Adam Bannister is a contributor to IFSEC Global, having been in the role of Editor from 2014 through to November 2019. Adam also had stints as a journalist at cybersecurity publication, The Daily Swig, and as Managing Editor at Dynamis Online Media Group.
September 21, 2017

PATCHING PROBLEMS

Equifax will be first of many victims of Apache Struts vulnerability, says cyber specialist

Equifax is “probably just the first known victim” of a software vulnerability that could take years to remedy, a top cyber expert has warned.

Credit monitoring company Equifax recently revealed that hackers gained access to names, social security numbers, dates of birth, addresses and driver’s license numbers of 143 million Americans between mid-May and July of this year. Credit card numbers for about 209,000 US consumers were also accessed.

Traced to CVE-2017-5638, a remote code execution vulnerability in the Jakarta Multipart parser of the Apache Struts web application framework, the Equifax breach is the biggest-ever theft of social security numbers, eclipsing the 2015 hack at health insurer Anthem Inc that exposed the personal data of 80 million people.

While it isn’t the biggest data breach in history – Yahoo claims that mantle – it could be the most damaging, because the data stolen is routinely used to verify people’s identity by banks and other institutions.

A patch for Apache Struts, a widely used open source framework for building Java web applications that receive and process user-submitted data, had been available since March, months before the intrusion began.
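One practical check that follows from the fact that a fixed release existed, added here as an example and not code from the article, from Flexera or from the Apache project: given a Maven pom.xml, it extracts the declared struts2-core version (resolving a ${property} reference, which a plain grep for the version tag would miss) and tests it against the affected ranges published in the Apache S2-045 advisory for CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1). The pom.xml below is a constructed sample for a hypothetical project, and the function names are the example's own.

```python
"""Added example: flag struts2-core versions inside the CVE-2017-5638 (S2-045) affected range.

Affected per the Apache S2-045 advisory: 2.3.5 through 2.3.31 and 2.5 through 2.5.10;
fixed in 2.3.32 and 2.5.10.1. This is illustrative code, not the article's or Apache's.
"""
import re
import xml.etree.ElementTree as ET

# Inclusive affected ranges from the S2-045 advisory, as comparable version tuples.
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]
FIXED_VERSIONS = ("2.3.32", "2.5.10.1")

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom.xml for a hypothetical project. The Struts version is
# declared through a Maven property, so the checker has to resolve ${struts.version}.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <struts.version>2.3.31</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(version):
    """'2.5.10.1' -> (2, 5, 10, 1). Qualifiers such as '-SNAPSHOT' are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def is_vulnerable(version):
    """True when the version lies inside an affected range.

    Tuple comparison is component-wise, so the four-part fixed release (2, 5, 10, 1)
    sorts above (2, 5, 10) and is correctly excluded, while (2, 5) alone is included.
    """
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def struts_core_versions(pom_xml):
    """Return the struts2-core versions declared in a pom.xml, resolving ${property} refs."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", MAVEN_NS)}
    versions = []
    for dep in root.findall(".//m:dependency", MAVEN_NS):
        group = dep.findtext("m:groupId", default="", namespaces=MAVEN_NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=MAVEN_NS).strip()
        version = dep.findtext("m:version", default="", namespaces=MAVEN_NS).strip()
        if group == "org.apache.struts" and artifact == "struts2-core":
            # Substitute ${name} with the matching <properties> entry; leave unknown refs as-is.
            version = re.sub(r"\$\{([^}]+)\}",
                             lambda m: props.get(m.group(1), m.group(0)), version)
            versions.append(version)
    return versions


def assess_pom(pom_xml):
    """Map each declared struts2-core version to whether it is in the affected range."""
    return {v: is_vulnerable(v) for v in struts_core_versions(pom_xml)}


if __name__ == "__main__":
    for version, vulnerable in assess_pom(SAMPLE_POM).items():
        status = "VULNERABLE to CVE-2017-5638" if vulnerable else "not in the affected range"
        print(f"struts2-core {version}: {status} (fixed in {', '.join(FIXED_VERSIONS)})")
```

A build manifest only records what was declared, not what is running: the same range test should also be applied to the struts2-core jar actually present under WEB-INF/lib on each deployed server, where a vendored or transitively pulled copy can differ from the pom.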


Unpatched systems

According to the Flexera Vulnerability Review 2017, patches were available on the day of disclosure for 81% of the vulnerabilities recorded in 2016. The WannaCry attacks in May likewise exploited unpatched systems: attackers weaponise disclosed flaws faster than many organisations can roll out the fixes.

“Equifax is probably just the first known victim,” said Jeff Luszcz, vice president of product management at Flexera, which provides tracking for open source components, vulnerability intelligence and tools to simplify remediation.

“Once a case like this hits the news, it ignites the fire in the cybercrime community and hackers start poking around for new opportunities. We should expect a long tail of incidents and breaches in the months – and potentially years – to come, as we still see attacks targeting Heartbleed, a vulnerability more than three years old.”

Offering tips on how organisations can protect themselves, Kasper Lindgaard, senior director of Secunia Research at Flexera, said: “Patching this type of vulnerability is certainly not as simple as patching a desktop application. When it comes to vulnerabilities affecting the software supply chain, it’s important to align software design and engineering, operational and security requirements.

“This isn’t an easy task. However, the time frames of initial disclosure of the vulnerability and its patch on March 7 – up to two months before the first reported unauthorised access at Equifax, and the further delay of the actual detection of the breach on July 29 – currently indicate that the vulnerability was not handled with the priority that it should have.

“This is a common issue across industries that business leaders need to address rather sooner than later.”
