Equifax announced yesterday that more data than previously thought was breached in the hack announced last year.
While the number of individuals believed to be affected by the infiltration has not increased from the last count of 148 million, the ongoing audit has revealed that 38,000 US drivers’ licenses and 3,200 passport details had been uploaded to the portal. Other details which were exposed include names and dates of birth, social security numbers, address information and card numbers and expiry dates of payment cards.
The cost of the breach to Equifax so far is estimated to be around $243 million, $60 million of which is covered by insurance. As well as financial cost, the breach – and the circumstances around it, compounded by poor handling of disclosure, delay in revealing the information, and allegations of insider trading – has had major reputational consequences. In the six months following the breach, the Consumer Financial Protection Bureau received over 20,000 complaints about the company and its handling of the issue.
Equifax’s name has become synonymous with corporate security negligence
– Dell Cameron, Gizmodo
However, despite criticisms of both how the breach occurred (a failure to patch systems following the disclosure of the bug that made the hack possible) and the company’s handling of the disclosure, Equifax shareholders voted last week to re-elect all of the company’s board members. In a letter to the shareholders last month, investment advisor CtW Investment Group advised against re-electing the board, on the grounds that they had been warned repeatedly about the security concerns which let the breach happen and had failed to act.
What’s more, despite the media attention drawn by the sheer scale of the breach, it doesn’t look particularly likely to result in significant change. Not only have board members accused of negligence been re-elected, but some of the world’s wealthiest companies are still using – or have since introduced – the same insecure software exploited in the Equifax breach.
According to data provided by open-source automation firm Sonatype, at least 10,800 companies have since downloaded vulnerable versions of Apache Struts – including over half of the Fortune Global 100, and at least seven tech giants. Of these, as many as 3,049 organisations downloaded software with the exact same vulnerability (CVE-2017-5638) exploited in the Equifax breach.
“Downloading vulnerable versions of Struts is a symptom of a broader hygiene issue,” says Wayne Jackson, Sonatype’s CEO. “The problem is that these organizations don’t care enough to exert control, or don’t have infrastructure in place to know what’s being used.”
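The “infrastructure in place to know what’s being used” that Jackson describes is, at its simplest, an inventory check over build dependencies. The script below is an added illustration, not code from the article, Sonatype or Apache: it reads dependency lines in the `groupId:artifactId[:type]:version[:scope]` shape that `mvn dependency:list` prints (the sample inventory is constructed) and flags any `struts2-core` artifact whose version falls in the ranges Apache listed for CVE-2017-5638 in its S2-045 advisory, 2.3.5 to 2.3.31 and 2.5 to 2.5.10. Versions it cannot parse are reported separately rather than silently passed, so a qualifier like `-SNAPSHOT` does not hide a match.

```python
"""Flag Apache Struts 2 core artifacts in a dependency listing whose version
falls in the range affected by CVE-2017-5638 (Apache advisory S2-045).

Added example; the inventory below is constructed, not real build output."""
import re
from typing import List, Optional, Tuple

# Inclusive version ranges affected by CVE-2017-5638 according to S2-045:
# 2.3.5 through 2.3.31 and 2.5 through 2.5.10 (fixed in 2.3.32 and 2.5.10.1).
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10))]
AFFECTED_GROUP, AFFECTED_ARTIFACT = "org.apache.struts", "struts2-core"

# Constructed sample in the shape of `mvn dependency:list` output lines.
SAMPLE_INVENTORY = """
org.apache.struts:struts2-core:jar:2.3.31:compile
org.apache.struts:struts2-core:jar:2.5.10.1:compile
org.apache.struts:struts2-core:jar:2.5.10:compile
org.apache.struts:struts2-core:jar:2.3.32:compile
org.apache.struts:struts2-convention-plugin:jar:2.3.31:compile
org.apache.commons:commons-lang3:jar:3.5:compile
"""


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Turn '2.5.10.1' into (2, 5, 10, 1); None if not purely numeric."""
    m = re.fullmatch(r"\d+(?:\.\d+)*", version.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def _pad(t: Tuple[int, ...], n: int) -> Tuple[int, ...]:
    """Right-pad with zeros so (2, 5) compares as (2, 5, 0)."""
    return t + (0,) * (n - len(t))


def is_affected(version: str) -> bool:
    """True if a numeric Struts version lies inside an affected range."""
    v = parse_version(version)
    if v is None:
        return False
    for lo, hi in AFFECTED_RANGES:
        n = max(len(v), len(lo), len(hi))
        if _pad(lo, n) <= _pad(v, n) <= _pad(hi, n):
            return True
    return False


def parse_coordinate(line: str) -> Optional[Tuple[str, str, str]]:
    """Read group:artifact[:type]:version[:scope]; None for non-coordinate lines."""
    parts = line.strip().split(":")
    if len(parts) < 3:
        return None
    group, artifact = parts[0], parts[1]
    # With a packaging field present the version is the fourth field.
    version = parts[3] if len(parts) >= 4 else parts[2]
    return group, artifact, version


def find_affected(inventory: str) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Return (affected struts2-core coordinates, unparseable struts2-core versions)."""
    affected, unparsed = [], []
    for line in inventory.splitlines():
        coord = parse_coordinate(line)
        if coord is None:
            continue
        group, artifact, version = coord
        if (group, artifact) != (AFFECTED_GROUP, AFFECTED_ARTIFACT):
            continue
        if parse_version(version) is None:
            unparsed.append(version)  # e.g. '2.3.31-SNAPSHOT': needs a human look
        elif is_affected(version):
            affected.append(coord)
    return affected, unparsed


if __name__ == "__main__":
    hits, unknown = find_affected(SAMPLE_INVENTORY)
    for group, artifact, version in hits:
        print(f"CVE-2017-5638: {group}:{artifact}:{version}")
    for version in unknown:
        print(f"unparsed struts2-core version, review manually: {version}")
```

Run against real `mvn dependency:list` output the same way; the point is that the check is cheap enough to sit in a build pipeline, which is the control Jackson says many organisations lack.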
However, it’s not necessarily the case that all of these downloads resulted in deployments which could put further data at risk.
“Developers will have a number of reasons for downloading older versions of Apache Struts, to reproduce running environments and diagnose regressions,” pointed out Mark Cox, a member of Apache Software Foundation’s Security Team. Given how high profile the Equifax breach was, and the role in it of the software’s vulnerabilities, it’s certainly preferable to think that at least some of these downloads, particularly at tech giants, were for research and testing purposes.