively declared the start of an artificial intelligence arms race this week, but it's been clear for some time that this was on (WIRED). The US Intelligence Community is certainly chasing AI (FCW).
Scam-spotting.
Look to Hurricane Harvey for some unhappy but important lessons learned (Think Advisor) and don't hesitate to apply them to the bogus mendicants who will turn up in the wake of Hurricane Irma, and of every other tragedy that strikes.