Gotta admire the artful way they gave the appearance of disclosure while avoiding answering the most damning question: why did it take so long for them to patch Struts?
"The particular vulnerability in Apache Struts was identified and disclosed by U.S. CERT in early March 2017."
"Equifax's Security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company's IT infrastructure."
?????????!!!!!!??????
"While Equifax fully understands the intense focus on patching efforts, the company's review of the facts is still ongoing."
I have a different question. So here's their timeline:
MARCH 2017 - Vuln in Struts is disclosed by CERT.
MAY 13 - Initial intrusion happens according to FireEye's later analysis
JULY 29 - Equifax notices weird activity.
JULY 30 - Equifax notices more weird activity.
JULY 30 - Equifax takes down affected web site
JULY 30ish? - Equifax realized vuln was Struts. Patches. Puts site right back up.
AUG 2 - Hire FireEye to check things out
(weeks) - FireEye assesses situation and presumably Equifax panics
SEP 7 - Equifax makes intrusion public, offers self-described "comprehensive package" including the web site "so that consumers can quickly and easily find the information they need".
At SOME point, they kind of shove in the statement that the following entities were notified:
* FBI
* all U.S. State Attorneys General
* other federal regulators.
My question is WHEN did this happen? It's my understanding there are rules-- state and federal-- about when law enforcement (and affected parties) need to be notified on a breach of this size involving this type of sensitive information.
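The "identify any vulnerable systems" step is the part of the timeline above that stretches from disclosure in March to the patch at the end of July. As an added example (my own code, not Equifax's and not anything posted in this thread), here is a small inventory script that walks a directory tree, picks out struts2-core jars by their Maven-style file name, and flags every one below a given fixed version. The jar naming pattern, the sample tree and the "fixed version" threshold are assumptions for the demo, not values taken from the thread or from any advisory.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed Maven-style artifact naming, e.g. struts2-core-2.3.5.jar
STRUTS_JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.5.10' into (2, 5, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def find_struts_jars(root):
    """Walk root and return [(path, version_tuple)] for every struts2-core jar found."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            match = STRUTS_JAR_RE.match(name)
            if match:
                hits.append((os.path.join(dirpath, name), parse_version(match.group(1))))
    return hits


def flag_outdated(hits, fixed_version):
    """Return only the hits whose version is older than the version the fix shipped in."""
    fixed = parse_version(fixed_version)
    return [(path, version) for path, version in hits if version < fixed]


def build_sample_tree(base):
    """Constructed sample layout: two web apps, one on an older struts2-core and one on
    the assumed fixed version, plus an unrelated jar that must be ignored."""
    for rel in ("app-a/WEB-INF/lib/struts2-core-2.3.5.jar",
                "app-b/WEB-INF/lib/struts2-core-2.5.10.jar",
                "app-b/WEB-INF/lib/commons-lang3-3.5.jar"):
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"")  # contents don't matter; only the file name is inspected
    return base


def demo(fixed_version="2.5.10"):
    """Build the sample tree, scan it, and return the relative paths that still need patching.
    The default threshold is a placeholder for the demo, not a claim about any real advisory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        outdated = flag_outdated(find_struts_jars(tmp), fixed_version)
        return sorted(os.path.relpath(path, tmp) for path, _ in outdated)


if __name__ == "__main__":
    for rel in demo():
        print("needs patching:", rel)
```

On a real fleet you would point `find_struts_jars` at each deployment root (or run it from a configuration-management job) and feed the threshold from the advisory you are responding to; the point is that the inventory step is mechanical and can be done in hours, not months.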
I hope Equifax will be learning from this, but can you tell your CEO that your core business must be shut down for 3 weeks as you upgrade and rebuild the system?
Yes, the risk is much higher than the cost. From the article:
> The company's internal review of the incident continued. Upon discovering a vulnerability in the Apache Struts web application framework as the initial attack vector, Equifax patched the affected web application before bringing it back online.
That bullet point lies between the "July 30th" and "August 2nd" bullet points. Based on that timeline, the vulnerability took days to patch.
The reason they don't is that they just don't care... and for their business that's the rational decision. Data security isn't as core to their business as it is to a bank. If a bank has a breach, bank accounts get drained. If Equifax has a breach, it's annoying but manageable fines and their CEO gets grilled in a few congressional hearings.
Equifax's core business is about giving out credit scores. I'd bet their biggest fear is giving someone a high score when they deserve a low one. Data breaches, moderately inaccurate information... a nuisance, but a sideshow.