Equifax twice missed finding Apache Struts vulnerability allowing breach to happen
Equifax twice missed finding Apache Struts vulnerability allowing breach to happen

Former Equifax CEO and Chairman Richard Smith sat before a house committee today where he was taken to task for his actions during the period when his company exposed the personal information of 145.5 million people.

The most eye-opening testimony he gave before the House Energy and Commerce Committee Subcommittee on Digital Commerce and Consumer Protection surrounded the fact that Equifax learned of the Apache Struts vulnerability from U.S. CERT and then twice searched for any issues in its networks coming up empty each time and thus allowing the flaw to remain unpatched in its Consumer Dispute Portal. Smith also claimed to have no knowledge of the total extent of the problem until July 31 when the issue was brought to him by his cybersecurity team.

In Smith's prepared remarks he said U.S. CERT notified Equifax of the problem on March 8 and the following day the news was given to the security team. As per company policy these workers had 48 hours to search for and then patch any problems.

“Apache Struts within Equifax was not identified or patched in response to the internal March 9 notification to information technology personnel,” Smith said.

Additional scans were run on March 15 again searching for the Apache Struts vulnerability, but came up empty.

“Equifax's efforts undertaken in March 2017 did not identify any versions of Apache Struts that were subject to this vulnerability, and the vulnerability remained in an Equifax web application much longer than it should have,” he said.

Pravin Kothari, Founder and CEO of CipherCloud, called the CERT notification something that should have triggered an all hands on deck response, but he believes the company's focus was elsewhere and not on cybersecurity.

"A good security process would have identified vulnerable systems within 24 hours and patch must have been applied. But the Equifax process was “weak and broken” because it failed to identify the vulnerable systems. This process is supposed to run every day; not only did they not identify the vulnerability immediately, it went unidentified until they found the breach. It was too late," he told SC Media.

In a bipartisan reaction none of the committee members were satisfied with Smith's comments and raked him over the coals with Rep. Greg Walden, R-Ore., saying it would be hard to pass legislation that would prevent this from happening in the future.

“I don't think we can pass a law that, excuse me for saying this, fixes stupid," said Walden.

It also came out in Smith's testimony that if the Equifax information security team had found the vulnerability in March the entire incident could have been avoided. The recently completed forensic investigation revealed that the hackers did not access any sensitive information until May 13 and that between that date and July 30 the hackers continued to have access to the system exploiting the Apache Struts vulnerability all while Equifax remained in the dark.

The first clue that something was amiss, Smith said, took place on July 29 when the IT staffers noted suspicious activity in the Consumer Dispute Portal. That day the illegal traffic was blocked, but it was again spotted on July 30 when the application was taken offline.

Smith said he was first informed of the problem on July 31 by Equifax's, now former, CIO David Webb, but he claimed at that time he was unaware “that personal identifying information had been stolen, or have any indication of the scope of this attack.”

On August 2 Equifax retained cybersecurity group at the law firm of King & Spalding to handle the investigation and provide legal advice and the company contacted the FBI. By August 11 it was known that the hackers may have accessed a data table containing the costumer personal information, followed by the revelation on August 15 that the information was not only accessed but stolen.

“On August 17, I held a senior leadership team meeting to receive the detailed briefing on the investigation. At that point, the forensic investigation had determined that there were large volumes of consumer data that had been compromised. Learning this information was deeply concerning to me, although the team needed to continue their analysis to understand the scope and specific consumers potentially affected,” Smith testified.

The first member of the company's board of directors was not notified until August 22 and the full board not for another two days. The board met for the first time to discuss the matter on September 1.

Rep. Leonard Lance, R-N.J., asked Smith why he took so long to loop in the board. Smith replied that the situation was fluid and he wanted it to settle down first.

One of the reasons Smith cited for holding off on going public was the fear that once the news broke it would open the company to further cyber intrusions and the need to further harden their systems.

The news was released on September 7.