Equifax - A Post Mortem To Beat Any Movie Story

The credit monitoring company that managed to lose the financially sensitive information of 143 million of its customers to hackers has just lost Richard Smith (Chairman and Chief Executive); over the last few years it has also lost Tony Spinelli, who was in charge of Equifax’s security, Steve Van Wieren, VP of Data Quality, and several other members of the security team.

The company is currently facing a $Bn payout. There will be more, because many senior managers apparently sold their shares before hearing about the hack and before it became public information. Equifax has an interesting business model: it gets data for free from the banks, provided by the consumers seeking credit, then applies Artificial Intelligence to the data and sells the results back to the banks that gave it the data in the first place.


Here is a company that at one time took security seriously and yet managed to get it very wrong on quite a large scale. The ideas are well known: you need to validate the security requirements and then make sure you implement the controls correctly. This is the classic Validation and Verification dilemma. But those controls are not just about buying the right hardware and software; they are also about the processes and procedures in which people are the main actors.

‘Get the implementation and operations wrong and the hackers will swarm around the honey pot. Unfortunately that’s what happened to Equifax.’

On March 8th the US Department of Homeland Security alerted the company to the need to patch a flaw in the Apache Struts software. Struts is a toolkit for creating Java web applications that run on the server; users can access APIs set up by a REST plug-in. The details are documented elsewhere, but in particular the flaw allowed hackers to open an access path by effectively inserting commands into the data being accepted by the server. It is really another example of data injection, the class that became publicly famous with SQL injection, as TalkTalk discovered a few years ago.
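The post cites SQL injection as the well-known case of this data-injection class. What follows is an added example, not code from the original post and not the Apache Struts flaw itself: it shows the class in Python with sqlite3, a lookup that splices caller text into the statement beside the parameterised form, plus an allow-list check in front of the database layer. The table, its rows and the username policy are constructed for the demonstration.

```python
import re
import sqlite3
from typing import Dict, List, Tuple

# Constructed sample data for the demonstration; not from the post.
SAMPLE_ROWS = [(1, "alice", "1234"), (2, "bob", "5678"), (3, "carol", "9012")]

# Allow-list for what a username is permitted to look like (assumed policy).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Build an in-memory table standing in for a customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, username TEXT, ssn_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[int, str]]:
    """Splices the caller's text into the statement.

    The database cannot tell where the command ends and the data begins,
    so text supplied as a username can change what the query does.
    """
    sql = f"SELECT id, username FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[int, str]]:
    """Parameter binding: the statement is fixed, the value is only ever data."""
    sql = "SELECT id, username FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_valid_username(username: str) -> bool:
    """Defence in depth: reject anything outside the allow-list before it
    reaches the database layer at all."""
    return USERNAME_RE.fullmatch(username) is not None


def demo(payload: str = "' OR '1'='1") -> Dict[str, int]:
    """Run the same input through both lookups and report row counts."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, payload)),
        "safe_rows": len(lookup_safe(conn, payload)),
        "legit_rows": len(lookup_safe(conn, "alice")),
        "payload_passes_allowlist": int(is_valid_username(payload)),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the two lookups side by side is that the fix is structural, not a matter of escaping characters: once the statement and the data travel separately, there is no position in the text for a command to be inserted. The allow-list check is the same idea applied one layer earlier, and it is the kind of control that has to be designed in rather than added on.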

Anyway, the manager responsible for ensuring the patch was applied apparently slipped up and became the point of blame identified by Richard Smith (CEO). We’ll come back to it, but doesn’t this sound like a single point of failure? I can feel the CEO struggling because he of course doesn’t understand this level of detail and relies on others to get it right. This is, in my view, the major vulnerability to cyber attacks today: the Board of directors is disconnected from the IT teams that design, build and operate the technology and its security.

Having a token CIO on the Board is not necessarily the right answer, because the depth and complexity of the IT systems make them a company in their own right; arguably they are the company. As the employees of Equifax apparently (jokingly) pointed out, the company was just one hack away from bankruptcy.

As we mentioned earlier, Equifax seemed to be failing to hold on to key members of the data security team, and was in fact working with Mandiant, a cyber security firm. Mandiant was engaged in March to investigate an earlier breach of security, and it appears there was some dispute between the companies that may have allowed Equifax to take its eye off the ball while the latest attacks were taking place.

Equifax has invested $Ms in sophisticated security systems and even had a dedicated operations centre for detecting hacks and for the implementation of anti-intrusion software. However, on the day, or rather over the last several months, this didn’t provide the right response.

‘The important point here is that this is not one person this is a system failure.’

That’s where the problem lies, and it’s a fundamental part of designing a security system: you can’t just add on bits when convenient. Security is pervasive and has to be built into the foundations of the system. Prevention was the old idea, but you cannot prevent the level of sophistication being experienced with cyber-attacks today; what is far more important is to detect the attacks in a timely fashion and be able to shut them down.

‘Modern security is engaged to provide such controls as a fundamental part of the IT platform.’

The trick, of course, is that you need to be able to detect and recover from something that’s never happened (to you) before. You can actually do this in software you write yourself, by using defensive techniques that always check whether you are in an allowed state, but you also have to make sure you can handle this correctly when using other people’s software as part of your platform.
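The allowed-state check described above, as an added example rather than code from the original post: a hypothetical request-handling pipeline whose legitimate lifecycle is a small set of named states. Every transition is tested against an explicit allow-list; anything else, including a state nobody has heard of before, is recorded as a violation and the pipeline drops back to a known-safe state. The state names and transitions are assumptions made for the illustration.

```python
"""Defensive allowed-state checking (added example; states are assumed)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Explicit allow-list of transitions: from_state -> permitted to_states.
# The question asked is always "is this permitted?", never "is it forbidden?",
# so a transition that has never been seen before is still rejected.
ALLOWED: Dict[str, FrozenSet[str]] = {
    "idle": frozenset({"authenticated"}),
    "authenticated": frozenset({"validated", "idle"}),
    "validated": frozenset({"processing", "idle"}),
    "processing": frozenset({"idle"}),
}
SAFE_STATE = "idle"


class StateViolation(Exception):
    """Raised when a requested transition is outside the allow-list."""


@dataclass
class Pipeline:
    state: str = SAFE_STATE
    violations: List[Tuple[str, str]] = field(default_factory=list)

    def transition(self, new_state: str) -> None:
        old_state = self.state
        if new_state not in ALLOWED.get(old_state, frozenset()):
            # Detect: record what was attempted so it can be investigated.
            self.violations.append((old_state, new_state))
            # Recover: fail closed to a state we know how to reason about.
            self.state = SAFE_STATE
            raise StateViolation(f"{old_state} -> {new_state} is not allowed")
        self.state = new_state


def run_sequence(events: List[str]) -> Tuple[str, List[Tuple[str, str]]]:
    """Drive a fresh pipeline through a sequence of requested states.

    A violation aborts the offending request, but the pipeline keeps running
    from the safe state, so later legitimate requests are still served.
    Returns the final state and the list of recorded violations.
    """
    pipeline = Pipeline()
    for event in events:
        try:
            pipeline.transition(event)
        except StateViolation:
            pass  # already recorded and recovered; move on to the next event
    return pipeline.state, pipeline.violations


if __name__ == "__main__":
    # Constructed sequences: a legitimate one, and one that skips validation.
    print(run_sequence(["authenticated", "validated", "processing", "idle"]))
    print(run_sequence(["authenticated", "processing", "authenticated"]))
```

The same wrapper is how you handle other people’s software as part of your platform: rather than trusting a third-party component to only ever report states you expect, its output is driven through the same allow-list, so an unexpected value is detected and contained instead of acted upon.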

Dr David Everett
Microexpert – Independent Security Consultants

©2020 Microexpert. Registered number 01755695.