Brian Krebs of reported this week in KrebsonSecurity that he alerted Experian on Dec. 23, 2022, that “identity thieves had worked out how to bypass its security and access any consumer’s full credit report — armed with nothing more than a person’s name, address, date of birth, and Social Security number. “He noted that Experian fixed the problem but failed to inform consumers or authorities of the incident for a month.
Experian's system was exploited by way of an insecure object reference, or IDOR. This information makes it clear that there was simply a lack of application security applied to their web application. This type of vulnerability is extremely easy to discover through automated tools or manual testing. Any company with a simple AppSec (or application security) program should have been able to discover it. This was in no way a sophisticated or complex attack process. There were no major phishing emails with custom malware sent out, and no advanced social engineering attempts were made to bypass multi-factor authentication. The only thing needed to execute this attack were simple tools that come bundled with any operating system.
Sloppy Security Leads to Breach
Experian's 'breach' seems to be yet another tragic tale of a major corporation entrusted with safeguarding people's information that instead chooses to ultimately pass on its responsibility and cut corners. Too many companies see security as a deceleration obstacle or cost center, but basic security hygiene is just as important as standard IT practices in modern business. As a business, you should not be legally allowed to operate if you handle sensitive, private, or other confidential information and do not have security in place.
To further the absurdity of the episode, Experian was tight-lipped about the issue. The fact that they did not disclose the leak but instead silently patched it and prayed for the best is incredibly troubling, considering the sort of information exposed. By not "owning up" and handling the situation as we've seen reputable companies do in the past -- such as, for example, Capital One -- this situation is compounded with concern. It’s hard not to wonder whether there are other information or issues the company knew about that should have been shared with the public. As an organization that holds such a vast amount of private information that impacts the American public, the response so far seems to be nothing more than pathetic.
When such a significant provider of credit information is compromised in such a frivolous way, one can only ask how they will be held accountable. Major legislation should be pushed to hold organizations responsible when the public is left uninformed or deceived about a leak or breach. With users powerless to protect their data, we need significant governmental efforts to punish and reprimand companies that actively mislead victims due to their organization’s own folly. Keep in mind, while we are currently experiencing a dire cybersecurity skills shortage, there are contractors and companies that could assist with the rudimentary and basic testing of applications on all levels of the software security development lifecycle (or SSDLC).
Legislation Aims to Hold High-Risk Systems Accountable
Thankfully, there is at least one piece of legislation out there aiming to address this problem, the "Mind Your Own Business Act of 2021." As the original KrebsOnSecurity article outlined, this bill requires "assessments, periodic reporting, and the development of an opt-out process for specified commercial entities that operate high-risk information systems or automated-decision systems, such as those that use artificial intelligence or machine learning." At a bare minimum, requirements for security testing would benefit all consumers, especially those impacted by negligent leaks and breaches, such as those described above.
Of special interest is the capability of opting out fully from systems like Experian's. The value of true opt-out capabilities seems to be lost on American lawmakers, and thus we do not have nearly the robust level of protection as individuals in Europe. Since GDPR (General Data Protection Regulation) was implemented, some tech companies have attempted to modify their approach in order to continue operating efficiently in the EU. As incidents like Experian's continue to add up by way of comically avoidable vulnerabilities, when will other bills be introduced or passed to protect us as American citizens?
This type of vulnerability could have been discovered by an entry-level application security analyst, an automated tool, or even a simple bug bounty program. OWASP's top 10 has been around for a while now, so none of these anti-patterns are new in our industry. Simply using the web application from a standard browser is the only real tool needed to identify and exploit their application flaw. Combine this with an attacker who possesses simple scripting capabilities, and it becomes even direr. Hundreds of thousands of enumeration requests could be sent with a few lines of code that would result in the exposure of hundreds of thousands of individuals' private information.
Companies need to be held accountable. As is, we are powerless when it comes to how larger companies like Experian directly manage our data. As American citizens, we need to push our representatives to take action and do something to hold them responsible. With breaches and leaks now standard fare in the news, class action lawsuits can only go so far. The development of cyber insurance as a risk-transfer tactic is an industry in and of itself. Thus, there must be a bigger 'stick' that citizens can wield against such pathetic security practices in the current year.
