Third-Party Software Exploit - Case Study: Equifax/American, British, and Canadian Citizens

The document summarizes the 2017 data breach at Equifax where hackers exploited a vulnerability in the Apache Struts software. It took Equifax over two months to patch the vulnerability after it was disclosed, during which time hackers were able to access internal servers and extract sensitive personal data for over 147 million individuals. The breach occurred due to unpatched third-party software, insecure network design that allowed lateral movement, and insufficient monitoring that delayed breach detection for over two months.


Third-Party Software Exploit - Case Study
Equifax/American, British, and Canadian Citizens

Modern software systems are largely composed of third-party software. Therefore companies must be diligent in applying patches and must closely monitor the status of third-party vendors.
In this case a vulnerability in Apache Struts was disclosed and clients were urged to patch it as soon as possible, which Equifax failed to do for more than 2 months.

Third-Party Software Exploit
According to the Verizon Data Breach Report 2019, 10% of breaches happened in the financial industry and 71% of breaches were financially motivated.
Equifax is an American credit bureau. Between May and July of 2017 a data breach occurred which disclosed private records of over 147.9 million Americans, 15.2 million British citizens and around 19 thousand Canadian citizens. It was thereby one of the largest cybercrimes to this day in regards to identity theft.
Attackers used an unpatched vulnerability in Apache Struts to gain access to Equifax's corporate network and internal servers. During 76 days the attackers disguised themselves as authorized users, made thousands of database queries, and finally extracted the data to at least 34 different servers in 20 different countries.
Timeline: Equifax Attack
1. March 7, 2017 - A key security patch for Apache Struts was released.
2. March 10, 2017 - An unknown hacking group was searching the web for websites that had not updated Struts.
3. May 12, 2017 - As determined through postmortem analysis, the breach started on this date, when hackers gained access to internal servers of Equifax's corporate network through the Struts vulnerability.
4. During 76 days the attackers used multiple servers in various countries to extract sensitive data of millions of American, British, and Canadian citizens.
5. July 29, 2017 - Equifax discovered the breach.
6. July 30, 2017 - Equifax shut off the exploit.


Overall Summary

Vulnerabilities
Unpatched Open-Source Software: an unpatched third-party vulnerability in an open-source framework. Apache Struts was still not patched even about 2 months after the critical security update.
Insecure Network Design: the Equifax corporate network was not sufficiently segregated and segmented, allowing for lateral movement of the attackers.
Data Security: Equifax did not sufficiently encrypt the personally identifiable information of their customers.
Breach Detection: Equifax had insufficient monitoring and vulnerability management procedures in place, thus only observing the attackers' activity after they had been in the system for more than 2 months.

Costs
• $300 million as victim compensation
• $175 million to the states and territories in the agreement
• $100 million to the Consumer Financial Protection Bureau

Prevention
• Regular software patching and open-source software vulnerability scans
• Properly encrypt client data, especially PII
• Segment the network and use API gateways and access policies to limit lateral movement
• Use a SIEM or IDS to monitor network activity
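The breach-detection gap described above (thousands of queries under authorized accounts going unnoticed for 76 days) is the kind of signal a per-account query-volume baseline surfaces. The following Python is an added example, not part of the original slides or of any Equifax tooling; the audit-log format, account names and daily counts are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed daily audit summary, one line per account per day:
# "<date> <account> <query_count>". Not real Equifax data.
SAMPLE_LOG = """\
2017-05-01 svc_dispute 120
2017-05-02 svc_dispute 135
2017-05-03 svc_dispute 128
2017-05-04 svc_dispute 3400
2017-05-05 svc_dispute 3900
2017-05-01 svc_billing 40
2017-05-02 svc_billing 38
2017-05-03 svc_billing 45
2017-05-04 svc_billing 41
2017-05-05 svc_billing 50
"""

def parse_log(text):
    """Return {account: [(date, count), ...]} in file order; skip malformed lines."""
    per_account = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # malformed line: do not let it poison the baseline
        date, account, count = parts
        per_account[account].append((date, int(count)))
    return per_account

def find_anomalies(per_account, baseline_days=3, factor=5.0, min_queries=500):
    """Flag days where an account's count exceeds factor x the median of its
    first baseline_days days AND an absolute floor (so a quiet account going
    from 5 to 30 queries does not page anyone)."""
    alerts = []
    for account, days in per_account.items():
        baseline = [count for _, count in days[:baseline_days]]
        if len(baseline) < baseline_days:
            continue  # too little history to baseline this account
        threshold = max(factor * median(baseline), min_queries)
        for date, count in days[baseline_days:]:
            if count > threshold:
                alerts.append((date, account, count, threshold))
    return alerts

if __name__ == "__main__":
    for date, account, count, threshold in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"ALERT {date} {account}: {count} queries (threshold {threshold:.0f})")
```

In a real deployment the baseline window would be weeks rather than three days and the alert would feed the SIEM named in the prevention list; the logic of comparing each account against its own history is the same.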
