By SecureWorld News Team
Thu | Sep 28, 2017 | 8:36 AM PDT

Ever wonder how many warnings Equifax actually missed about serious vulnerabilities in the Apache Struts code it was using?

Well, wonder no more.

Our SecureWorld cybersecurity news team just completed a review of the Massachusetts lawsuit against Equifax.

It clearly spells out what Equifax failed to see, or at least failed to act on, over and over again. This failure to act is likely part of the reason the Equifax CEO 'retired' just 19 days after the breach was announced.

Equifax Missed or Ignored Multiple Warning Signs

  1. Equifax missed or ignored the Apache Struts Warning

    "On March 7, 2017, Apache published notice of a security vulnerability in certain versions of Apache Struts in its online security bulletins S2-045 and S2-046." These bulletins assigned the March security vulnerability a 'maximum security rating' of 'critical' and specifically warned that it allowed remote code execution (RCE). This is the vulnerability tracked as CVE-2017-5638.

  2. Equifax missed or ignored the NIST Notice

    "NIST also publicized the March Security Vulnerability in its NVD on or about March 10, 2017." NIST assigned the vulnerability a CVSS (Common Vulnerability Scoring System) base score of 10.0 out of 10.0, the highest score possible. In other words, this vulnerability was as bad as they come. And, by the way, there was something else, according to the Massachusetts Attorney General: "The NIST Notice also documented over twenty other website resources for advisories, solutions, and tools related to the March Security Vulnerability and how to patch or fix it."

  3. Equifax missed or ignored the US-CERT Security Bulletin

    "Following the NIST Notice, the United States Computer Emergency Readiness Team ('US-CERT') issued a security bulletin (SB17-079) on March 20, 2017, calling out the March Security Vulnerability as a 'High' severity vulnerability ('US-CERT Alert')."

  4. Equifax missed or ignored updates to the MITRE Database

    "Likewise, MITRE included the March Security Vulnerability in the Vulnerability Database and documented various external website references to the March Security Vulnerability." The MITRE Corporation, by the way, is 'a not-for-profit organization that operates research and development centers sponsored by the [United States] federal government,' that identifies code security vulnerabilities and maintains a free, publicly available database of known risks.

  5. Equifax missed or ignored news stories that exploitation of the Apache Struts vulnerability was underway

    "In the days following the public disclosure of the March Security Vulnerability by Apache, media reports claimed that hackers were exploiting the March Security Vulnerability against numerous companies, including banks, government agencies, internet companies, and other websites."

So there you go. At least five different warning signs that Equifax missed or ignored, and that led to the mega breach for the company and put the identities of 143 million Americans at risk.

If you know of other cybersecurity bulletins that InfoSec teams track, or should track, please comment below.

Perhaps the list of warnings Equifax missed or ignored is even longer.

For the latest in cybersecurity news, follow SecureWorld on LinkedIn, Twitter, or Facebook.
