This article is from the source 'nytimes' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at https://www.nytimes.com/2017/09/14/business/equifax-hack-what-we-know.html

The article has changed 6 times.

Version 1: What We Know and Don’t Know About the Equifax Hack
Version 2 (about 5 hours later): Equifax Breach: What We Know and Don’t Know
SAN FRANCISCO — Last week, the consumer credit reporting company Equifax revealed that it had discovered a breach in its online systems that potentially impacted 143 million consumers. But many details about the breach and the computer security defenses at Equifax are still unclear.
Version 1: • Hackers exploited a vulnerability in website software. They gained access to certain files containing names, Social Security numbers, birth dates, addresses and driver’s license numbers. Equifax also said the thieves lifted credit card numbers for about 209,000 consumers. The company also said that around 400,000 British consumers may have also been affected.
Version 2: • Hackers exploited a vulnerability in website software. They gained access to certain files containing names, Social Security numbers, birth dates, addresses and driver’s license numbers. Equifax also said the thieves lifted credit card numbers for about 209,000 consumers. The company on Friday disclosed that around 400,000 British consumers may have also been affected.
Version 1: • The breach was open from mid-May to July 29. That was when Equifax first detected it. The company said it had immediately worked to stop the intrusion and hired an outside firm to determine the scope and causes of the breach. It has not disclosed the name of the consulting firm.
Version 2: • The breach was open from mid-May to July 29. That was when Equifax first detected it. The company said it had immediately worked to stop the intrusion, and the following week engaged Mandiant, an independent cybersecurity firm, to oversee an investigation into the scope and causes of the breach.
• The hack involved a known vulnerability in software used by Equifax. The New York Post first reported that hackers had exploited a vulnerability in Apache Struts, a kind of open-source software that companies like Equifax use to build websites.
Version 1: On Thursday, Equifax confirmed that the breach involved a bug in Apache Struts, and identified the specific vulnerability. This security weakness was publicly identified in March and a patch to fix it had been available since then. That means Equifax could have worked to plug the hole using readily available instructions two months before the breach occurred but did not.
Version 2: On Thursday, Equifax confirmed that the breach involved a bug in Apache Struts, and identified the specific vulnerability. This security weakness was publicly identified in March and a patch to fix it had been available since then.
The rules for commercial use of open-source software can vary. Generally speaking, open-source software is built collaboratively by developers inside companies, academia and even hobbyists, and is available for free or at a low cost. Different types of Apache software are widely used all over the world.
Version 1: It is not clear who had access to the website software exploited by the hackers. Although Equifax said that the hackers had exploited the vulnerability in a “U.S. website application,” that does not mean it was one of the company’s public-facing websites. It could mean that the exploited software was only available to Equifax employees. If that was the case, the hackers who exploited the flaw could have had access to the company’s private network.
Version 2: The breach involved a public website application. The company said the breach occurred in a public website application where consumers could dispute the accuracy of credit information collected by the company. The company said it noticed suspicious traffic to the application on July 29 and took the application offline the next day. It then patched the vulnerability in the application and put the application back online.
Version 1: It is also unclear why the company did not patch the vulnerability and why other security methods failed to stop the attack. Within three days of the vulnerability being revealed, public reports said that hackers were already exploiting the bug on websites. Had Equifax followed the advice of the community of software developers who oversee Struts, “this breach would not have occurred,” said Oege de Moor, the chief executive of the security firm Semmle.
Version 2: Equifax is making personnel changes following the hack. On Friday, Equifax said its chief information officer, Susan Mauldin, and its chief security officer, David Webb, were retiring. The company said the changes were “effective immediately.”
Version 1: Mr. de Moor said that the publicly available instructions for patching the bug were “clear and simple.”
Version 2: It is not clear why the company’s security methods failed to stop the attack. Equifax said that it was aware of the vulnerability two months earlier and worked to patch the bug then. It is not clear why this patch was unsuccessful, and the company said that it may release additional information as its investigation into the incident continues.
Version 1: But there are other ways of guarding against potential attacks. Avivah Litan, a security analyst with the research firm Gartner, said that the bug alone was not to blame. “You have to have layered security controls,” Ms. Litan said. “You have to assume that your prevention methods are going to fail.”
Version 2: Avivah Litan, a security analyst with the research firm Gartner, said that the bug alone was not to blame. “You have to have layered security controls,” Ms. Litan said. “You have to assume that your prevention methods are going to fail.”
Version 1: • The perpetrators of the Equifax breach have not been identified. A group of hackers calling themselves the “PastHole Hacking Team” has claimed responsibility, and threatened to release the data on Friday if their ransom demand of 600 Bitcoin — roughly $2.5 million — is not met. In posts and communications with security researchers, members of the team claimed they were able to garner far more data than they expected when they targeted Equifax.
Version 2: • The perpetrators of the Equifax breach have not been identified. A group of hackers calling themselves the “PastHole Hacking Team” has claimed responsibility, and threatened to release the data if their ransom demand of 600 Bitcoin — roughly $2.5 million — was not met. In posts and communications with security researchers, members of the team claimed they were able to garner far more data than they expected when they targeted Equifax.
• That doesn’t mean this group of hackers was really responsible. Intelligence officials and security analysts in private industry said that while it is far too early to say definitively who breached Equifax, the leading theory is that the company was hit by a nation-state or hackers operating on a nation-state’s behalf. They point to the sheer scale of theft, which most likely would have required a heightened degree of sophistication to pull off without being detected.
Other security experts said it would be smart to consider motivation and intent. “Are cybercriminals going to try and sell circa 150 million records in dark web auctions? That’s nearly half the population of the United States,” said Thomas Boyden, president of GRA Quantum, a company that specialized in cyberattack incident response. “Are there standard cybercriminals out there with the purchasing power for that type of data?”
Still, the detailed personal and financial information collected by a company like Equifax can be resold on the so-called Deep Web. It is much more valuable than credit card numbers, because it has a longer life span and can be used to access all kinds of other information, like bank accounts, loan details and medical records.
• Have these hackers struck before? Mr. Boyden and others said that the breach had many parallels with previous breaches of personal information by nation-states and their contractors. Such government-affiliated hackers compile giant databases of stolen information to see if there is material that can be used for espionage or perhaps even blackmail. Using data-sifting technologies, they comb through massive collections of information to find useful material.