Unchecked Vulnerability Leaks Information on Millions

The headline was almost too big to believe. On Sept 7, The New York Times announced, “Equifax Says Cyberattack May Have Affected 143 Million in the U.S.” This meant that personal credentials, like Security numbers and other data, for almost half the population of the United States was leaked to hackers. The Verge added, “It has been marked as the worst data breach in US history.”

As the picture becomes clearer, the issue at stake was a vulnerability in one of the plugins in the Apache Struts framework. Former Equifax CEO Richard Smith said. “It was this unpatched vulnerability that allowed hackers to access personal identifying information.”

This week, in Congressional testimony, The Guardian reported, “It’s like the guards at Fort Knox forgot to lock the doors and failed to notice the thieves were emptying the vaults,” Greg Walden, the chairman of the House energy and commerce committee, told Smith. “How does this happen when so much is at stake?” Walden said. “I don’t think we can pass a law that fixes stupid.”

The question arises, if Equifax had an AI-powered analytics solution that tracked anomalies in real time,  would this have surfaced the hack immediately, giving the company plenty of time to respond, and thwart any damage?

What happened with Equifax?

Equifax is one of the three major consumer credit reporting agencies. The company reported on September 7th that hackers had gained access to company data that potentially compromised sensitive information for 143 million American consumers, including Social Security numbers and driver’s license numbers, posing serious repercussions for identity theft.

Dan Goodin reported in Ars Technica “The breach Equifax reported Thursday, however, very possibly is the most severe of all for a simple reason: the breath-taking amount of highly sensitive data it handed over to criminals. By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be.”

While still unclear who was behind the attack, with some conjecturing that this was a state-sponsored attack, the data could now be in the hands of hostile governments, criminal gangs, or both and will stay there indefinitely. This leaves over half the population of the US’s vital identifying information exposed.

Even worse, while the leak occurred in the spring, the company only went public in September. “The fallout has been swift, with government agencies looking into the incident, class action lawsuits being filed, and consumers demanding free credit freezes.”

Why did so much personal data get leaked from Equifax?

Cybercriminals exploited a security flaw on the Equifax website. Brian Krebs reported on KrebsonSecurity how the criminals did it. “It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”

Looking deeper into the hack, Blogger and admin for SPUZ said, “I asked the hackers one last request before disconnecting. I asked, “How did you manage to get the passwords to some of the databases?” Surely the panels had really bad security but what about the other sections to them? Surely there was encrypted data stored within these large archives no? Yes. There was. But guess where they decided to keep the private keys? Embedded within the panels themselves.”

Equifax has confirmed that a web server vulnerability in Apache Struts that it failed to patch months ago was to blame for the data breach.

DZone explains how this framework functions. “The Struts framework is typically used to implement HTTP APIs, either supporting RESTful-type APIs or supporting dynamic server-side HTML UI generation. The flaw occurred in the way Struts maps submitted HTML forms to Struts-based, server-side actions/endpoint controllers. These key/value string pairs are mapped Java objects using the OGNL Jakarta framework, which is a dependent library used by the Struts framework. OGNL is a reflection-based library that allows Java objects to be manipulated using string commands.”

How could AI-powered Analytics have made an impact?

This situation could have been reacted to much faster had the right real-time business intelligence services been integrated into their systems.

Approaches like this, such as Anodot’s AI-powered Analytics solution, correlate a company’s raw data to quickly identify anomalous behavior and discover suspicious events in real time, before they become crises. Once an issue is detected technical teams are alerted, so they can resolve issues before they unravel.

Companies need to know what their data can tell them right away in order to fix costly problems. Working at the scale of actively monitoring thousands or even millions of metrics, you need an AI-powered analytics solution, with automated real time anomaly detection.

Had Anodot’s AI-powered analytics been in place, it could have tracked the number of API Get Requests for user data, and noticed an anomalous spike in requests, catching the breach instantly, regardless of the existing vulnerabilities.

Written by Anodot

Anodot is the leader in Autonomous Business Monitoring. Data-driven companies use Anodot's machine learning platform to detect business incidents in real time, helping slash time to detection by as much as 80 percent and reduce alert noise by as much as 95 percent. Thus far, Anodot has helped customers reclaim millions in time and revenue.

alert decoration image

What can Autonomous Business Monitoring do for you?

Book a discovery call. It’s short and painless, and a quick way to see what we've done for businesses like yours.