Last week, consumer credit reporting agency Equifax reported a massive breach in security with reportedly one hundred and forty three million americans being affected. The independent cybersecurity firm working with Equifax to unravel the vulnerabilities that led to the data breach has identified similar loopholes in Equifax’s Argentina website too.
Hold Security, a leading independent cybersecurity firm which is working with Equifax to identify the gaps and plug them, so that repeat episodes of the last week do not occur again, had identified the breach in their US website to be the Apache Struts CVE-2017-5638.
The breach which can lead to the misuse of such highly sensitive financial data can cause havoc for those affected.
What is Apache Struts?
Apache Struts is an open source framework for developing Java based applications that run both the front end as well as back end web servers. Financial institutions are extremely heavy users of this framework.
The Argentine Episode
Hold Security conducted investigations into Equifax's south American operations too as the US leak came to light.
Brian Kerbs, as per the information shared with him by Alex Holden, researcher at Hold Security states that hacking into Equifax's Argentina website was as simple as boiling an egg. He says that it was extremely easy to get into an employee portal to manage credit disputes and then access sensitive customer information.
This very portal had extremely generic security credentials in the username being 'admin’ and even the password was set as 'admin’. So, it didn't really need a wiz kid to crack this set of credentials.
On further investigation, the researchers at Hold Security discovered that most of the personally identifiable employee information such as employee names, their employee IDs as well as emails were all exposed without any safeguard in place.
Brian Kerbs also states that the website's user names were on display in plain text. The passwords, even though not in plain text, did not entail the requirement of a hacking genius to expose them. All that had to be done to expose the passwords was right click on any of the passwords and then looking them up in the website’s source code.
What did come as a surprise to him was that the user names and their respective passwords were, in most of the cases just the employee's last name. The researchers also unearthed that anyone with admin access to that portal had the power or ability to add, modify as well as delete the employee details.
Accessing the credit management portal, the researchers were also able to gain easy access into consumer’s complaint records on the website itself. This portion of the website also contained the Argentine version of the US’ social security number as well as P II. One cannot strive to be any more careless with the secure storage of the P II details.
The Good News
The positive takeaway from this fiasco is that the world and Equifax's customers can heave a sigh of relief as Equifax shut the website down as soon as they were made aware of the gaping holes in their system.