Equifax said a breach it discovered in March was not related to the second, massive breach the company disclosed in September though the hackers were reportedly the same, according to sources who spoke with Bloomberg, and the same vulnerability in Apache Struts was exploited in both incidents.
"Equifax complied fully with all consumer notification requirements related to the March incident," according to a company statement. "The two events are not related."
The motive behind the breach discovered in March may have been entre into banking and financial institution networks, Bloomberg reported, noting that the Equifax called in Mandiant to investigate in both instances.
The later breach has already cost the company its CSO and CIO, who announced their retirement plans last week; drawn the scrutiny of financial regulators and has Congress questioning the company's security practices and the sell-off of stock by three Equifax executives just three days after the mega breach was discovered in July but more than a month before it was revealed publicly; and spawned legislation and regulatory action.
Equifax has been publicly skewered for both its delay in disclosing the massive breach that exposed the personal data of 143 million American consumers and patching the vulnerability in Apache Struts that was fixed in March.
Similar flaws are discovered frequently, but “the cause though was a failure on Equifax's part to patch the issue when a fix became available,” said Leigh-Anne Galloway, cybersecurity resilience officer at Positive Technologies.
“Equifax's overt negligence is undoubtedly reprehensible, however I think the waterfall of harsh critique also becomes unfair,” said High-Tech Bridge CEO Ilia Kolochenko, who explained that Equifax's tale is not a solitary one. “The sad and inconvenient truth is that a majority of large companies have similar challenges, problems and weakness in their cybersecurity.”
Noting that “most companies still fail to maintain a proper application inventory and thus keep critical vulnerabilities unpatched for months,” Kolochenko said, “Worse and the more alarming is that some companies never even detect the breaches due to the sophistication and professionalism of the attackers.”
Recent research reports suggest “that application security is a globally underestimated risk, and it's just unfair to shift the entire punitive burden and overall responsibility to Equifax,” Kolochenko said.
“More often than not, we are seeing breaches as a result of an organization's failure to implement security 101 principles, proper patch management, secure software development, processes and procedures. It's the basic things that organizations fail to do, again and again,” Galloway said.
Michael Patterson, CEO of Plixer explained that often the issue is that companies are motivated to patch systems based on risk. “Equifax may have had other more pressing IT projects at the time the Apache software update was released,” Patterson said. “Perhaps someone in IT at Equifax decided that a new feature in a software system took priority or maybe something like integration with a strategic partner which lead to increased sales. Any number of reasons like this could be behind why the patch wasn't applied immediately. However, this was a critical patch and the outcome has been devastating.”
Although Patterson said companies can't “defend against all attacks due to their dynamic nature,” he suggested they “have rapid response procedures in place to detect and remediate attacks in a shorter period of time.”
Simon Townsend, chief technologist at Ivanti, advocated for the “unification of IT technology, people and processes” so that the CIO, who “carries the ultimate responsibility for securing and protecting the business” and often takes the fall for a breach, can have better visibility of both discovered data points and actionable tasks.”