Equifax Cybersecurity Failings Revealed Following Breach

Shortcomings revealed by researchers and cybersecurity firms following the massive data breach suffered by Equifax show that a successful hacker attack on the credit reporting agency’s systems was inevitable.

Some members of the industry pointed out last week that the company’s Chief Security Officer (CSO) Susan Mauldin was a music major with no educational background in cybersecurity or technology. Mauldin and Chief Information Officer David Webb retired from the company on Friday.

Others dug up old vulnerability reports that the firm had still not addressed and noted the lack of even basic protections on the company’s website. Even the website set up by Equifax to provide information about the breach was riddled with security holes and some services flagged it as a phishing site.

The organization does not have a vulnerability disclosure program that would allow and encourage security experts to responsibly report the flaws they find.

The Apache Struts 2 vulnerability leveraged by cybercriminals to breach Equifax systems had been known and exploited for roughly two months before the attack on the company. Equifax said its security team knew about the flaw and is now trying to determine why an online dispute portal, which served as the initial point of entry, remained unpatched.

Experts pointed out that the Apache Struts flaw is not easy to fix, especially if you have many systems that need patching. However, they believe the problem can be addressed with modern security solutions.

Comodo discovered that more than 388 records of Equifax users and employees are up for sale on the dark web. The information, which includes usernames, passwords and login URLs, was apparently stolen using Pony malware. The security firm pointed out that some Equifax credentials were also exposed in third-party incidents, including the massive LinkedIn and Dropbox breaches.

“From third-party (non-company system) sources, we uncovered that Equifax’s chief privacy officer, CIO, VP of PR and VP of Sales used all lowercase letters, no special symbols, and easily guessable words like spouses’ names, city names, and even combinations of initials and birth year. This reveals that they didn’t follow basic security best practices and were lacking a complex password requirement,” Comodo said in a blog post.

Another security incident related to the company was brought to light by security blogger Brian Krebs, who was informed by researchers that an Equifax Argentina employee portal exposed 14,000 records, including credentials and consumer complaints.

The breach, the manner in which the company investigated the incident, and some of these security failings have led to a significant drop in Equifax shares. Before the hack was disclosed, Equifax stock was worth roughly $140, but it has now dropped to $92, and financial experts believe it could plunge as low as $50. The incident has already cost the company nearly $10 billion in market value.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
