Unraveling a Cyber Nightmare — the Massive Equifax data breach

Johnsy Vineela
4 min read · Jul 14, 2018

Editor’s note: In a nation, where our credit history plays a vital role in gauging our financial stability, we provide our sensitive information to the bureaus with the belief that our data is secure. But, what if all our reports were laid out in public and our identities got stolen? In this blog post, Michael Korens, Vivian Ngyuen, Tien Tran, Stuardo Reyes and Huy Nguyen describe one of the biggest data breaches in 2017 and its implications.

Equifax Data Breach

In May 2017, Equifax, one of the three major consumer credit reporting agencies, suffered a massive data breach. The attack on the company represents one of the largest risks to personally sensitive information in recent years, and is the third major cybersecurity threat for the agency since 2015.

Source: money.cnn.com

What is Equifax?

Equifax is a credit reporting agency which collects consumers’ information from banks and uses it to produce a credit score. Equifax stores consumers’ sensitive information such as SSNs, driver’s license (DL) numbers, bank account details, and so on. When a consumer wants to apply for a loan for a house, a car, a credit card, or a personal loan from a bank, the lender (bank) requests consumer information from companies like Equifax (the other two big credit reporting agencies are Experian and TransUnion). Equifax then sends the consumer’s credit report and credit score to the lender. Based on the information received, the lender decides whether the consumer is eligible for a loan and at what interest rate.

What Software does Equifax use?

Equifax uses Apache Struts, a free, open-source framework for creating web applications in Java. Apache Struts builds on the Java Servlet API and encourages developers to adopt a model–view–controller (MVC) architecture, with plugins to support REST, AJAX and JSON.

How did it become a problem?

On March 9, 2017, the Apache Struts project became aware of a critical remote code execution exploit in the framework and released a patch for it as soon as possible. The Apache Struts project, along with several others, warned companies about the exploit and urged them to update their systems. However, Equifax did not update, which meant that the security vulnerability remained in its systems.

The security exploit derived from a parser within Apache Struts that is responsible for analysing a string of symbols. The parser had incorrect exception handling and error-message generation during file-upload attempts, which allowed remote attackers to execute arbitrary commands. The hackers were able to launch arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, for instance a Content-Type header containing a #cmd= string. In other words, they were able to achieve remote code execution, which granted them access to the database behind the Apache Struts application, containing highly sensitive information about millions of people.
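The header pattern described above is something a defender can look for in request logs. The following detector is an added example (not code from the original post or from the Struts project) that runs over a few constructed log lines in a constructed `timestamp|client|method|path|Header: value` format. It flags a Content-Type value when it carries the `#cmd=` marker or a similar expression-language opener, or when it does not parse as a well-formed media type at all, and it flags a Content-Length that is not a bare integer; the client addresses and the `PLACEHOLDER` payload strings are all constructed.

```python
import re

# Simplified RFC 7231 grammar for a media type: type "/" subtype *( ";" parameter ).
# tchar is taken from RFC 7230; braces, parentheses and quotes are not token characters,
# so an expression-language fragment cannot form a valid type/subtype.
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PARAM = rf'{_TCHAR}=(?:{_TCHAR}|"[^"]*")'
MEDIA_TYPE_RE = re.compile(rf"^{_TCHAR}/{_TCHAR}(?:\s*;\s*{_PARAM})*\s*$")

# Substrings that have no business in a media type: the "#cmd=" marker named in the
# post plus the expression-language openers that usually surround it.
INDICATORS = ("#cmd=", "%{", "${")

HEADERS_OF_INTEREST = ("Content-Type", "Content-Disposition", "Content-Length")

# Constructed sample log (not real traffic): timestamp|client|method|path|Header: value
SAMPLE_LOG = [
    "2017-03-10T02:14:07Z|203.0.113.5|POST|/upload.action|Content-Type: multipart/form-data; boundary=----FormBoundaryPlaceholder",
    "2017-03-10T02:14:09Z|198.51.100.7|POST|/upload.action|Content-Type: %{#cmd='PLACEHOLDER'}",
    "2017-03-10T02:14:11Z|198.51.100.7|POST|/upload.action|Content-Type: text/plain; #cmd=PLACEHOLDER",
    "2017-03-10T02:14:12Z|192.0.2.9|GET|/index.action|Content-Length: 0",
    "2017-03-10T02:14:13Z|198.51.100.7|POST|/upload.action|Content-Length: %{PLACEHOLDER}",
    '2017-03-10T02:14:14Z|192.0.2.9|POST|/upload.action|Content-Disposition: form-data; name="file"; filename="report.pdf"',
]


def parse_log_line(line):
    """Split one constructed log line into its fields; the header value is kept verbatim."""
    ts, client, method, path, header = line.split("|", 4)
    name, _, value = header.partition(":")
    return {"ts": ts, "client": client, "method": method, "path": path,
            "header": name.strip(), "value": value.strip()}


def classify_content_type(value):
    """Reasons a Content-Type value looks hostile; an empty list means it looks benign."""
    reasons = [f"indicator {ind!r}" for ind in INDICATORS if ind in value]
    if not MEDIA_TYPE_RE.match(value):
        reasons.append("not a well-formed media type")
    if len(value) > 256:
        reasons.append("unusually long")
    return reasons


def classify_header(name, value):
    """Dispatch on header name; Content-Length must be a bare integer."""
    if name == "Content-Type":
        return classify_content_type(value)
    if name == "Content-Length":
        return [] if value.isdigit() else ["non-numeric Content-Length"]
    if name == "Content-Disposition":
        return [f"indicator {ind!r}" for ind in INDICATORS if ind in value]
    return []


def scan(lines):
    """Run the checks over log lines; returns (client, header, reasons) per suspicious line."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec["header"] not in HEADERS_OF_INTEREST:
            continue
        reasons = classify_header(rec["header"], rec["value"])
        if reasons:
            findings.append((rec["client"], rec["header"], reasons))
    return findings


if __name__ == "__main__":
    for client, header, reasons in scan(SAMPLE_LOG):
        print(f"{client} {header}: {', '.join(reasons)}")
```

The third sample line shows why the grammar check alone is not enough: `text/plain; #cmd=PLACEHOLDER` is a syntactically valid media type (the `#` is a legal token character), so only the indicator match catches it, while the second line fails both checks. In production the same two checks would run at the edge (reverse proxy or WAF) on live headers rather than after the fact on logs.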

Equifax was breached in May, and the personal information of 146.5 million people was stolen, including names, addresses, Social Security numbers, payment cards, passports, driver’s licenses, and more. This highly sensitive information was stolen because of Equifax’s negligence toward security.

What could have been done?

The breach could have been prevented; it was caused by outdated software that had not been patched. In this day and age there are many security tools that help protect against remote code execution, yet the simplest solution would have been to update the software as soon as possible.
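"Update as soon as possible" is easiest to enforce when the build itself refuses an out-of-date framework. The following check is an added example, not code from the post, from Equifax or from the Struts project: it parses a constructed Maven `pom.xml`, resolves the `${struts.version}` property indirection that real POMs commonly use, and compares the declared `struts2-core` version with the minimum patched release for its branch. The branch-to-minimum map is passed in by the caller; the values used here are placeholders, and a real deployment would take them from the framework's own security advisory.

```python
import re
import xml.etree.ElementTree as ET

# Maven POM namespace; every element in a pom.xml lives in it.
POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}

# Constructed sample POM (not a real project); the declared version is deliberately
# left to a property so the resolution path is exercised.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example.placeholder</groupId>
  <artifactId>webapp</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>2.3.31</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(v):
    """'2.3.31' -> (2, 3, 31); trailing non-numeric pieces such as '-SNAPSHOT' are dropped."""
    parts = []
    for piece in re.split(r"[.\-]", v.strip()):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def resolve_property(root, value):
    """Resolve a '${name}' reference against the POM's <properties>; plain values pass through."""
    value = value.strip()
    m = re.fullmatch(r"\$\{([^}]+)\}", value)
    if not m:
        return value
    props = root.find("m:properties", NS)
    if props is not None:
        for child in props:
            if child.tag == f"{{{POM_NS}}}{m.group(1)}" and child.text:
                return child.text.strip()
    raise ValueError(f"unresolved Maven property {value}")


def find_dependencies(pom_xml, group_id, artifact_id):
    """Return the resolved version of every <dependency> matching group:artifact."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.iterfind("m:dependencies/m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        if gid == group_id and aid == artifact_id:
            raw = dep.findtext("m:version", default="", namespaces=NS)
            found.append(resolve_property(root, raw))
    return found


def check_pom(pom_xml, min_patched_by_branch,
              group_id="org.apache.struts", artifact_id="struts2-core"):
    """Compare each declared framework version with the minimum patched release for its
    branch (major.minor). Returns (version, status) pairs where status is 'ok',
    'vulnerable' or 'unknown-branch' (a branch the caller has no advisory data for)."""
    results = []
    for ver in find_dependencies(pom_xml, group_id, artifact_id):
        parsed = parse_version(ver)
        branch = ".".join(str(p) for p in parsed[:2])
        if branch not in min_patched_by_branch:
            results.append((ver, "unknown-branch"))
        elif parsed >= parse_version(min_patched_by_branch[branch]):
            results.append((ver, "ok"))
        else:
            results.append((ver, "vulnerable"))
    return results


if __name__ == "__main__":
    # Placeholder thresholds; substitute the versions named in the vendor advisory.
    for ver, status in check_pom(SAMPLE_POM, {"2.3": "2.3.40", "2.5": "2.5.20"}):
        print(f"struts2-core {ver}: {status}")
```

Treating an unknown branch as a finding rather than silently passing it is deliberate: a version the check has no data for is exactly the case a patch tracker most often gets wrong. A fuller gate would also walk transitive dependencies (for example from the resolved dependency tree) rather than only the direct declarations in one POM.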

Another solution could have been to perform defensive penetration testing at scheduled times to reveal the loopholes or vulnerabilities within the system. Machine learning tools like TensorFlow could have been leveraged to monitor ongoing traffic and reveal potentially malicious actors, possibly detecting the attacks sooner and preventing a big data breach, which would have been a big improvement in security. Others may argue that even if Equifax had updated its systems, nothing would have stopped a persistent hacker with malicious intent.

The Aftermath

On March 14, 2018, Jun Ying, a former Equifax executive, was charged with insider trading after he sold nearly $1 million worth of shares in the credit agency before the company announced the huge data breach. He sold 6,800 EFX shares after the breach was discovered but before it was made public. Trading on such insider information is illegal.

Richard Smith, who served as Equifax’s CEO, resigned as a result of the breach. Even though he did not receive a “package” to retire and received no severance pay, he still walked away with $18.3 million in pension benefits; under the company’s pension plan he was entitled to that pension under any circumstance. Smith blamed it all on a single person who failed to deploy a patch: he said the individual responsible for communicating to the organization that the patch had to be applied did not do his job. Though this is the largest data breach in American history, the CEO’s claim itself reveals poor security practices. Relying on one person for a mission-critical function is not a “human error,” it is a process failure.

Equifax’s breach should teach us all to be careful with our systems and not to neglect software updates; they can mean the difference between staying secure and getting hacked. Equifax’s failure to update its software shows the worst-case scenario that can happen to an organization that does not value its security. The lesson to be learnt here is that we need to be careful about our negligence towards security; otherwise hackers could misuse your Social Security number and identity!
