This is based on a report from Baird Equity Research.
Some key items from that report:
* "Our understanding is data retained by EFX primarily generated through consumer interactions was breached via the Apache Struts flaw (i.e., core databases not believed to have been breached)."
* "Key EFX databases are not known to have been breached as part of the incident, including the consumer credit file, TWN, NCTUE, IXI, or its commercial credit database. Our understanding is that data entered (and retained) through consumer portals/interactions (consumers inquiring about their credit reports, disputes, etc.) and data around it was breached via the Apache Struts flaw."
* "the breach is believed to have occurred from mid-May through July" and was discovered on July 29.
It's not clear whether this is referring to the Struts problem just announced or if it's the Struts problem earlier in the year, but if it's the just-announced one then it means that someone was actively exploiting it in the wild since at least May of this year. The timeframe would fit better for the early-2017 vulnerability [1] which was apparently also being exploited in the wild in March.
Obviously if they had enough access to the system it would be possible to connect through to the databases being accessed, but if this was all scraping of data passing through rather than at-rest then it may also indicate a lot more sophistication in the attack - unless there's a small number of points where the attackers could copy out data, this likely required a fair amount of analysis of Equifax's code to shim things in and grab data without breaking things.
The other interesting question is more along the lines of "If you haven't interacted with Equifax and haven't applied for anything involving credit, does that lessen the risk that you're impacted?"
I find it curious how one can implant code like this into existing codebases. It takes us a while to code review and deploy, and when we deploy we overwrite what's already on production.
I would guess that if you have any sort of credit history or digital financial trail, companies are sending it to Equifax. Could be something as simple as a cell phone service.
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638 (Apache Struts Jakarta Multipart Parser file upload vulnerability for RCE)