igor - Fotolia

Warning for Equifax security issues came months before breach

A security researcher reportedly disclosed a number of Equifax security issues to the company months before the major data breach, and none of the problems were fixed.

A new report alleges the Equifax security issues were far worse than originally thought, and some warnings may have gone unheeded for months prior to the company being breached.

A security researcher claimed to have disclosed a number of Equifax security issues in December 2016 -- approximately three months before the initial breach of Equifax systems.

One of the Equifax security issues detailed by the unnamed researcher in a report by Motherboard said an Equifax website exposed the personally identifiable information (PII), including names, city and state locations, social security numbers and birthdates, though a forced-browsing bug.

Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., said this sort of bug was "inexcusable in this day and age."

"[Andrew] 'Weev' Auernheimer went to prison over exploiting a forced-browsing bug that revealed far less sensitive information than that revealed through the Equifax web applications," Williams told SearchSecurity. "That a company would be notified about a forced-browsing issue exposing PII and then fail to fix it in the current security climate borders on negligence."

Beyond that bug, the researcher said they found Equifax servers running outdated software and vulnerable to SQL injection attacks, allowing shell access to those systems.

Peter Tran, general manager and senior director of worldwide advanced cyberdefense practice at RSA Security, based in Bedford, Mass., said the Equifax security issues were not unique, but "the table stakes increase exponentially in PII-intensive businesses."

"Blind spots in vulnerability monitoring and visibility can go off the rails very fast, particularly over publicly web-facing assets open to overwhelming amounts of probing and reconnaissance," Tran told SearchSecuruty. "It's a double bubble: If one security layer pops, you can pop the other -- i.e., the classic SQL injection blind spot."

Equifax security response

That a company would be notified about a forced-browsing issue exposing PII and then fail to fix it in the current security climate borders on negligence.
Jake Williamsfounder of Rendition Infosec

With the disclosure of these problems to Equifax, the security researcher asked the company to at least take down the public access to these servers. However, Equifax didn't take action until June -- approximately three months after the company had been breached via an unrelated Apache Struts vulnerability and one month before the company detected that breach.

Hector Monsegur, director of assessment services at Seattle-based Rhino Security Labs, said the "entire situation is inexcusable." But, unfortunately, he said he could also "see how vulnerability warnings may have gone under the radar."

"This is common among organizations with large attack surfaces, vast amount of employees and no coordination between its various IT departments. Unless they drastically change their current state of security, I fear the situation may be getting worse," Monsegur told SearchSecurity. "Eventually, large organizations with lax security will be facing a reality check: There are consequences to major blunders in security. Attorneys general across the United States have been taking action against companies who are not properly safeguarding financial or customer information. Being 'too large to fail' is no longer a free pass."

Rick Holland, vice president of strategy for San Francisco-based Digital Shadows, said the revelation of these latest Equifax security issues makes it "even more difficult to accept former CEO Richard Smith's explanation that a single employee 'not doing their job' was the reason this intrusion occurred."

"Systemic issues in Equifax's vulnerability management program were more likely to have contributed to this breach than a single person. Given the nature of Equifax's data, they were highly likely to be targeted by a vast array of threat actors from nation states to hactivists to cybercriminals," Holland told SearchSecurity. "If their security program is as weak as it is being reported, then you probably had multiple threats actors stepping all over themselves as they probed and pivoted across the environment."

Jules Okafor, vice president of cyber risk programs at Fortress Information Security in Orlando, Fla., said the Equifax security issues appeared systemic.

"Experts attribute Equifax's breach to a combination of small, but incremental technical lapses. Yet, breaches at large enterprises can be directly attributed to failed processes and priorities -- innovation over security, single points of failure and a siloed approach to vulnerability risk management," Okafor told SearchSecurity. "These are systemic issues that impact a security team's ability to detect, respond and remediate critical threats in a timely fashion."

Next Steps

Learn tips on securing SQL servers and protecting databases from attacks

Find out why security is a shared responsibility

Get info on incident response tools that can automate security

Dig Deeper on Security operations and management