link to the published version: IEEE Computer, May, 2020



THE EQUIFAX HACK REVISITED AND REPURPOSED

Hal Berghel

The recent indictments against Chinese hackers should be seen as political theater. Once again, the Equifax hack rears its ugly head – but this time for a political purpose.


On February 10, 2020, Attorney General William Barr announced the indictment of four Chinese military personnel for hacking into the Equifax servers in 2017 (https://www.youtube.com/watch?v=IpEuUzMPpxI). To the uninitiated, the presentation may impart minimal confidence in his Department of Justice (DoJ), but to non-partisan security specialists it will be seen as a purposeless effort to draw attention away from other topics, such as the real problems underscored by the Equifax hack and the recent questionable behavior by the Department of Justice. Barr's anti-climactic faux prosecution announcement is taken from the pages of Aldous Huxley and George Orwell. It falls under the rubric of what I shall call juridical superfluity. Let me explain why I say this.

BACKGROUND

There has never been any serious dispute over the nature of the Equifax hack, and not much dispute over the perpetrators. Bloomberg Businessweek speculated shortly after the hack was announced in 2017 that the hack was likely state-sponsored [RILEY], and the Daily Mail expanded the speculation by accusing China the next day [GRIFFITH]. While Barr gives the impression that the China connection was discovered only through a no-stone-unturned crackerjack investigation by his office, in fact his office's announcement was three years late to the party. The announcement is a rather pedestrian attempt to keep the story alive for reasons that have nothing to do with the crime or injury to victims.

What we know for certain is that Barr and the DoJ decided to actually prosecute four members of the Chinese People's Liberation Army [DOJ1]. Of course the likelihood that these individuals will be arrested, much less prosecuted and convicted, is about as likely as Donald Trump willingly providing his tax returns to the Washington Post. Good luck on serving those arrest warrants. As I've written before in this column, state-sponsored hacks are not uncommon these days. But as Andy Greenberg has noted, such pointless prosecution may lead to tit-for-tat retaliation by those targeted [GREENBERG]. Hopefully, savvy journalists and the public will come to understand Barr's Sinophobic rant for the political hokum that it is. However, Barr is the Attorney General, so his announcement deserves some careful analysis.

The actual indictment [DOJ2] is historically if not judicially interesting. It reports that “on or about May 13, 2018 and continuing through on or about July 30, 2017 members of the People's Liberation Army… conspired with each other to hack into the protected computers of Equifax... to steal sensitive personally identifiable information of 145 million Americans.” The hack took place through the unpatched Apache Struts server maintained by Equifax. Although the patch for this vulnerability was announced on March 7, 2017 [APACHE], the Equifax IT security team, led by a CISO with a background in music composition [ARENDS] [SWEET], didn't bother to apply it. In fact, Equifax didn't even announce the hack to the public until early September, six weeks after the incident [NEWMAN]. The fact that hackers accessed the PII of half the US population through a known yet unpatched security vulnerability falls under the rubric of what I label corporate faith-based security [BERG1].

No purposeless indictment would be complete without primitive visual aids, and this one does not disappoint. Photos of three of the four accused in military uniforms are appended. One may only assume that the gratuitous addition of photos to an indictment is intended to provide a dash of extra credibility to an otherwise feckless but formal legal document. Does anyone expect the photos to be prominently displayed on kiosks in theme parks and post offices coast-to-coast? Photos attached to indictments relating to national security offer a new step into future prosecutorial propaganda. I, for one, just can't wait until the DoJ starts making national security indictments a staple on YouTube – the online equivalent of Judge Judy for the national security complex. By way of comparison, one might look to the indictment of the 12 Russian intelligence officers for interfering with the 2016 US presidential election [DOJ4] – no gratuitous media to be found anywhere therein. Could it be that Barr's Department of Justice has an entirely different agenda in the Chinese Equifax case?

Well, wonder no more, because it becomes clear in section 5.b. of the indictment. We are informed that Equifax has taken “reasonable measures to keep [their trade secrets] secret…” from others who might seek to exploit their economic value. Just what were these reasonable measures? To answer that, we need to turn to the US Senate report on the incident, which came out in early 2019 [SENATE].

The Senate consensus follows immediately from the title of the Senate report: How Equifax Neglected Cybersecurity and Suffered a Devastating Data Breach. We note the difference between the tone of the Senate report and Barr's indictment. What Barr considers “reasonable measures” was deemed “neglected cybersecurity” by the Senate. But it gets worse for Equifax and the indictment hokum as one digs into the report. According to the report,

•  Equifax learned of significant cybersecurity deficiencies in 2015 – two years before the alleged Chinese hack. “[A] 2015 security audit identified more than 8,500 vulnerabilities that Equifax employees failed to address for more than 90 days beyond the recommended patching timeframe,” 1,000 of which were rated as critical, high or medium.

•  Equifax lacked a comprehensive information technology asset inventory – specifically, it didn't know whether it was using the Apache Struts software, so it wasn't aware of the need to patch it.

•  Equifax used what internal auditors called an “honor system” for patching vulnerabilities – i.e., it had no formal method for validating successful installation of patches.

•  Equifax did not employ follow-up audits after the 2015 audit to determine whether the vulnerabilities remained.

•  The CISO did not regularly attend the “global threats and vulnerability management” meetings where security vulnerabilities (like Apache Struts) were discussed, and Equifax had no policy regarding mandatory attendance.

•  Equifax networked systems were not isolated. The hackers entered the IT infrastructure through Equifax's Online Dispute Portal, but through that accessed other sensitive and unencrypted databases.

•  Equifax failed to adequately enforce SSL certificate management policies.

•  Equifax's records retention policy did not include all relevant incident response records as they used instant messaging as their primary communication medium, and these communications were considered ephemeral and not retained.

This is just a partial list of Equifax's security deficiencies, but based on Barr's announcement they qualify as “reasonable measures” to protect sensitive data. We won't even mention that Equifax had no formal policy on disclosure of compromised customer information. It waited 6 weeks to make the public announcement that they had been hacked. Careful reading of the Senate report suggests that the Equifax hack was less of a hack than an illegal intrusion. What Equifax did was create an attractive cyber-nuisance.
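Two of the Senate findings listed above (no asset inventory, and an “honor system” for patch validation) describe one missing control: checking the version actually deployed rather than trusting the closed ticket. The following Python script is an added example, not code from the column, the Senate report or Equifax; it runs that check over a constructed inventory. The fixed versions for CVE-2017-5638 (Struts 2.3.32 and 2.5.10.1) are taken from the Apache S2-045 bulletin; every hostname and ticket state below is constructed.

```python
"""Verify patch state against an asset inventory instead of a ticket queue."""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Minimum version per release branch in which CVE-2017-5638 (S2-045) is fixed.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (2, 3): (2, 3, 32),
    (2, 5): (2, 5, 10, 1),
}

# Constructed inventory (hypothetical hosts). The ticket column is the
# "honor system": what an engineer claimed, not what is deployed.
INVENTORY_CSV = """\
host,application,struts_version,patch_ticket_state
dispute-web-01,Online Dispute Portal,2.3.30,closed
dispute-web-02,Online Dispute Portal,2.3.32,closed
api-gw-01,Partner API,2.5.10,open
legacy-app-07,Unknown Java app,,closed
reports-01,Reporting,2.5.10.1,closed
"""


@dataclass
class Finding:
    host: str
    status: str  # PATCHED | VULNERABLE | CLAIMED_BUT_VULNERABLE | UNKNOWN_VERSION
    detail: str


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '2.5.10.1' into (2, 5, 10, 1); None when the field is blank or junk."""
    parts = text.strip().split(".")
    if not text.strip() or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_fixed(version: Tuple[int, ...]) -> Optional[bool]:
    """True/False against the branch's fixed version; None for an unlisted branch."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    # Tuple comparison handles the extra component in 2.5.10.1 correctly:
    # (2, 5, 10) < (2, 5, 10, 1), so plain 2.5.10 is still vulnerable.
    return version >= fixed


def assess_inventory(csv_text: str) -> List[Finding]:
    """Classify every host; a closed ticket on a vulnerable version is its own status."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        version = parse_version(row["struts_version"])
        fixed = is_fixed(version) if version is not None else None
        if fixed is None:
            # The inventory gap itself: we cannot say whether the patch is needed.
            status, detail = "UNKNOWN_VERSION", "no usable Struts version recorded"
        elif fixed:
            status, detail = "PATCHED", f"{row['struts_version']} >= fixed version"
        elif row["patch_ticket_state"] == "closed":
            status, detail = "CLAIMED_BUT_VULNERABLE", "ticket closed, binary unchanged"
        else:
            status, detail = "VULNERABLE", "known vulnerable version, ticket open"
        findings.append(Finding(row["host"], status, detail))
    return findings


def status_by_host(csv_text: str) -> Dict[str, str]:
    return {f.host: f.status for f in assess_inventory(csv_text)}


if __name__ == "__main__":
    for f in assess_inventory(INVENTORY_CSV):
        print(f"{f.host:16} {f.status:24} {f.detail}")
```

Any host reported as CLAIMED_BUT_VULNERABLE or UNKNOWN_VERSION is exactly the case a follow-up audit would have caught.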

Of course, the Equifax post mortem shows that the staff for the most part assumed a CYA stance. To paraphrase, no one could have prevented this as it was the most sophisticated cyberattack imaginable and totally indefensible, yadda yadda. Such claims are typical of embarrassed organizations and should be taken with the proverbial pinch of salt. Equifax didn't know what assets it had, nor what was needed to protect them; the CISO didn't attend the vulnerability management meetings; disparate components of the networked infrastructure weren't properly isolated; it didn't bother to implement certificate management policies; inadequate attention was paid to egress traffic; and the customer data wasn't adequately encrypted – then the Chinese stole it. Who could have seen that coming, according to Barr? As I've mentioned before [SCDOR], in many ways these cover-your-assets tactics and lame excuses resemble Elisabeth Kübler-Ross's five stages of grief. Equifax had a proven track record of ineptitude when it came to IT security controls and the protection of the data it held. Equifax security policy – and I use this term reluctantly – is analogous to locking your doors but leaving a few windows open. From an IT security point of view none of this qualifies as a reasonable measure to protect sensitive data.

Ultimately the standard barometer for determining the adequacy of security systems is whether they conform to industry best practices. There is no silver bullet to be found. If all of the competition adopts the same or similar information security policy, at least your organization can't be singled out as the lone incompetent player. As it turns out, the Senate report deals with this aspect as well by comparing Equifax's security practices – especially patch policies – with those of TransUnion and Experian, Equifax's closest business competitors. It should come as no surprise that Equifax suffers for the comparison in many ways and at most levels, specifically including ameliorating the Apache Struts vulnerability. It's all to be found in the Senate report and post mortems by security specialists [SANS].

THE REST OF THE STORY

The Senate findings make the Justice Department's indictment all the more curious. Without belaboring the point, a thorough understanding of the Equifax hack naturally suggests questions like:

  1. Why does the indictment's analysis of the hack downplay Equifax's culpability? The indictment seems to suggest that the four accused were super geeks who blazed a path to as yet unimagined hacker triumphs. But the evidence shows that they were primarily exploiting a known vulnerability that one of the credit reporting companies (viz. Equifax) simply chose to ignore. The facts suggest that far from cutting edge cyber aggression, the Equifax hack was more of an exercise in beginning hacking 101.
  2. Given the Senate report (and other responsible accounts from the technical press [SOWELLS][DOVE][SHEPHERD][NEWMAN2][KREBS]), how could Barr and the DoJ expect their defense of Equifax's cybersecurity practices to be taken seriously? If industry best practices are to be our guide, there was nothing reasonable about it. Amateurish seems to be a better fit. The wording in the indictment suggests that the purpose of the indictment is more theatrical than legal.
  3. Why is the emphasis in the indictment on the harm done to Equifax (and their world-class business practices) rather than that done to Equifax's innocent customers, whose compromised PII will doubtless lead to decades of future identity theft problems?
  4. What accounts for the timing of this seemingly senseless indictment? Temporally, we know that Barr's press release was the day before he overturned his prosecutors' sentencing recommendation for Roger Stone, and a few days before President Trump went on his latest pardon spree that included Michael Milken, Bernard Kerik, and Rod Blagojevich. The coincidence cannot be overlooked. If the indictment were intuitively justified and made a lot of legal sense, one might be tempted to ignore the coincidence. But in this case, especially given the history of the principals involved, the indictment doesn't pass my smell test. A sleight-of-hand move to distract public attention from attendant thorny political issues seems a likely possibility.
  5. Finally, one has to ask of all the bad actors, which are the most dangerous to the US and its citizens – foreign hackers or incompetent corporations who fail to respect the privacy and PII of their customers' data? There is no question that Equifax has not proven itself to be a responsible steward of the public's personally identifiable information. The total penalty to date, even if we take the higher figure, will serve as no deterrent to future irresponsible corporate behavior. Quite the contrary, it provides just one more moral hazard.

I encourage digital security specialists and investigators to repeat my analysis and derive their own conclusions.

Incidentally, irresponsible behavior is not limited to Equifax's CIO and CISO. According to a complaint filed in the US District Court for the Northern District of Georgia [BONTHU], after becoming aware of the hack, former Equifax production development manager of software engineering in Equifax's global consumer services division, Sudhakar Bonthu, bought $2,166 worth of out-of-the-money put option contracts for shares of Equifax common stock on September 1, 2017 in anticipation of Equifax's disclosure of the breach. The common stock dropped 14% on September 8, 2017, the day following the announcement, whereupon Bonthu exercised his options, profiting by $75,168 – a return of 3,500% in six days for his 86 put options. Since Bonthu's trading was based on material nonpublic information entrusted to him by Equifax, the District Court demanded that he forfeit the money with interest, pay a fine of $50,000 and serve eight months' home confinement! [DOJ3]

Equally interesting to me is that two days after the intrusion was discovered by Equifax, SEC records confirmed that three Equifax executives (the chief financial officer, the workforce solutions president, and the US information solutions president) sold approximately $2 million in Equifax stock from their portfolios [CNBC][HOLLY]. Coincidence? To top that, Rick Smith, the CEO of Equifax at the time of the hack, was subsequently given a $90 million retirement package [WIECZNER]. This is the stuff of which dime store novels on crony capitalism are made. There is definitely a Quentin Tarantino movie in this somewhere. I propose the following modest titles: Data Dogs or Once Upon a Time with Identity Theft.

So, what was the ultimate cost to Equifax? The actual settlement was somewhere between $700 million and $1.4 billion, depending on how and what you count [CR][McDonald]. However, by all accounts the amount available for victim reparations is $425 million [FTC], and approximately $80 million is provided for attorneys' fees, with some additional amounts for fines and penalties (https://www.youtube.com/watch?v=9GZQ1Nh_Rj8). That's right, $3/victim for reparations! The paltry amount allocated to victim indemnification guarantees that on average the victims' financial damage will remain uncompensated. But what is worse is that there is an onerous requirement that victims “prove up” any claimed losses. Proving up requires not only that the victims document damage, but that they also prove that the damage directly resulted from the Equifax incident and cannot have been the result of any other incident or action – an impossible challenge for any individual not currently a member of the country club set. Not surprisingly, I have a suggestion. Since Barr is already in a “gratuitous prosecution” mood, I think it only reasonable that he should sue the Chinese government for $150 trillion for victim reparations (that's $100,000 per victim, which in my opinion is far more realistic than the $3 that the FTC seeks from Equifax). Of course, that suit would go nowhere either, but it might provide the victims with more consolation than the futile prosecutions of 4 Chinese soldiers. If nothing else is accomplished, it offers better judicial theatrics.

AMERICAN EXEMPTIONALISM

One final thought on how the world might move forward purposefully from the Equifax experience. The Council of Europe adopted its Convention on Cybercrime (aka the Budapest Convention) in 2001 [BUDA]. This convention, and its 2006 extension, mandates that signatory countries pass laws that recognize and prosecute cybercrimes, broadly defined. Specifically, enumerated crimes include illegal access to and use of computing systems and networks, computer-related fraud, violations of copyright, offenses involving child pornography, hate crimes, distribution of racist material, etc. As of February 3, 2020, most members of the Council of Europe (except Russia) have signed the Budapest Convention, and only Sweden and Ireland have failed to ratify. The U.S. and its non-European allies have mostly ratified as well (notable exceptions including Mexico, Brazil, China and India) [SIG185]. In 2019 the United Nations began debate of a similar treaty initiated by Russia that included contributions from China, Australia, Canada, Cuba, the UK, Japan and several other allies [UN]. I'm sure you can see where this is headed. Because the initiative was inspired by Russia and China, western corporatists and American exceptionalists are unenthusiastic.

The issue is national sovereignty and corporate interests. The US position has always been strongly myopic, defending against any international judicial effort that might undermine the inviolability of US interests. The US also took this stance ten years ago when it opposed a similar UN treaty on cybercrime [MASTERS]. What the U.S. does not want is any international policy that interferes with existing U.S. monopolies in cyberspace and high tech, injects itself into any future tech space that the U.S. has carved out for itself, extends international investigatory reach into protected corporate space, undercuts the evidentiary standards currently applied by U.S. courts, etc. This posture is a consequence of the same American exceptionalism that led to the U.S. refusal to support the International Criminal Court and led to the 2002 passage of the “Hague Invasion Act.” The U.S. demand that it be immune from accountability suggests that a more accurate term might be American exemptionalism. As long as such nationalistic attitudes prevail, it will be difficult to get the international community to unite against cybercriminal activity, and a consequence of this will be that the U.S. will remain an attractive target.


REFERENCES (note: all URLs last accessed 2/11/20)

[RILEY] Riley, Michael, Jordan Robertson and Anita Sharpe, The Equifax Hack Has the Hallmarks of State-Sponsored Pros, Bloomberg Businessweek, Sept 29, 2017. ( https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros )

[GRIFFITH] Griffith, Keith, Was it China? Clues point to state sponsorship of massive Equifax hack, 30 September 2017. ( https://www.dailymail.co.uk/news/article-4937010/Clues-suggest-China-suspect-massive-Equifax-hack.html )

[DOJ1] Chinese Military Personnel Charged with Computer Fraud, Economic Espionage and Wire Fraud for Hacking into Credit Reporting Agency Equifax, Department of Justice Office of Public Affairs press release 20-157, February 10, 2020. ( https://www.justice.gov/opa/pr/chinese-military-personnel-charged-computer-fraud-economic-espionage-and-wire-fraud-hacking )

[GREENBERG] Greenberg, Andy, U.S. Indictment of Chinese Hackers Could Be Awkward for the NSA, Wired, 5.19.14. ( https://www.wired.com/2014/05/us-indictments-of-chinese-military-hackers-could-be-awkward-for-nsa/ )

[DOJ2] US v. Wu Zhiyong, et al, criminal indictment No. 2:20-CD046, US District Court for the Northern District of Georgia Atlanta Division, January 28, 2020. ( https://www.justice.gov/opa/press-release/file/1246891/download )

[APACHE] The Apache Software Foundation Confirms Equifax Data Breach Due to Failure to Install Patches Provided for Apache® Struts™ Exploit, September 14, 2017. ( https://blogs.apache.org/foundation/entry/media-alert-the-apache-software ) See also, Security Bulletin S2-045, Critical Patch for Apache Struts server, re: CVE-2017-5638, Apache, last revised March 19, 2017. ( https://cwiki.apache.org/confluence/display/WW/S2-045 )

[NEWMAN] Newman, Lily Hay, All the Ways Equifax Epically Bungled Its Breach Response, Wired, 8.24.17. ( https://www.wired.com/story/equifax-breach-response/ )

[BERG1] Berghel, Hal, Faith-Based Security, Communications of the ACM, 51:4, April 2008, pp. 13-17. ( https://cacm.acm.org/magazines/2008/4/5432-faith-based-security/fulltext )

[ARENDS] Arends, Brett, Equifax hired a music major as chief security officer and she has just retired, MarketWatch, Sept 15, 2017. ( https://www.marketwatch.com/story/equifax-ceo-hired-a-music-major-as-the-companys-chief-security-officer-2017-09-15 )

[SWEET] Key Equifax executives departing after huge data breach, Associated Press, September 17, 2017. ( https://apnews.com/68e36912eb4047dbbb532192e6648479 )

[DOJ4] US v. Viktor Borisovich Netyksho, et al, Case 1:18-cr-00215-ABJ, US District Court for the District of Columbia, July 13, 2018. ( https://www.justice.gov/file/1080281/download )

[SENATE] How Equifax Neglected Cybersecurity and Suffered a Devastating Data Breach, Staff Report (final), Permanent Subcommittee on Investigations, US Senate, March, 2019. ( https://www.hsgac.senate.gov/imo/media/doc/FINAL%20Equifax%20Report.pdf )

[SCDOR] Berghel, Hal, The SCDOR Hack: Great Security Theater in Five Stages, Computer, March, 2013, pp. 91-93. ( https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6489958 )

[SANS] Spitzner, Lance, The Congressional Report on Equifax Hack, SANS Security Awareness website, December, 2018. ( https://www.sans.org/security-awareness-training/blog/just-released-congressional-report-equifax-hack )

[SOWELLS] Sowells, Julia, Equifax's Senate Investigation: What Went Wrong?, Hacker Combat, March 9, 2019. ( https://hackercombat.com/equifaxs-senate-investigation-what-went-wrong/ )

[DOVE] Dove, Matthew, Equifax: Senate Goes Once More Into The Breach, The Fintech Times, March 26, 2019. ( https://thefintechtimes.com/equifax-breach-senate/ )

[SHEPHERD] Shepherd, Adam, The Equifax Effect: Explaining the biggest security disaster in the 21 st century, ITPRO, 15 Mar, 2019. ( https://www.itpro.co.uk/security/33242/the-equifax-effect-explaining-the-biggest-security-disaster-of-the-21st-century )

[NEWMAN2] Newman, Lily Hay, The WIRED Guide to Data Breaches, WIRED, 12.07.2018. ( https://www.wired.com/story/wired-guide-to-data-breaches/ )

[KREBS] Krebs, Brian, Ayuda! (Help!) Equifax Has My Data!, Krebs on Security, Sep 17, 2020. ( https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/ )

[BONTHU] Securities and Exchange Commission v. Sudhakar Reddy Bonthu, United States District Court for the Northern District of Georgia Atlanta Division, Case 1:18-cv-03114-MLB, June 28, 2018. ( https://www.sec.gov/litigation/complaints/2018/comp-pr2018-115.pdf )

[DOJ3] Former Equifax manager sentenced for insider trading, press release, US Attorney's Office, Northern District of Georgia, October 16, 2018. ( https://www.justice.gov/usao-ndga/pr/former-equifax-manager-sentenced-insider-trading )

[CNBC] Haselton, Todd and Yen Nee Lee, Three Equifax executives sold $2 million worth of shares days after cyberattack, CNBC Tech, Sep 7, 2017. ( https://www.cnbc.com/2017/09/07/equifax-cyberattack-three-executives-sold-shares-worth-nearly-2-million-days-after-data-breach.html )

[HOLLY] Trey Loughran: Equifax President Who Sold EFX Stock on 8/1, Hollywood LA News, September 10, 2017. ( https://www.hollywoodlanews.com/joseph-trey-loughran-equifax/ )

[WIECZNER] Wieczner, Jen, Equifax CEO Richard Smith Who Oversaw Breach to Collect $90 Million, Fortune, September 26, 2017. ( https://fortune.com/2017/09/26/equifax-ceo-richard-smith-net-worth/ )

[CR] St. John, Allen, Equifax Settlement: What's In It for Consumers, Consumer Reports, July 22, 2019. ( https://www.consumerreports.org/credit-bureaus/equifax-settlement/ )

[McDonald] McDonald, Robin, Equifax Reaches $1.4B Data Breach Settlement in Consumer Class Action, LAW.COM, July 22, 2019. ( https://www.law.com/nationallawjournal/2019/07/22/equifax-reaches-1-4-billion-data-breach-settlement-in-consumer-class-action/?slreturn=20200202141322 )

[FTC] Equifax Data Breach Settlement, Federal Trade Commission, January 2020. ( https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement )

[BUDA] Budapest Convention on Cybercrime, Council of Europe Treaty No. 185, 2001. ( https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=0900001680081561 )

[SIG185] Chart of signatures and ratifications of Treaty 185, Council of Europe, 02/03/2020. ( https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185/signatures?p_auth=lm4tVBVh )

[UN] Notes from the Open-ended Working Group 73/27 [on cybersecurity], United Nations, December, 2019. ( https://www.un.org/disarmament/open-ended-working-group/ )

[MASTERS] Masters, Greg, Global cybercrime treaty rejected at U.N., SC Magazine, April 23, 2010. ( https://www.scmagazine.com/home/security-news/global-cybercrime-treaty-rejected-at-u-n/ )