Ethan Plail

What happened at Equifax, and Should It Have Been Ready?

“If you have a credit report, there’s a good chance that you’re one of the 143 million American consumers whose sensitive personal information was exposed in a data breach at Equifax.”1 On September 14, the Federal Trade Commission (FTC) announced that it will be investigating the Equifax data breach.2 The FTC is empowered, through the Gramm-Leach-Bliley Act,3 to investigate data breaches and take enforcement action against those who cause unauthorized disclosure of personal information. Under the Act and FTC rules,4 an entity must take reasonable steps to prevent the loss of personal information and to protect their users. Did Equifax take reasonable steps to prevent the disclosure of its customers’ information?

Over the past few years, the FTC has taken a number of enforcement actions against companies who failed to take the necessary and appropriate steps to protect their users’ information. From the numerous consent decrees and actions brought by the FTC, it is fairly easy to get a sense for the kind of actions which are deemed unreasonable. On May 15 of this year, in a complaint where the FTC claimed that D-Link failed to take reasonable steps to protect the security of its users, the FTC entered into a consent agreement with D-Link.5 Specifically, D-Link “failed to use free software, available since at least 2008, to secure users’ mobile app login credentials, and instead have stored those credentials in clear, readable text on a user’s mobile device.”6 Also in 2016, the FTC entered into another such agreement with LifeLock. The FTC claimed that LifeLock “failed to use readily available security measures to routinely prevent unauthorized access to personal information, such as by installing patches and critical updates on its network” and “[d]id not adequately assess the vulnerability of the network and web applications to commonly known and reasonably foreseeable attacks, such as SQL injection attacks.”7

Very few particulars have come to light about the Equifax breach thus far. However, several reports indicate Equifax had a deficient security culture and failed to take basic measures to prevent the loss of information. Based on the above FTC proceedings, Equifax most likely failed to take reasonable action to secure the personal information which was entrusted to them by their users.

Some early reports have indicated that Equifax stores personal information in plaintext; however, this has not been confirmed.8 The one piece of information which has been more or less confirmed is that the hackers gained access through a vulnerability in a program called Apache Struts.

Struts is a framework or toolkit for creating and maintaining web applications.9 Struts is used to build internet-facing web services like online stores and portals. An online store like Amazon.com would use tools like Struts to customize the content of the website for each user, and update its content dynamically as the user interacts with the site.

Such a framework, which allows the site to dynamically change and fit the preferences of the user, needs to be able to communicate with a database of information. The vulnerability at play here, named CVE-2017-9805, actually occurs when two Struts plugins, XStream and REST (representational state transfer), work together to communicate with the database server.10

The XStream plugin allows Struts to work with a markup language called XML. In this context, XML is simply a way of formatting information; web services use it to assure that an apple on one server does not get translated to an orange on the next.11

The other plugin, REST, is also vital to the operation of many Struts applications.12 REST allows applications to make requests over HTTP; this is preferred over other methods because it is easier to create and uses less bandwidth, making it more deployable on the internet.13 REST commonly has four main methods: GET (get information from the database), PUT (update information in the database), PATCH (change only one field in the database), POST (create a new entry in the database). Basically, REST uses XML to communicate with another system on the web, but more importantly, the REST plugin is what allows the application to request, acquire, and respond to data which is uploaded by the user and then communicate that data to and from the server.

A basic feature of a REST request is that instead of having all of the information for the request stored in a crazy URL, the REST request will organize everything, using XML, into what is called the HTTP body (think the body of an email). If a user is trying to access their account, they would type in a username and password; the plugin would then format all of this information into the HTTP body, like so:

<XML>
  <user>
    <username>JohnSmith</username>
    <password>thebestpassword</password>
  </user>
</XML>

This information is then encrypted and sent to the server. The server decrypts the information, compares it to the record, and sends back the requested information.

What is interesting about XML and the XStream Plugin is that it is powerful enough to store all of the information required to build Java14 objects and almost any kind of program.15 Therefore, it is possible to use REST and XML to send packets of code to the server. Part of this loophole is intentional in design. Part of the request, called the HTTP header (think email subject line), tells the server how to interact with the coming data. However, in this case, if a request contained an unknown command, the server would throw an error and then attempt to run the command without checking to see if it contained any kind of malicious code.16 In other words, a malicious user can feed an entire program to the server, which the server will then run, by embedding the code into the HTTP header.
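
An added illustration, not part of the original article and not Struts or XStream code: a toy Python unmarshaller showing why it matters that the XML body can describe which object to build, and how a type allowlist closes that off. The names `User`, `ALIASES`, `unmarshal_permissive` and `unmarshal_allowlisted` are hypothetical, and both request bodies are constructed samples.

```python
# Toy model of XML-to-object unmarshalling; hypothetical names, not XStream's API.
import importlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class User:
    username: str
    password: str


# Constructed request bodies (not captured traffic).
LOGIN_BODY = ("<user><username>JohnSmith</username>"
              "<password>thebestpassword</password></user>")
# Same transport, but the root element names a type the endpoint never asked for.
UNEXPECTED_BODY = ("<collections.OrderedDict><username>x</username>"
                   "</collections.OrderedDict>")

ALIASES = {"user": User}  # the only types this endpoint is meant to accept


def fields(root):
    """Child elements as plain string fields."""
    return {child.tag: (child.text or "") for child in root}


def unmarshal_permissive(body):
    """Weak form: the element name picks the class, so the sender does too."""
    root = ET.fromstring(body)
    if root.tag in ALIASES:
        cls = ALIASES[root.tag]
    else:
        module, _, name = root.tag.rpartition(".")
        cls = getattr(importlib.import_module(module), name)
    return cls(**fields(root))


def unmarshal_allowlisted(body):
    """Hardened form: refuse any type that is not on the endpoint's allowlist."""
    root = ET.fromstring(body)
    cls = ALIASES.get(root.tag)
    if cls is None:
        raise ValueError(f"type not allowed: {root.tag!r}")
    return cls(**fields(root))
```

The permissive function builds whatever type the body names, while the allowlisted one accepts the login body and rejects everything else before any object is created.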

While this is all unwell and bad, does this mean that Equifax acted unreasonably?

The creator of Struts, Apache, identified this weakness in their system in March of 2017.17 Apache released a patch and encouraged their users to update. However, Apache cannot force users to update. A basic step in server security is to update often and to stay apprised of the latest weaknesses, especially if those systems have unfettered access to all of the users’ personal information.

As in LifeLock and D-Link, Equifax failed to take the necessary steps of patching and updating its system.18 Further, Equifax did not analyze the vulnerability of its system to common forms of attack. The announcement of a major weakness in one of the largest web frameworks should have raised some eyebrows at Equifax, even more so because the vulnerability allowed code to be sent to and executed on the server. In a recent statement, Richard Smith, former Equifax CEO, admitted that Equifax was aware of the weakness within its system as early as March 8.19 However, internal security audit and maintenance teams failed to patch the affected system.

For all of these reasons, it is likely that Equifax has failed to take reasonable precautionary steps to prevent the unauthorized disclosure of its users’ information.

Director of Technology, GLTR; Georgetown University Law Center, J.D. expected 2018; University of Florida, B.S. 2015. ©2017, Ethan Plail