Struts, Equifax and China

And I’ll be taking care of business (every day). Taking care of business (every way). I’ve been taking care of business (it’s all mine). Taking care of business and working overtime, work out.

A familiar song for those of us that have been around the planet for a few years.

This post is a bit of a departure from the RV world although I often chat with fellow RVers about how they can protect their data when they are travelling. Sadly between corporations, governments and criminals, there is little we can do to fully secure our personal information.

Equifax is one example of a company that wasn’t taking care of business.

I remember when the Equifax breach first occurred. I was a Chief Information Officer (CIO) for a large insurance company in Canada. We had been advised of a critical bug in an open-source web development platform called Apache Struts. That notice was made back in March of 2017. The bug could allow a hacker to exploit the Struts flaw and gain access to our systems. The bug is listed on the National Vulnerability Database as CVE-2017-5638.

Critical bugs should be patched immediately.

Equifax did not patch immediately.
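The first thing a team in that position has to know is whether it is even running an affected build. As an added example (not code from the original post), here is a small Python check that reads the Struts dependencies declared in a Maven pom.xml and compares them against the version ranges Apache listed for CVE-2017-5638 (bulletin S2-045: 2.3.5 through 2.3.31 and 2.5 through 2.5.10 are affected; 2.3.32 and 2.5.10.1 are the fixed releases). The pom.xml text in the block is constructed for the demo, and the checker assumes the standard Maven POM namespace.

```python
"""Added example, not part of the original post: flag Apache Struts
dependencies whose declared version falls in the CVE-2017-5638 range.

Affected per Apache bulletin S2-045: Struts 2.3.5 - 2.3.31 and 2.5 - 2.5.10.
Fixed in 2.3.32 and 2.5.10.1. The sample POM below is constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Inclusive affected ranges as 3-component version tuples.
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10))]

MAVEN_NS = "http://maven.apache.org/POM/4.0.0"  # assumed standard POM namespace


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); '2.5' -> (2, 5, 0).

    Non-numeric suffixes are dropped; short versions are padded to three
    components so that '2.5' sorts as 2.5.0 and lands inside the 2.5 range,
    while '2.5.10.1' sorts strictly above 2.5.10 and is treated as fixed.
    """
    parts: List[int] = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if the given Struts version is inside an affected range."""
    parsed = parse_version(version)
    return any(low <= parsed <= high for low, high in AFFECTED_RANGES)


def scan_pom(pom_text: str) -> List[Tuple[str, str, bool]]:
    """Return (artifactId, version, affected) for each org.apache.struts dependency."""
    root = ET.fromstring(pom_text)
    ns = {"m": MAVEN_NS}
    findings = []
    for dep in root.iter(f"{{{MAVEN_NS}}}dependency"):
        group = dep.findtext("m:groupId", default="", namespaces=ns)
        artifact = dep.findtext("m:artifactId", default="", namespaces=ns)
        version = dep.findtext("m:version", default="", namespaces=ns)
        if group == "org.apache.struts" and version:
            findings.append((artifact, version, is_affected(version)))
    return findings


# Constructed sample: one vulnerable core dependency, one plugin already on a fixed build.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.31</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-convention-plugin</artifactId>
      <version>2.5.10.1</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for artifact, version, affected in scan_pom(SAMPLE_POM):
        status = "AFFECTED - patch now" if affected else "ok"
        print(f"{artifact} {version}: {status}")
```

Run against a real project the same way, pointing `scan_pom` at the file contents; a finding of `AFFECTED` on `struts2-core` is the signal that the March 2017 notice applied to you and the upgrade should not wait.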

Attackers hacked into their systems in mid-May, more than two months after the notice from Apache had been issued. Equifax reported the breach on September 7, 2017. The breach, which exposed data on roughly 150 million customers, is one of the largest in history.

Equifax fired their CIO, David Webb, shortly after the announcement. They also fired their chief security officer, Susan Mauldin, although this might be why: Equifax hired a music major as chief security officer. Jun Ying was next in line to be Equifax’s global CIO. He was charged with insider trading ahead of Equifax’s disclosure of a massive data breach. He sold all of his stock options before the announcement. Ying was sentenced to four months in federal prison.

Something odd about the management culture at Equifax.

The U.S. Department of Justice issued this press release and it makes the breach even more disturbing.

A federal grand jury in Atlanta returned an indictment last week charging four members of the Chinese People’s Liberation Army (PLA) with hacking into the computer systems of the credit reporting agency Equifax and stealing Americans’ personal data and Equifax’s valuable trade secrets.

The nine-count indictment alleges that Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei were members of the PLA’s 54th Research Institute, a component of the Chinese military. They allegedly conspired with each other to hack into Equifax’s computer networks, maintain unauthorized access to those computers, and steal sensitive, personally identifiable information of approximately 145 million American victims.

“This was a deliberate and sweeping intrusion into the private information of the American people,” said Attorney General William P. Barr, who made the announcement. “Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us. Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information.”

Many companies, like Equifax, do not take care of business. China and other state-sponsored hackers are taking advantage, although China is the most troublesome, with a long history of cyber-attacks. Here is a list of significant cyber attacks on government agencies and companies.

That list is quite disturbing.
