Oh dear. Firm was apparently warned about website vulnerability, months before devastating data breach
Equifax could be in even more trouble after it was reported that a security researcher had warned the firm about its vulnerability to a cyberattack six months before it suffered a breach.
Its fallout has triggered multiple investigations across the world, and the credit monitoring firm has been hauled up before the US Congress, where former CEO Richard Smith faced a serious grilling from US Senators.
But now it has been reported that Equifax had been warned six months before it was attacked about its vulnerability.
A security researcher spoke to Motherboard this week, and the publication reviewed the evidence that the researcher had gathered months before the attack.
The researcher in question has not been publicly named “out of professional concerns”, but Motherboard said that the researcher had begun scanning the company’s public facing infrastructure in December.
This researcher couldn’t believe it when, on one particular Equifax website he found, he was able to access the personal data of millions upon millions of Americans (names, dates of birth, social security numbers etc).
The website in question apparently looked like a portal made only for employees, but was completely exposed to anyone on the internet.
It displayed several search fields, and anyone, without any authentication, could make the site display the personal data of Equifax’s customers, the researcher reportedly said.
Motherboard said it had viewed multiple sets of the data the researcher was able to access.
Indeed, the researcher was apparently able to download the data of hundreds of thousands of Americans in order to show Equifax the vulnerabilities within its systems.
The researcher then notified the company of the flaw, but Equifax failed to act on the warning.
“I didn’t have to do anything fancy,” the researcher told Motherboard, explaining that the site was vulnerable to a basic “forced browsing” bug.
“All you had to do was put in a search term and get millions of results, just instantly – in cleartext, through a web app,” the researcher reportedly said. “I’ve seen a lot of bad things, but not this bad.”
“I couldn’t believe it, it was shocking,” the researcher reportedly said. “It was just disgusting to see them take this long to do anything about it.”
The publication said that this raised the possibility that more than one group of hackers broke into the company, and raises fresh questions about Equifax’s security practices.
This unnamed researcher was also able to take control of several Equifax servers, and found several others vulnerable to simple bugs such as SQL injection.
The researcher also found that many Equifax servers were running outdated software.
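The two flaws the article describes, a portal reachable without any authentication (the “forced browsing” bug) and servers open to SQL injection, come down to a missing access check and unparameterised queries. The following is an added example, not Equifax’s code and not part of the Motherboard report: a minimal search handler written the way the exposed employee portal is described, next to a hardened version of the same handler. The request dict, the `customers` table, the `SESSIONS` token store and all records are constructed for illustration.

```python
"""
Added example (not Equifax's code, not from the Motherboard report): a search
endpoint modelled on the exposed employee portal described in the article,
in a deliberately vulnerable form and in a hardened form.

Assumptions (constructed for illustration): a dict-based request object, a
sqlite3 table `customers`, and a session store mapping session tokens to
authenticated employee usernames. Every name and record here is made up.
"""
import hmac
import sqlite3

# Constructed sample data: three fake records standing in for the real table.
SAMPLE_ROWS = [
    ("Alice Example", "1970-01-01", "000-00-0001"),
    ("Bob Example", "1980-02-02", "000-00-0002"),
    ("Carol Example", "1990-03-03", "000-00-0003"),
]

# Constructed session store: session token -> authenticated employee.
SESSIONS = {"tok-employee-1": "employee1"}


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, dob TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(request, conn):
    """The 'forced browsing' portal: no authentication check at all, and the
    search term is concatenated straight into SQL. Anyone who reaches the URL
    gets cleartext records, and a quote character in the term breaks (or
    changes) the query instead of being searched for."""
    term = request.get("q", "")
    sql = "SELECT name, dob, ssn FROM customers WHERE name LIKE '%" + term + "%'"
    return 200, conn.execute(sql).fetchall()


def current_user(request):
    """Resolve the session cookie to an authenticated user, or None.
    Compares tokens in constant time so a mismatch leaks no timing signal."""
    token = request.get("cookie_session", "").encode()
    for known, user in SESSIONS.items():
        if hmac.compare_digest(token, known.encode()):
            return user
    return None


def search_hardened(request, conn):
    """Same search with two fixes: (1) require an authenticated session
    before touching any customer data, (2) bind the term as a parameter so
    the input cannot alter the query. Also bounds the input and result size
    and masks the SSN, so even an authorised search returns less."""
    if current_user(request) is None:
        return 401, []  # deny before any data is read
    term = request.get("q", "")
    if not term or len(term) > 64:
        return 400, []
    rows = conn.execute(
        "SELECT name, dob, ssn FROM customers WHERE name LIKE ? LIMIT 50",
        ("%" + term + "%",),
    ).fetchall()
    return 200, [(n, d, "***-**-" + s[-4:]) for n, d, s in rows]
```

The vulnerable handler answers an empty search from an anonymous request with every row in cleartext, which is the behaviour the researcher describes. The hardened handler refuses the same request with 401 before the database is touched, and a term consisting of a single quote is simply a search that matches nothing rather than a broken query.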
“It should’ve been fixed the moment it was found. It would have taken them five minutes, they could’ve just taken the site down,” the researcher told Motherboard. “In this case it was just ‘please take this site down, make it not public.’ That’s all they needed to do.”
According to the researcher, Equifax didn’t take the site down until June.
The data breach at Equifax took place between mid-May and July 2017.
Equifax reportedly responded to Motherboard with the following statement.
“As a matter of policy, Equifax does not comment publicly on internal security operations. However, as our former CEO recently testified to Congress, Equifax has in the past conducted thorough security reviews using expert external review teams,” the statement read. “He further testified that Equifax expended significant resources to install industry standard cybersecurity defenses and put in place processes to address vulnerabilities. Since the recent breach, additional remediation steps have been taken. It is incorrect to suggest reports were ignored.”
It is worth remembering that Equifax has been hacked before.
In 2013 the firm (along with Experian and TransUnion) admitted that the financial files of four high-profile individuals had been compromised.