Equifax Hack Blamed on a Flaw in Apache Struts Framework

A flaw in the Apache Struts framework led to the exposure of the personal data of 143 million Equifax consumers.

Equifax, one of the major US credit reporting agencies, suffered a massive data breach, discovered in July this year, in which the personal information of about 143 million American consumers was exposed. The firm is also facing a billion-dollar lawsuit over the breach.

Now, according to the findings of the Baird Equity Research report [PDF], the breach was the result of a security vulnerability in Apache Struts, an open-source Model-View-Controller (MVC) framework for building Java web applications. The data exposed in the breach included names, dates of birth, residential addresses and Social Security numbers.

According to a blog post by Jeff Williams, co-founder and CTO of Contrast Security, the Struts vulnerability is either CVE-2017-5638 (made public back in March 2017) or the recently disclosed CVE-2017-9805, but he assumes it to be the former. It is much easier to exploit: a single unauthenticated HTTP request with a crafted Content-Type header containing an OGNL expression is enough to get code execution on an unpatched server, and his company has observed widespread exploitation of CVE-2017-5638 over the past few months.
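The header-based trigger is what makes CVE-2017-5638 both easy to exploit and easy to spot at the edge: an OGNL expression (`%{...}` or `${...}`) sitting in a header that should only ever hold a media type. As an added example, not code from the article or from Contrast Security, the Python below scores request headers for that pattern over a handful of constructed sample requests. The header names and payload tokens it looks for are this example's own choices, not a published signature, and the sample traffic is made up.

```python
"""Added example: flag CVE-2017-5638 exploitation attempts in request headers."""
import re
from typing import Dict, Iterable, List

# In affected Struts 2 versions the Jakarta Multipart parser evaluates OGNL that
# arrives in a malformed Content-Type header, so exploit traffic carries an
# expression where a media type belongs. The header list and token list below
# are this example's own choices (assumption), not an official signature.
SUSPECT_HEADERS = ("content-type", "content-disposition", "content-length")
OGNL_OPEN = re.compile(r"[%$]\{")
OGNL_TOKENS = re.compile(
    r"#_memberAccess|ognl\.OgnlContext|@java\.lang\.Runtime@|"
    r"ProcessBuilder|getRuntime\(\)\.exec|allowStaticMethodAccess",
    re.IGNORECASE,
)


def score_request(headers: Dict[str, str]) -> int:
    """Return 0 for benign headers, 1 if a suspect header holds an OGNL-looking
    value, 2 if that value also names known code-execution primitives."""
    score = 0
    for name, value in headers.items():
        if name.lower() not in SUSPECT_HEADERS:
            continue  # OGNL elsewhere (e.g. User-Agent) is not this bug's trigger
        if OGNL_OPEN.search(value):
            score = max(score, 1)
            if OGNL_TOKENS.search(value):
                score = 2
    return score


def find_struts_probes(requests: Iterable[Dict]) -> List[Dict]:
    """Return the requests that look like CVE-2017-5638 attempts, each with a
    'score' key added, preserving input order."""
    hits = []
    for req in requests:
        s = score_request(req["headers"])
        if s:
            hits.append({**req, "score": s})
    return hits


# Constructed sample traffic (not real logs): a legitimate upload, a benign
# form post, a scanner-style arithmetic probe and a command-execution attempt.
SAMPLE_REQUESTS = [
    {"src": "198.51.100.7", "path": "/upload.action",
     "headers": {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4"}},
    {"src": "198.51.100.8", "path": "/index.action",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"}},
    {"src": "203.0.113.9", "path": "/index.action",
     "headers": {"Content-Type": "%{(#_='multipart/form-data').(#a=1+1)}"}},
    {"src": "203.0.113.10", "path": "/index.action",
     "headers": {"Content-Type": "%{(#_='multipart/form-data')."
                                 "(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
                                 "(#cmd='id').(#p=new java.lang.ProcessBuilder(#cmd)).(#p.start())}"}},
]

if __name__ == "__main__":
    for hit in find_struts_probes(SAMPLE_REQUESTS):
        print(f"score={hit['score']} src={hit['src']} path={hit['path']}")
```

The score-1 tier matters in practice: scanners send an arithmetic probe first and only follow up with a payload where the result comes back evaluated, so a burst of score-1 hits from one source is the early signal, and a score-2 hit against a host still running an affected version should be treated as a likely compromise rather than an attempt.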

Williams noted that, as is the norm, organizations took a long time, well over four months, to deal with CVE-2017-5638, because even in leading organizations the gap between identification of a flaw and patching of the affected applications runs to months. Given that, it is not surprising that massive breaches keep happening, with web application attacks the leading cause.

“The *average* Web application or API has 26.7 serious vulnerabilities. That is a staggering, unbelievable number. And organizations often have hundreds, thousands, or even tens of thousands of applications,” wrote Williams.

On the other hand, Rene Gielen, vice president of Apache Struts, states that the team behind Struts puts great effort into "securing and hardening the software" and always tries to fix problems as soon as they are identified.

However, Gielen urges that, to prevent breaches like Equifax's, users need to know which supporting frameworks and libraries are embedded in the software products they run, and to keep up with the security announcements that affect those products.

Furthermore, users must update supporting frameworks promptly, so that a security fix is in place before the vulnerable product is exploited. This matters because a majority of breaches result from a failure to update software components that have already been identified as vulnerable to exploitation.
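An inventory check is the concrete form of that advice. The Python below is an added example, not code from the Apache Struts project or from this article: it takes a constructed list of application-to-jar lines (the kind of output `unzip -l` on a WAR gives) and reports which deployed struts2-core versions fall inside the affected ranges the Struts advisories list for CVE-2017-5638 (S2-045) and CVE-2017-9805 (S2-052). The line format and the inventory contents are assumptions made for the example.

```python
"""Added example: audit a dependency inventory for Struts 2 versions affected by
CVE-2017-5638 and CVE-2017-9805."""
import re
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2.5.10.1' -> (2, 5, 10, 1); tuple comparison orders versions correctly,
    including the four-part fix release 2.5.10.1 sorting above 2.5.10."""
    return tuple(int(p) for p in text.split("."))


# Affected ranges from the Apache Struts advisories S2-045 (CVE-2017-5638) and
# S2-052 (CVE-2017-9805); each entry is (first affected, first fixed).
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "CVE-2017-5638": [((2, 3, 5), (2, 3, 32)), ((2, 5), (2, 5, 10, 1))],
    "CVE-2017-9805": [((2, 1, 2), (2, 3, 34)), ((2, 5), (2, 5, 13))],
}


def vulnerable_to(version: Version) -> List[str]:
    """CVEs whose affected range contains this version, in advisory order."""
    return [cve for cve, ranges in AFFECTED.items()
            if any(lo <= version < hi for lo, hi in ranges)]


# Assumed inventory line format: "<application>: <path inside the archive>".
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar")


def audit_inventory(lines: Iterable[str]) -> Dict[str, Dict[str, List[str]]]:
    """Map each application to {struts2-core version: [CVEs]} for every
    struts2-core jar found in the inventory."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for line in lines:
        app, _, path = line.partition(":")
        m = JAR_RE.search(path)
        if not m:
            continue  # not the core jar (plugins, other libraries)
        ver = m.group(1)
        report.setdefault(app.strip(), {})[ver] = vulnerable_to(parse_version(ver))
    return report


# Constructed inventory, not real data.
SAMPLE_INVENTORY = [
    "portal.war: WEB-INF/lib/struts2-core-2.3.31.jar",
    "portal.war: WEB-INF/lib/struts2-rest-plugin-2.3.31.jar",
    "billing.war: WEB-INF/lib/struts2-core-2.3.32.jar",
    "intranet.war: WEB-INF/lib/struts2-core-2.5.13.jar",
    "legacy.war: WEB-INF/lib/struts2-core-2.5.jar",
]

if __name__ == "__main__":
    for app, versions in audit_inventory(SAMPLE_INVENTORY).items():
        for ver, cves in versions.items():
            status = ", ".join(cves) if cves else "not affected by S2-045/S2-052"
            print(f"{app}: struts2-core {ver}: {status}")
```

Two caveats a practitioner would add. CVE-2017-9805 is only reachable through the REST plugin, so a version match on that CVE is a worst-case signal to confirm against the deployed plugins (the rest-plugin line above is the hint that portal.war is actually exposed). And matching on jar file names misses shaded or relocated copies of Struts, so an inventory built from `pom.xml` dependency trees or from class fingerprints inside the archives is the more reliable input; the version-range logic stays the same.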

In an email conversation with HackRead.com, Alex Smith, Director of Security Products at Intermedia, said: "While the scale of the Equifax breach doesn't reach the heights of some previous breaches, such as Yahoo, it is by far the most invasive when you look at all the sensitive personal data accessed. Impacting 143 million consumers touches well over 50 percent of Americans who rely on bank loans and credit scoring.

This latest breach could have wide-reaching implications for how Americans identify themselves in the future, such as when applying for banking and credit services – simply knowing a name, date of birth, address and social security number shouldn’t ever be enough. This breach could finally be the security wakeup call the US needs to widely adopt digital identity tokens, and potentially a digital national identity scheme similar to other countries such as Belgium.”

Carolina

Carolina works for HackRead as a technical writer. She is a Brazilian traveller who has been to almost every country around the world. She has a keen interest in technology, gadgets and social media.