Georgetown Law
Technology Review

“If you have a credit report, there’s a good chance that you’re one of the 143 million American consumers whose sensitive personal information was exposed in a data breach at Equifax.”1Seena Gressin, The Equifax Data Breach: What to Do, FED. TRADE COMMISSION: CONSUMER INFORMATION (Sept. 8, 2017), https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do. On September 14, the Federal Trade Commission (FTC) announced that it will be investigating the Equifax data breach.2Dustin Volz & Susan Heavey, FTC Probes Equifax, Top Democrat Likens It to Enron, REUTERS (Sept. 14, 2017, 9:38 AM), http://www.reuters.com/article/us-equifax-cyber-ftc/ftc-probes-equifax-top-democrat-likens-it-to-enron-idUSKCN1BP1VX?. The FTC is empowered, through the Gramm-Leach-Bliley Act,3Gramm-Leach-Bliley Act, Pub. L. No. 106-102, 113 Stat. 1338, 15 U.S.C. §§ 6801-6809, §§ 6821-6827. to investigate data breaches and take enforcement action against those who cause unauthorized disclosure of personal information. Under the Act and FTC rules,4Privacy Rule, 16 C.F.R. 313 (2000). an entity must take reasonable steps to prevent the loss of personal information and to protect their users. Did Equifax take reasonable steps to prevent the disclosure of its customers’ information?

Over the past few years, the FTC has taken a number of enforcement actions against companies who failed to take the necessary and appropriate steps to protect their users’ information. From the numerous consent decrees and actions brought by the FTC, it is fairly easy to get a sense for the kind of actions which are deemed unreasonable. On May 15 of this year, in a complaint where the FTC claimed that D-Link failed to take reasonable steps to protect the security of its users, the FTC entered into a consent agreement with D-Link.5Fed. Trade Comm’n v. D-Link Sys., Inc., No. 3:17-cv-00039-JD, DE 74-75 (N.D. Cal. May 5, 2017) (joint stipulation and order dismissing D-Link Corporation without prejudice). Specifically, D-Link “failed to use free software, available since at least 2008, to secure users’ mobile app login credentials, and instead have stored those credentials in clear, readable text on a user’s mobile device.”6Fed. Trade Comm’n v. D-Link Sys., Inc., No. 3:17-cv-00039-JD, 2017 WL 65168 (N.D.Cal. Jan. 5, 2017) (complaint). Also in 2016, the FTC entered into another such agreement with LifeLock. The FTC claimed that LifeLock “failed to use readily available security measures to routinely prevent unauthorized access to personal information, such as by installing patches and critical updates on its network” and “[d]id not adequately assess the vulnerability of the network and web applications to commonly known and reasonably foreseeable attacks, such as SQL injection attacks.”7Fed, Trade Comm’n v. LifeLock, Inc., No. CV-10-00530-PHX-JJT, 2016 WL 692048 (D. Ariz. Jan. 4, 2016) (complaint).

Very few particulars have come to light about the Equifax breach thus far. However, several reports indicate Equifax had a deficient security culture and failed to take basic measures to prevent the loss of information. Based on the above FTC proceedings, Equifax most likely failed to take reasonable action to secure the personal information which was entrusted to them by their users.

Some early reports have indicated that Equifax stores personal information in plaintext, however this has not been confirmed.8Ron Miller, Security Researchers Find Gross Deficiencies on Equifax Argentina Site, TECHCRUNCH (Sept. 13, 2017), https://techcrunch.com/2017/09/13/security-researchers-finds-gross-deficiencies-on-equifax-argentina-site/. The one piece of information which has been more or less confirmed is that the hackers gained access though a vulnerability in a program called Apache Struts.

Struts is a framework or toolkit for creating and maintaining web applications.9Apache Struts 2, TUTORIALSPOINT, https://www.tutorialspoint.com/struts_2/ (last visited Sept. 23, 2017). Struts is used to build internet-facing web services like online stores and portals. An online store like Amazon.com would use tools like Struts to customize the content of the website for each user, and update its content dynamically as the user interacts with the site.

Such a framework, which allows the site to dynamically change and fit the preferences of the user, needs to be able to communicate with a database of information. The vulnerability at play here, named CVE-2017-9805, actually occurs when two Struts plugins, XStream and REST (representational state transfer), work together to communicate with the database server.10Scott Caveza, Apache Struts REST Plugin XStream XML Request Deserialization RCE (CVE 2017-9805), TENABLE: TENABLE BLOG (Sept. 6, 2017), https://www.tenable.com/blog/apache-struts-rest-plugin-xstream-xml-request-deserialization-rce-cve-2017-9805.

The XStream plugin allows Struts to work with a markup language called XML. In this context, XML is simply a way of formatting information; web services use it to assure that an apple on one server does not get translated to an orange on the next.11Tom Myer, A Really, Really, Really Good Introduction to XML, SITEPOINT (Aug. 24, 2005), https://www.sitepoint.com/really-good-introduction-xml/.

The other plugin, REST, is also vital to the operation of many Struts applications.12Apache Struts 2 Documentation: REST Plugin, APACHE STRUTS 2, http://struts.apache.org/docs/rest-plugin.html (last visited Sept. 23, 2017). REST allows applications to make requests over HTTP; this is preferred over other methods because it is easier to create and uses less bandwidth, making it more deployable on the internet.13Margaret Rouse, REST (Representational State Transfer), TECHTARGET, http://searchmicroservices.techtarget.com/definition/REST-representational-state-transfer (last updated Dec. 2014). REST commonly has four main methods: GET (get information from the database), PUT (update information in the database), PATCH (change only one field in the database), POST (create a new entry in the database). Basically, REST uses XML to communicate with another system on the web, but more importantly, the REST plugin is what allows the application to request, acquire, and respond to data which is uploaded by the user and then communicate that data to and from the server.

A basic feature of a REST request is that instead of having all of the information for the request stored in a crazy URL, the REST request will organize everything, using XML, into what is called the HTTP body (think the body of an email). If a user is trying to access their account they would type in a username and password, the plugin would then format all of this information into the HTTP body, like so:

<XML>

<user>

<username>JohnSmith</username>

<password>thebestpassword</password>

</user>

</XML>

This information is then encrypted and sent to the server. The server de-encrypts the information, compares it to the record, and sends back the requested information.

What is interesting about XML and the XStream Plugin is that it is powerful enough to store all of the information required to build Java14Java is a widely used general purpose programming language which is commonly used to create web connected applications. objects and almost any kind of program.15XStream Documentation: Security Aspects, GITHUB: XSTREAM, https://github.com/x-stream/xstream (last visited Sept. 23, 2017) (“This flexibility comes at a price. XStream applies various techniques under the hood to ensure it is able to handle all types of objects. This includes using undocumented Java features and reflection. The XML generated by XStream includes all information required to build objects of almost any type. This introduces a potential security problem.”). Therefore, it is possible to use REST and XML to send packets of code to the server. Part of this loophole is intentional in design. Part of the request, called the HTTP header (think email subject line), tells the server how to interact with the coming data. However, in this case, if a request contained an unknown command, the server would throw an error and then attempt to run the command without checking to see if it contained any kind of malicious code.16Paul Ducklin, How a Serious Apache Vulnerability Struts Its Stuff, NAKEDSECURITY (Mar. 14, 2017), https://nakedsecurity.sophos.com/2017/03/14/how-a-serious-apache-vulnerability-struts-its-stuff/; Paul Ducklin, Apache Struts “Serialisation” Vulnerability – What You Need to Know, NAKEDSECURITY (Sept. 6, 2017), https://nakedsecurity.sophos.com/2017/09/06/apache-struts-serialisation-vulnerability-what-you-need-to-know/. In other words, a malicious user can feed an entire program to the server, which the server will then run, by embedding the code into the HTTP header.

While this is all unwell and bad, does this mean that Equifax acted unreasonably?

The creator of Struts, Apache, identified this weakness in their system in March of 2017.17Lukasz Lenart, S2-045, APACHE STRUTS 2 DOCUMENTATION: SECURITY BULLETINS, https://cwiki.apache.org/confluence/display/WW/S2-045 (last modified Mar. 19, 2017). Apache released a patch and encouraged their users to update. However, Apache cannot force users to update. A basic step in server security is to update often and to stay apprised of the latest weaknesses. Especially if those systems have unfettered access to all of the users’ personal information.

As in LifeLock and D-Link, Equifax failed to take the necessary steps of patching and updating its system.18Lily Newman, Equifax Officially Has No Excuse, WIRED: SECURITY (Sept. 14, 2017, 1:27 PM), https://www.wired.com/story/equifax-breach-no-excuse/. Further, Equifax did not analyze the vulnerability of its system to common forms of attack. The announcement of a major weakness in one of the largest web frameworks should have raised some eyebrows at Equifax, even more so because the vulnerability allowed code to be sent to and executed on the server.  In a recent statement Richard Smith, former Equifax CEO, admitted that Equifax was aware of the weakness within its system as early as March 8.19Elizabeth Dexheimer, Equifax Made Major Errors That Led to Hack, Smith Concedes, BLOOMBERG (Oct. 3, 2017), http://www.msn.com/en-us/money/companies/equifax-made-major-errors-that-led-to-hack-smith-concedes/ar-AAsNC8h. However, internal security audit and maintenance teams failed to patch the affected system.

For all of these reasons, it is likely that Equifax has failed to take reasonable precautionary steps to prevent the unauthorized disclosure of its users’ information.