Equifax was just as much of a trash-fire as it looked: the company saw the Apache Struts 2 vulnerability warning, failed to patch its systems, and held back a public announcement for weeks for fear of “copycat” attacks.
Those Infosec for Absolute Dummies tips were made official by ex-CEO Richard Smith, by way of evidence published by a US House committee ahead of his in-person appearance Tuesday.
Smith's written statement [PDF] to the House Committee on Energy and Commerce says the company received the US CERT's advisory for CVE-2017-5638 on March 8, and IT was told to patch it in accordance with the company's policy of patching within 48 hours of notifications.
That didn't happen: “We now know that the vulnerable version of Apache Struts within Equifax was not identified or patched”.
"On March 15," Smith's testimony continues, "Equifax’s information security department also ran scans that should have identified any systems that were vulnerable to the Apache Struts issue identified by U.S. CERT. Unfortunately, however, the scans did not identify the Apache Struts vulnerability."
Just why Equifax couldn't find vulnerable Struts implementations remains the subject of ongoing investigations.
For a while, Equifax was lucky and nobody noticed its exposed systems, but in July that changed, when the company (finally) identified suspicious activity.
“On July 29, however, Equifax’s security department observed suspicious network traffic associated with the consumer dispute website”, Smith's statement says, and investigation suggests its systems were first compromised as early as May 13, giving attackers plenty of time to pull down customer records.
From July 29, when Equifax IT first spotted the activity, it took more than two weeks for consultants from Mandiant to determine that personally identifiable information was accessed in the breach.
Smith justifies the company's much-criticised delay announcing the breach on the grounds that a disclosure might have seen crims pile on with multiple attacks.
“A mounting concern also was that when any notification is made, the experts informed us that we had to prepare our network for exponentially more attacks after the notification, because a notification would provoke 'copycat' attempts and other criminal activity.”
Smith fell on his sword last week, with Paulino do Rego Barros Jr sitting in as interim CEO while the company searches for a replacement willing to take on the task of extracting it from a deep, dark hole.
Equifax has also confirmed that an extra 2.5 million Americans had their data stolen in the attack, bringing the total to 145.5 million.