
equifax

October 15, 2021

Devastating Data Breaches – Part 3: The Negligence of Equifax

Data breaches, in the traditional sense, have existed for centuries. Although we think of data breaches as a relatively new phenomenon due to the sheer prevalence of attacks we see today, data breaches have been causing headaches to businesses and consumers for a long, long time. Of course, before computers, a data breach meant the exposing of physical papers with confidential information on them. Before the Internet, the amount of damage that could be done was limited by the physical amount of data you could steal. After all, there’s only a finite amount of confidential papers a criminal can sneakily fit in a briefcase. Because of this, the amount of damage done by data breaches was limited.

However, once Internet usage became widespread, the potential damage of a data breach skyrocketed. Millions of consumer records could be stored digitally, ripe for the picking for any cybercriminal with enough knowledge and skill. Ultimately, the Internet ushered in the great data breach boom. And no case is more symbolic of this new trend than the Equifax data breach of 2017.

In honor of Cybersecurity Awareness Month, AXEL is writing about some of the worst leaks, data breaches, and ransomware attacks in history. Follow along all October long to learn about what went wrong, what could’ve been done, and how companies responded to devastating data breaches.

Equifax’s Lax Security

Equifax, one of the three major credit bureaus in the United States, has held mountains of information on millions of Americans for decades. Of course, recording and analyzing this personal information is what a credit bureau does, and their existence is necessary in today’s world. However, because of the sheer amount of information that credit bureaus have, they also hold more responsibilities than most other businesses. Specifically, these businesses have increased responsibility for protecting data and preventing cybercrime. Unfortunately, Equifax reneged on this responsibility in 2017.

On March 7, 2017, Apache Struts, a software program that Equifax and thousands of other companies used, announced a security vulnerability in the software, and immediately sent an update to Equifax to patch the security hole [1]. For reasons unknown, the software was never updated by Equifax, creating a massive security vulnerability. Just a week later, Equifax ran a scan for unpatched systems, but the Apache Struts security hole was not flagged [1]. Ultimately, these two errors put Equifax’s data at massive risk, as the software’s security flaw was publicly known. Just a few days after Equifax’s initial error, the risk became realized.

The Breach

On March 10, 2017, the perpetrators first gained access to Equifax’s servers. However, the cybercriminals did not do much for the next few months, likely to evade detection by Equifax IT. By May, the hackers began their attack [2]. For the next two months, the hackers gained access to multiple Equifax databases. They then encrypted this data and extracted it right under Equifax’s nose. Not long after, the perpetrators were in control of millions of Social Security numbers, birth dates, names, driver’s license numbers, and credit card numbers. After months of investigations, it was determined that the cybercriminals made away with the vital personal information of over 140 million people [3].

To make matters worse, Equifax could’ve had one last line of defense when the hackers were extracting the encrypted data. Most companies receive notifications when a large amount of encrypted data is exfiltrated. However, in another cybersecurity blunder by Equifax, the company failed to renew a vital security service that inspects encrypted data traffic [1]. Because of this, the hackers made away with the data with no detection.

The Response

In August 2017, Equifax became aware of the cybersecurity incident, but did not reveal the attack to the public until September [1]. While Equifax attempted to provide resources to those affected, even the company’s response to the attack was widely panned. For example, Equifax’s social media team directed affected consumers to incorrect web pages on multiple occasions [1]. Even worse, it was revealed that multiple Equifax executives sold USD $1.8 million in Equifax stock following the company’s discovery of the attack, but before it was publicly announced [4]. One executive, Equifax’s Chief Information Officer, was eventually convicted of insider trading related to the attack [5]. Simply put, Equifax’s response to the crisis was woefully inept, and the affected consumers were furious. Eventually, this frustration resulted in litigation.

In the following years, a class-action lawsuit was filed on behalf of the affected consumers, and Equifax’s penalty was steep. In July 2019, Equifax agreed to settle the case, paying USD $1.38 billion to resolve consumer complaints, and USD $380.5 million to those who were harmed by the breach [6]. While those numbers are large, the large number of victims meant that the maximum payout was only USD $125 [1]. Additionally, Equifax was required to provide free credit monitoring to all those affected by the breach.

For months, investigators waited for the stolen data to appear on the dark web to be sold to spammers and scammers. However, the stolen personal information never appeared. Ultimately, this led to the belief that state-sponsored actors were behind the attack. This meant the purpose of the attack was not to make money, but for espionage. For years, it was unknown who was behind the breach. However, in 2020, the United States Department of Justice abruptly charged four Chinese military members with the attack [1]. While the four potential perpetrators are unlikely to ever be extradited to stand trial, these charges at least provide a theory of who was behind this massive data breach.

Protect Your Data with AXEL Go

AXEL is committed to protecting your data from scammers, spammers, and cybercriminals. And the best way to fight against cyberattacks is to be prepared. That’s why AXEL Go, AXEL’s secure file-storage application, uses military-grade encryption and blockchain technology to safeguard your data. To try out AXEL Go’s unparalleled data security, sign up for a two-week free trial here. 

[1] Fruhlinger, Josh. “Equifax Data Breach FAQ: What Happened, Who Was Affected, What Was the Impact?” CSO Online. February 12, 2020. https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html.

[2] Riley, Michael, Jordan Robertson, and Anita Sharpe. “The Equifax Hack Has the Hallmarks of State-Sponsored Pros.” Bloomberg.com. September 29, 2017. https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros.

[3] Leonhardt, Megan. “Equifax to Pay $700 Million for Massive Data Breach. Here’s What You Need to Know about Getting a Cut.” CNBC. July 23, 2019. https://www.cnbc.com/2019/07/22/what-you-need-to-know-equifax-data-breach-700-million-settlement.html.

[4] Hudson, Phil. “Equifax Gets Blasted for Cybersecurity Hack on Social Media.” Bizjournals.com. September 8, 2017. https://www.bizjournals.com/atlanta/news/2017/09/08/equifax-gets-blasted-for-cybersecurity-hack-on.html.

[5] Liptak, Andrew. “Former Equifax Executive Sentenced to Prison for Insider Trading Prior to Data Breach.” The Verge. June 29, 2019. https://www.theverge.com/2019/6/29/20056655/jun-ying-equifax-breach-jail-time-insider-trading-department-of-justice.

[6] Brumfield, Cynthia. “Equifax’s Data Breach Disaster: Will It Change Executive Attitudes toward Security?” CSO Online. July 24, 2019.  https://www.csoonline.com/article/3411139/equifax-s-billion-dollar-data-breach-disaster-will-it-change-executive-attitudes-toward-security.html.

Filed Under: Business, Cybersecurity Tagged With: business, cybercrime, cybersecurity, data breach, equifax, Security

September 18, 2020

Hackers Enjoy Open Season for Data

Much like open mic night at the local Giggle Barn, the hacks just keep on coming. In the last four weeks alone, there have been many developments. Here are some of the most publicized cases.

Equinix ransomware

Equinix is a large data center based in Redwood City, California. Obviously, data centers are prime targets for threat actors. They’re equivalent to banks for bank robbers. Over the U.S. Labor Day holiday weekend, hackers from the group “NetWalker” gained access to Equinix’s systems and unleashed their ransomware.

NetWalker’s payload operates similarly to other ransomware. Once it has infected a network, sensitive files are encrypted, and the hackers demand a hefty ransom to unlock them. NetWalker is interesting because there seems to be a connection to Russia in at least a semi-official capacity. One of their core tenets is not attacking entities located in Russia or the Commonwealth of Independent States. Whatever their affiliations, it’s undeniable that they have been successful recently. Since March this year, they have collected $25 million[1] in ransom.

They have demanded $4.5 million alone for the Equinix incident. It is unknown if Equinix has paid at the moment, but NetWalker has a history of dumping the affected files on black marketplaces once the deadline expires. So, it should be known soon whether they reached a deal.

$5.4 million crypto heist

On September 8th, thieves stole $5.4 million in various cryptocurrencies from the Slovakian exchange, Eterbase. The cyber bandits got away with undisclosed amounts of Bitcoin, Ethereum, Ripple, Tezos, Algorand, and TRON. They moved the stolen crypto into wallets housed on major exchanges such as Binance and Huobi.

Eterbase claims they have the capital necessary to take the hit and will reimburse any affected investor.  They have already notified the proper authorities and are working with the other exchanges to track the culprits. Heists such as this have caused other small exchanges to close in the past, so it’s good to see Eterbase holding firm.

300K WordPress sites exploited

On September 1st, those in the cybersecurity community found a critical vulnerability in specific versions (6.0-6.8) of the File Manager plugin for WordPress. When exploited, it allows malicious actors to run unauthorized code. While the exploit was closed quickly with the release of version 6.9, analysts conclude that up to 300,000 websites are still susceptible.

Since finding the exploit, hackers have been probing WordPress sites non-stop. In a strange twist, many hackers have found themselves fighting off other hackers after gaining illicit access to a site. Hackers hacking hackers.

If you run a WordPress website with the File Manager plugin, please check to ensure you’re running version 6.9 (or higher if you’re reading this in the future). If not, update immediately.
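The version check described above can be run across many sites at once. The following is an added example, not part of the original post: it walks a directory tree, finds each File Manager plugin install, and classifies it against the 6.0-6.8 range given above. It assumes the plugin lives in a directory named `wp-file-manager` and that its main PHP file carries the standard WordPress plugin header with a `Version:` field; the sample tree built in `make_site` is constructed.

```python
import os
import re
import tempfile

PLUGIN_SLUG = "wp-file-manager"   # assumption: the plugin's directory name
VULN_MIN, FIXED = (6, 0), (6, 9)  # from the post: 6.0-6.8 affected, 6.9 fixes it
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.I | re.M)


def plugin_version(plugin_dir):
    """Read the Version field from the plugin header comment, or return None."""
    for name in sorted(os.listdir(plugin_dir)):
        if not name.endswith(".php"):
            continue
        with open(os.path.join(plugin_dir, name), encoding="utf-8", errors="replace") as fh:
            head = fh.read(8192)  # plugin headers sit at the top of the file
        match = VERSION_RE.search(head) if "Plugin Name:" in head else None
        if match:
            return tuple(int(part) for part in match.group(1).split("."))
    return None


def classify(version):
    """Compare numerically on (major, minor) so that 6.10 is not read as older than 6.9."""
    if version is None:
        return "unknown"  # plugin present but unreadable: check it by hand
    major_minor = (version + (0,))[:2]
    if VULN_MIN <= major_minor < FIXED:
        return "vulnerable"
    if major_minor >= FIXED:
        return "patched"
    return "outside-range"  # older than 6.0: the post makes no claim about these


def scan(root):
    """Return (relative plugin path, version tuple, status) for every install under root."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        if os.path.basename(dirpath) == "plugins" and PLUGIN_SLUG in dirnames:
            plugin_dir = os.path.join(dirpath, PLUGIN_SLUG)
            version = plugin_version(plugin_dir)
            findings.append((os.path.relpath(plugin_dir, root), version, classify(version)))
            dirnames.remove(PLUGIN_SLUG)  # no need to descend into the plugin itself
    return sorted(findings, key=lambda finding: finding[0])


def make_site(root, site, version):
    """Build a constructed WordPress-like tree for demonstration (file name is made up)."""
    plugin_dir = os.path.join(root, site, "wp-content", "plugins", PLUGIN_SLUG)
    os.makedirs(plugin_dir)
    header = "<?php\n/**\n * Plugin Name: File Manager\n"
    if version:
        header += f" * Version: {version}\n"
    with open(os.path.join(plugin_dir, "plugin-main.php"), "w", encoding="utf-8") as fh:
        fh.write(header + " */\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as webroot:
        for site, version in [("shop", "6.8"), ("blog", "6.9"), ("wiki", None)]:
            make_site(webroot, site, version)
        for path, version, status in scan(webroot):
            shown = ".".join(map(str, version)) if version else "?"
            print(f"{status:<14} {shown:<6} {path}")
```

Point `scan()` at the directory that holds your sites; anything reported as `vulnerable` or `unknown` should be updated or inspected first.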

Argentinian government attacked

NetWalker sure is busy! Less than two weeks before the Equinix attack, the hacker gang disrupted operations of Argentina’s national immigration agency.  On the morning of August 27th, workers for the agency noticed that certain Windows files and shared folders were inaccessible. It resulted in a momentary closure of border stations throughout the country while they contained the breach.

NetWalker demanded $2 million to restore access, then upped it to $4 million when the deadline passed. Argentinian officials aren’t worried, however. They say they will refuse to negotiate with the group and don’t intend to recover the compromised information.

Russian arrested for trying to bribe Tesla employee

This story isn’t about a successful attack, but the attempt is so fascinating it needed a mention. On August 22nd, FBI authorities arrested a Russian man for attempting to bribe a Tesla employee. Egor Igorevich Kriuchkov offered the worker $1 million to install ransomware on the electric car manufacturer’s internal servers.

Luckily, the Russian-speaking employee did not take up Egor’s offer, instead opting to notify law enforcement. A sting operation led by the FBI eventually resulted in the would-be hacker’s arrest.

It’s nice to see a foiled plot instead of a multimillion-dollar ransom every once in a while.

Iranian hacker group sells admission to compromised networks

This month, intelligence experts revealed that a hacker gang supporting Iran’s Ministry of Intelligence is selling access to international corporate networks on the Dark Web. The group is known as Pioneer Kitten, aka Fox Kitten, aka PARISITE, and is notorious in the global cyber intelligence community. First identified in 2017, Pioneer Kitten typically exploits VPN vulnerabilities to gain access to sensitive information deemed useful intelligence by Tehran.

Starting in late July, the group began selling access to corporate and government networks throughout the world. This included compromised systems in countries such as the United States, Israel, Australia, France, Germany, the United Arab Emirates, and more. The attacks centered around tech, defense, and healthcare organizations, all of which store vast amounts of confidential data.

Analysts believe the sale of this high-value intelligence information would not be permitted by the Iranian government, leading to speculation that the group is not an official state entity, and only contracted by Tehran.

The University of Utah suffers a ransomware attack

On August 19th, The University of Utah admitted hackers carried out a successful ransomware attack in late July. The malicious agents encrypted student information on the College of Social and Behavioral Science’s servers. In the end, the university paid out over $450K to prevent the data from leaking to a Dark Web marketplace.

A representative for the university confirmed that a cybersecurity insurance policy paid the sum and that no taxpayers were on the hook. The rep also claimed the hack did not affect any central servers.

While it did not end up being a multimillion-dollar incident like other high-profile attacks, the use of cybercrime insurance is noteworthy. The trend of commonplace insurance is likely to continue as more attacks occur. Ironically, organizations known to have policies may become higher-priority targets, since hackers assume they will receive a payout.

1TB data stolen from liquor manufacturer

Brown-Forman, a United States spirits and wine conglomerate, announced in mid-August that they experienced a 1TB data breach. The parent company of brands such as Jack Daniels, Korbel wine, and Finlandia vodka fell victim to infamous hacker group REvil. Also known as Sodinokibi, REvil has many well-known incidents under their digital belts, including attacks against pop-star Lady Gaga and U.S. President Donald Trump.

The hackers gained access to many confidential documents, including business contracts, financial statements, and employee information. It could have been worse for the beverage giant, however, as the criminal syndicate was not able to encrypt any data. Nonetheless, REvil threatened to sell the information online if they did not receive a hefty ransom. Brown-Forman does not appear to be cooperating. At AXEL, we believe this hardball approach is the right one. Do not negotiate with terrorists.

Canon’s stolen files leaked

In early August, the camera and photo-equipment manufacturer, Canon, underwent a Maze ransomware attack. It was so bad, their image.canon website was down for six days. Canon refused to pay and was evidently able to unlock a portion of the infected files.

Then, on August 14th, the Maze gang released 5% of their ill-gotten data treasure to the internet. Their website claims it was only 5% of the files they have. It’s been a month since the leak, and there hasn’t been any further news on the subject. This leads some to believe Canon acquiesced and paid not to have more information revealed.

Data security

As you probably noticed, hacking is big business these days. With the recent proliferation of remote desktops, sophisticated phishing attacks, and cybercrime insurance policies, it doesn’t appear that it will end any time soon.

That’s why individuals and businesses alike need robust, secure data storage and sharing solutions. AXEL Go is the best application to fit these needs. AXEL Go allows for private, secure storage and sharing. Based on IPFS and blockchain technology, users receive high performance and protection not seen in other platforms. Optional AES-256 bit password encryption locks things down even further to prevent any unauthorized access. Try out our full-featured Basic service for free.

 

[1] Catalin Cimpanu, “NetWalker ransomware gang has made $25 million since March 2020”, ZDNet, Aug. 3, 2020, https://www.zdnet.com/article/netwalker-ransomware-gang-has-made-25-million-since-march-2020/#:~:text=The%20NetWalker%20gang%20has%20established,dangerous%20ransomware%20groups%20out%20there.&text=The%20operators%20of%20the%20NetWalker,security%20firm%20McAfee%20said%20today.


Filed Under: Cybersecurity Tagged With: canon hack, equifax, equinix hack, eterbase hack, iran hackers, jack daniels hack, tesla russia, utah hack, wordpress hack

August 14, 2018

6 textbook examples of how NOT to respond to a Data Breach (Seriously guys?)

Yahoo: Do nothing and pray it goes away

Why are we surprised at this?! When Yahoo suffered a breach in 2013, it decided to just keep quiet about the 3 billion accounts that were compromised. Surely this would prove to be an effective strategy?

LOL.

The news broke a whole FOUR years later, in 2017, that 3 billion accounts had been hacked, which is more than the company claimed in 2016, which is the first time anyone heard anything about a data breach. We shouldn’t really be surprised, as “do nothing and pray it goes away” has been Yahoo’s MO for quite some time now.

FriendFinder Networks: Take days to respond and then downplay the incident in a vague press release

FriendFinder Networks is a company that you’d reeeally want to keep your data secure. It operates AdultFriendFinder, a “sex and swinger community,” and when it suffered a breach in 2016, the response was slow and the press release was tepid. The company affirmed that it “encourages users to change their passwords,” and appeared to put most of the onus on the users, commenting that it would contact users “to provide them with information and guidance on how they can protect themselves.” Seriously?

This press release came after days of speculation, which is actually forever if you are a user of an adult website waiting to find out if your data has been made public.

Equifax: Fail to patch software, take forever to disclose breach, let execs sell their shares

Equifax has one of the shadiest timelines of this group, and competition was stiff here!! After failing to patch a known vulnerability in March 2017 in widely used open source software Apache Struts, the data of 143 million US customers was potentially exposed in May 2017. Then on July 29th, days after the breach was discovered, executives sold off nearly $1.8M worth of Equifax shares. Hmm….this looks bad, but maybe there’s something we don’t know here. (Read: there’s not. It’s bad.)

Ticketmaster: Pretend it’s not happening

Ticketmaster was alerted to a possible breach in April of 2018, but decided to do its best impression of an ostrich and just pretend it wasn’t happening until it received apparently irrefutable (or un-buryable) evidence on June 23rd. Online bank Monzo released a statement shortly afterward saying it spotted the breach in April, but Ticketmaster said nah after an internal investigation revealed no evidence of any such breach.

I’m confused. Are we just letting companies investigate themselves now? This is not how any of this should work. Anywho….

Facebook: Deny deny deny

Facebook didn’t suffer a breach. Instead, it voluntarily gave away a treasure trove of user data and then informed us that we had all agreed to it in the terms and conditions. Whoops – we should have read those, but they’re just so boring, and no one can recall seeing a line item that said “we will give away all your data, suckers, and there’s nothing you can do about it LOL.” I think I would have remembered that…..

To its credit, Facebook did admit that its data had been “improperly shared,” but didn’t go so far as to call it a breach. They didn’t go so far as to call us suckers either, but that doesn’t mean it isn’t true.

Exactis: Leave us all in suspense as if our data’s safety was a plot point in a Mission Impossible movie

None of this is entertaining, you guys. Apparently there is a “database with pretty much every US citizen in it” floating around the internet, according to security experts. That seems pretty bad.

But even worse, the company associated with the breach has stayed silent for days, which is deeply bumming out 230 million of us who would kindly like to know if our personal information is available online.

The bottom line

Data breaches are inevitable. Attackers are targeting companies on a daily basis. But ignoring the fact that a data breach has occurred, failing to patch a known vulnerability, putting the onus of dealing with a breach on users, and – most obviously of all – selling off your stock when you have insider information of a breach doesn’t help anyone. Companies need to be honest when they think a breach has occurred, or they risk losing their customers’ trust. And as our data multiplies exponentially, trust is becoming scarce.

Filed Under: Cybersecurity Tagged With: Breach, cybersecurity, data breach, equifax, facebook, online privacy, Privacy, Security, ticketmaster
