FTC Opens Probe into Equifax Data Breach

Apache Struts flaw was known to be critical and should have been addressed, security researchers say.

The US Federal Trade Commission (FTC) has launched a formal investigation into the massive data breach of Equifax, which yesterday confirmed its failure to address a previously disclosed Apache Struts vulnerability that was exploited in the attack.
Meanwhile, Equifax share prices continued to plummet this week - now 35% lower than before the breach - in an ominous sign of the breachs potential finanical devastation to the credit-monitoring firm.
In a statement to Dark Reading, an FTC spokesperson confirmed reports about the agency opening an Equifax breach investigation.
The FTC typically does not comment on ongoing investigations, the spokesperson said. However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach.
Separately, the FTC Thursday also issued an
alert
, warning consumers of potential phishing scams related to the Equifax breach.
Equifax last week announced that intruders had
broken into its systems
between May and July this year and accessed Social Security Numbers, birthdates, and other sensitive data on 143 million US consumers. On Sept. 13, the company
identified
the vulnerability that enabled the intrusion as Apache Struts
CVE-2017-5638
, a flaw that was disclosed in March this year and which many believe Equifax should have addressed.
This vulnerability was scored CVSS 10/10 – the highest rating, says Jeff Williams, co-founder and CTO at Contrast Security. Within hours of the disclosure, we started seeing widespread automated attacks attempting to exploit this vulnerability. Those attacks are still ongoing, says Williams who earlier this year discovered and reported another Apache Struts flaw.
Williams describes the flaw that felled Equifax as giving attackers a way to take over an entire Web host with a single HTTP request. Essentially, an attacker could send a single HTTP request – just like the ones your browser sends – except with a specially crafted header that contains the attack.
Flaws such as these are disclosed many times a year and require organizations to have processes in place to monitor for and replace libraries as vulnerabilities are disclosed. Ensuring that you dont use libraries with known vulnerabilities has been in the OWASP Top 10 since 2009, he says.
Implementing the advice can be challenging, especially in large organizations such as Equifax, and can often require rewriting, retesting, and redeploying an application, Williams concedes. Even so, organizations absolutely need to have processes to ensure they dont use vulnerable libraries, he says.
Updates to Apache Struts require more of a migration than the sort of in-place patching associated with the majority of updates, adds Michael Veenstra, Web researcher at SiteLock. The effort could require a nontrivial amount of testing and development time to ensure existing applications functioned properly following the upgrade, he says.
In this case, however, there were intermediate workarounds suggested by the Apache Struts documentation that would have been significantly easier to implement in the short-term and given Equifax the time it needed to replace the vulnerable libraries.
Web access firewall rules could also have been put in place to identify attempts to exploit this vulnerability without affecting the performance of unrelated systems, Veenstra notes. This flaw was definitely not one to ignore. Anyone running vulnerable versions of Struts should have made this an immediate, critical priority.
Adding to the growing feeling that Equifaxs security practices may have been subpar were reports this week that the company had used a default admin username and password combination to protect an employee portal in Argentina.
Security blogger
Brian Krebs
described the portal, which has now been taken down, as something that was being used to handle consumer disputes over credit reports. Anyone that had access to the portal could view sensitive personal data of more than 100 Equifax employees in Argentina and some 14,000 records containing similar information on consumers who had disputes with the company.
Intrusions such as the one at Equifax, and the companys failure to detect it for more than two months, typically are used as examples of why organizations need to monitor their network activity more closely. But that alone is not enough, Veenstra says. Given the more than two-month window that the attackers had in this instance, it is hard to determine the rate at which they were exfiltrating data, he says.
Its entirely possible that the adversary was carefully throttling the rate at which the data was being pulled. This can serve to reduce how noisy the activity is on a target network, he notes. Such attacks really demonstrate is the need for multiple layers of security, he says.
Intrusion detection systems (IDS), for instance, should be put in place to identify when Web services are executing unusual system-level commands and Web application firewalls for monitoring for indications of attack. Interactions between Web services and sensitive databases need to be logged and monitored closely with transactions being directly connected to the activities requesting them. Internal systems also need to be separated to the extent possible to restrict attackers from moving around.
Identifying suspicious requests early could have been the difference between thousands of victims and millions, Veenstra says.
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity
agenda here
.
Related Content:
Equifax Data Breach Prompts Calls For Tougher Security Requirements On Data Aggregators
Equifax Gets Slammed, Removes Forced Arbitration Clause from Credit Monitoring Offe
r
Experian Gets Hacked, Exposing SSNs, Data from 15 Million T-Mobile Customers
7 Takeaways From The Equifax Data Breach

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
FTC Opens Probe into Equifax Data Breach