Two of the big three US credit bureaus, Experian and Equifax, have suffered a significant breach of consumer data in the last two years. In September 2015, Experian reported a breach[1] of more than 15 million consumer records containing critical information, including addresses, Social Security numbers and dates of birth. More recently, Equifax suffered a breach of more than 143 million consumer records, including names, Social Security numbers, credit card numbers and personal documents.[2]

The full extent of the damage hackers do to corporations is difficult to estimate, though Experian stock fell 13% in after-hours trading as news of the breach broke.[3] While shareholders have seen $3.46 billion in value evaporate since the breach,[4] the full collateral damage fallout from the attack is far from being realized.

Most news coverage will carefully follow the direct cost to Equifax. Early analyst estimates for Equifax’s exposure are coming in at around $238.3 million – a material cost, but manageable over the long term. The real costs will be collateral damage fallout. As soon as the Equifax news broke, for instance, Experian share prices took a sizable hit, down 1.3% and 4% respectively.

Beyond the woes of Experian and its investors, the 143 million US consumers whose sensitive data Equifax gathers and mines as its bread and butter will also suffer significant collateral damage fallout, and that potential fallout goes well beyond what Experian’s offer of one year of free credit monitoring can address.

However, few news stories will follow the collateral damage fallout should the technique behind the Equifax breach be widely publicized. If, as Equifax reported, the exploited vulnerability was in the Apache Struts framework for Java web applications, then the Equifax breach may be just the tip of the iceberg. According to a recent security report,[5] 65% of Fortune 100 companies currently use web applications built on the framework. Moreover, half of all websites are written in Java, and a whopping 97% of them have at least one known vulnerability.[6]

The Struts bug, now tracked as CVE-2017-9805, potentially allows the Struts REST plugin to accept malicious input from a user. If delivered properly, that input is executed as code when Struts converts (deserializes) it into Java objects. The bug is particularly dangerous because it can give an attacker direct access to the web server; from there, attackers can steal critical data, delete important documents, or launch a ransomware attack.
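As an added example (not from the original post or from ThreatModeler), the following Python inventory check flags a deployment whose Struts REST plugin falls inside the version ranges the Apache S2-052 advisory lists as affected by CVE-2017-9805 (2.1.2 through 2.3.33 and 2.5 through 2.5.12, fixed in 2.3.34 and 2.5.13); the jar listing is constructed, and the jar-name pattern is an assumption about standard Maven artifact naming.

```python
import re
from typing import Dict, Iterable, Tuple

# Affected ranges from the Apache Struts S2-052 advisory (CVE-2017-9805).
AFFECTED_RANGES = [((2, 1, 2), (2, 3, 33)), ((2, 5, 0), (2, 5, 12))]

# Assumed Maven-style artifact naming, e.g. struts2-rest-plugin-2.5.10.jar
JAR_RE = re.compile(r"^(struts2-core|struts2-rest-plugin)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2.5' or '2.3.33' into a comparable three-part tuple."""
    parts = tuple(int(p) for p in text.split("."))
    return (parts + (0, 0, 0))[:3]


def is_affected_version(version: str) -> bool:
    """True if the REST plugin version lies in an advisory-listed affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def inventory(jar_names: Iterable[str]) -> Dict[str, str]:
    """Map recognised Struts artifacts found in a lib directory to their versions."""
    found: Dict[str, str] = {}
    for name in jar_names:
        m = JAR_RE.match(name.strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found


def assess(jar_names: Iterable[str]) -> Tuple[str, str]:
    """Return (status, reason); the bug lives in the REST plugin, so its absence means no exposure."""
    rest = inventory(jar_names).get("struts2-rest-plugin")
    if rest is None:
        return ("not exposed", "struts2-rest-plugin is not deployed")
    if is_affected_version(rest):
        return ("vulnerable", f"struts2-rest-plugin {rest} is in the affected range; "
                              "upgrade to 2.3.34 / 2.5.13 or later")
    return ("patched", f"struts2-rest-plugin {rest} is outside the affected range")


# Constructed sample of a WEB-INF/lib listing.
SAMPLE_LIB_DIR = ["commons-lang3-3.6.jar", "struts2-core-2.5.10.jar",
                  "struts2-rest-plugin-2.5.10.jar", "xstream-1.4.8.jar"]

if __name__ == "__main__":
    print(assess(SAMPLE_LIB_DIR))
```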

The collateral damage fallout of the Experian breach has not yet even begun to be realized. According to the researchers, a publicly available exploit for the Struts bug does not yet exist, “but it is likely that there will be one soon.” When that day comes, expect your personal information to be available to anyone, anywhere. Moreover, as your personal information becomes more freely available, expect more aggressive competition among those who try to profit from it through more frequent and more believable personalized scams.

The best way for organizations to understand whether they are vulnerable to a Struts bug attack is through enterprise threat modeling with ThreatModeler™. ThreatModeler allows users to understand their threats across their entire DevOps portfolio, as well as any downstream impacts, at the click of a button. Unlike other threat modeling tools on the market, ThreatModeler is the only architecture-based solution, allowing users to quickly determine threats and impacts from application interactions, shared components, and third-party systems.

Learn how to avoid collateral damage fallout by understanding your comprehensive threat posture by clicking here to schedule a live ThreatModeler presentation.


[1] Legere, John. “T-Mobile CEO on Experian’s Data Breach.” T-Mobile: Bonn, Germany. October 8, 2015.

[2] Kane, Libby. “The Equifax breach of up to 143 million accounts exposed the ‘crown jewels’ for fraudsters.” Business Insider. Business Insider, Inc: New York. September 8, 2017.

[3] “Equifax Data Breach: Stock Price Falls as Criticism Mounts.” Reuters. Fortune Magazine. Fortune: New York. September 8, 2017.

[4] Kilgore, Tomi. “Equifax’s data breach costs investors a lot more than it will cost the company.” MarketWatch. MarketWatch, Inc: San Francisco. September 11, 2017.

[5] Collins, Keith. “Researchers just discovered a bug that has made Fortune 100 companies vulnerable to simple hacks since 2008.” Quartz. Quartz: New York. September 5, 2017.

[6] Zorabedian, John. “Don’t Get Zapped by the Struts-Shock Vulnerability Affecting Apache Struts 2.” Veracode. CA Technologies: Burlington. March 9, 2017.