Slashdot Mirror
Equifax Blames Open-Source Software For Its Record-Breaking Security Breach (zdnet.com)
The blame for the record-breaking cybersecurity breach that affects at least 143 million people falls on the open-source server framework, Apache Struts, according to an unsubstantiated report by equity research firm Baird. The firm's source, per one report, is believed to be Equifax. ZDNet reports: Apache Struts is a popular open-source software programming Model-View-Controller (MVC) framework for Java. It is not, as some headlines have had it, a vendor software program. It's also not proven that Struts was the source of the hole the hackers drove through. In fact, several headlines -- some of which have since been retracted -- all source a single quote by a non-technical analyst from an Equifax source. Not only is that troubling journalistically, it's problematic from a technical point of view. In case you haven't noticed, Equifax appears to be utterly and completely clueless about their own technology. Equifax's own data breach detector isn't just useless: it's untrustworthy. Adding insult to injury, the credit agency's advice and support site looks, at first glance, to be a bogus, phishing-type site: "equifaxsecurity2017.com." That domain name screams fake. And what does it ask for if you go there? The last six figures of your social security number and last name. In other words, exactly the kind of information a hacker might ask for. Equifax's technical expertise, it has been shown, is less than acceptable. Could the root cause of the hack be a Struts security hole? Two days before the Equifax breach was reported, ZDNet reported a new and significant Struts security problem. While many jumped on this as the security hole, Equifax admitted hackers had broken in between mid-May through July, long before the most recent Struts flaw was revealed. "It's possible that the hackers found the hole on their own, but zero-day exploits aren't that common," reports ZDNet. "It's far more likely that -- if the problem was indeed with Struts -- it was with a separate but equally serious security problem in Struts, first patched in March." The question then becomes: is it the fault of Struts developers or Equifax's developers, system admins, and their management? "The people who ran the code with a known 'total compromise of system integrity' should get the blame," reports ZDNet.
Always blames his tools.
There is always a lil' open source resource to blame on...
How the product is licensed doesn't affect the quality of the software.
If the software is of significant complexity, then chances are flaws will be there, and often just like commercial licences software a flaw can be overlooked by many eyes, until the flaw is found.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
...a downlevel WebSphere server with an unpatched critical vulnerability. Now, granted, this is rumor. Can anyone confirm or disprove?
Finding God in a Dog
Keeps using a chisel with chipped blade and a loose handle.
Comment removed based on user account deletion
Use of Java Struts makes me think Equifax outsourced/offshored their IT a long time ago. Struts has always been a poorly conceived mess.
They have NO ONE to blame but themselves, it is OPEN SOURCE which means they can actually review the code and fix issue.
What you can't believe software that happens to be released with an Open Source license could have a security vulnerability.
Granted I expect the flaw is more then just a flaw in the software, but poor network design, excessive trust in the application and/or poor implementation.
But people who just scoff at the idea that Open Source is this just ultra secure system, will often implement it in a poor manor making it vulnerable. Because of a zealot faith in the holy license.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
>Model-View-Controller (MVC) framework for Java
There's your problem right there.
Security demands simplicity.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
When I had to change my password for a credit card website, I got prompted for my full Social Security number. When I called up customer service, the rep was disturbed that I had to enter my Social Security number into the website. A supervisor got looped into the call and informed us that, yes, you need to put your in full Social Security number on the website to reset your password. A password reset over the phone require confirmation of my street address and the last four numbers of my Social Security number. Go figure...
I think that if we've learned anything from this incident, it is that Equifax is a competent, professional organization that prides itself on its honesty and transparency, and that they are tirelessly acting in the best interests of the general public.
Obliteracy: Words with explosions
Doing business of any kind, online, is inherently insecure. There's a lot of risk for consumers, and a lot of expense for businesses to stay as secure as possible (which isn't very). Sucks for people who need a credit score.
I don't respond to AC's.
>> is it the fault of Struts developers or Equifax's developers, system admins, and their management?
None of the above. It's the officers on the corporate board, who demanded "cheaper" rather than "secure." The managers who carried out their demands (putting emphasis on cheap contractors vs. quality work and investment in patching dependencies) were just doing their jobs, the sysadmins really don't have much to do with it (if you know how Struts works) and the developers are pretty blameless because their either do what management told them or not eat.
you are not allowed to place any blame on it
Yup, I went to the site and it asked for name and last 6, and I was like "GTFO"... Are you kidding me? How can these imbeciles NOT know that this looks like a classic phishing site.
You hire a liberal arts music major as head of security to fill a gender diversity quota, and then you're surprised by this?
Who approved and set up that software? You didn't patch struts? They were forthcoming with that info.
Seems to me, Equifax is! as are all the credit collection businesses. Professional Extortion artists! They collect data on everyone. Then sell access to that information to the financial industry (Credit Checks). And if you want to protect yourself you are supposed to pay them to protect (Lock) your credit history.
They do not care about spending money to protect the information they have data mined.
Open source is better, if you use it right! And put the time in to do "YOUR" due diligence! They did not! They got hacked! It took them weeks to even realize it! And weeks before they came clean.
I'm just wanting to know if a lawsuit against these criminals is possible?
You have to assume your servers will get hacked. It doesn't matter what software you're running. Someone will find a way in. Any competent developer starts with that assumption and designs around it. That's why you never ever EVER store sensitive data unencrypted! They're looking for someone to blame for their incompetence.
"I'm too busy to research this and form an educated opinion, but I do have time to tell everyone my uninformed opinion."
I said
credit collection businesses
I should have said
credit reporting businesses
Well they're entitled to ask for a full refund of whatever they paid for it.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
This is only hear-say. It was never confirmed by Equifax or FireEye.
The point of open source isn't, "free software you don't have to pay anyone to develop!" but rather, it's software that you can audit and don't have to take anyone's word that it does what they claim. Honestly, when your data is both highly valuable and sensitive you should at the very least hire another company to review the source code.
Anons need not reply. Questions end with a question mark.
No complex software is without bugs, no complex software is completely secure. I'm a big open source fan but this is reality. Open or closed, there will be bugs and exploits. Subjectively, it seems open source may get fixed more quickly, but that doesn't change the bottom line, which is that the onus is on the company.
Equifax stores tons of sensitive information and it's up to them to protect it properly. No excuses, no finger pointing, no passing the blame. They are responsible, period.
Maybe it was global warming. Or Trump.
The dirt bag executives that sold shares and profited should be burned at the stake.
Last I checked, nobody was holding a gun to my head to make me use Open Source Software.
Blame the guy that passes the buck, it's probably his fault.
Why would you assume that they're using software written this decade? I think it's equally plausible that a good chunk of their components are from the mid 2000s and utterly riddled with security holes, but no PM will let the devs update anything because "if it works, leave it alone". Never mind that it doesn't actually work - that's someone else's problem, obviously.
It is apparent that Equifax couldn't give a flying fuck about security. I think it's ludicrous to debate whether the problem is with a bug revealed in March or September, when I think it's equally likely to be older than my kids.
Dewey, what part of this looks like authorities should be involved?
Maybe its time the C level exec's that sold their stock before the breach would be published get their lives ruined. Publish their SS numbers, phone numbers, drivers license numbers and home address. Let them know what it does feel like to have information in peoples hands you have no control over.
Until its personal for them, they will never care about yours.
(.)-(.)
Seriously, I am guessing that we will find out that it was done in India, not in America.
I prefer the "u" in honour as it seems to be missing these days.
Says Steve Ballmer.
The problem there being Java.
This is like me blaming a lock manufacturer for a theft that involved a bunch of Russian guys driving a truck up to my front door, picking the lock, and carrying off all my stuff over the course of 8 hours while I sat there getting drunk.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
basically these jerks hold everyone hostage to their bullshit data and arbitrary standards
if people had any smarts they'd make these types of agencies public
Struts or not, the sole blame is with the greedy morons running Equifax with apparently the same take on security as they had in the year of their inception. Why do they even collect and store that much information and hold on to it for that long? I know, it is to generate a credit history, but I am sure there are equally good ways to determine if I pay my bills or not.
Equifax Blames Open-Source Software For Its Record-Breaking Security Breach
7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND... - Apache License
A dirty secret among many businesses is that security is subordinate to speed of deployment, and even application performance. Sure, they could've extended the framework and added security layers within the tiers, but that is work, and work takes time. Also hard to justify when nobody else is doing it.
For example, why would the controller tier or the model tier allow any connection to request 143 million records? It conforms to no legitimate use case, and should be programmatically disallowed. But again, that is work.
Financial institutions KNOW this.
Correction: competent financial institutions know this. Incompetent ones clearly do not and, as recent events show, it is not always easy to tell the competent from the incompetent.
Badboyz want to know ... what reason a mench doesn't track down the EF CEO and break his face ? No harm no foul.
... not a product.
And the circle of life continues to spin, occasionally wobbling on its axis thanks to the weighty presence of dumb.
The problem with their claim is that
Open source == inspectable so you can see the consequences of your actions.
To claim that (OS==helpless user) as a defense for your (in)actions is pretty lame.
On the surface, the facts seems to be more like
Our business model requires holding information which if made public could hurt people.
It is expensive and hard to secure this data, so let's don't.
Suprise! the data got stolen.
No problem, let offer a revenue stream ^H^H^H^H^H 'service' to help.
Oops, we got caught doing that, need new plan.
Hmmm who can we blame for our in actions?
I know, the open source community.
Hopefully, the next step will be a Congressional inquiry figuring out that the world would be better off if these folks went bankrupt.
And for sure, an understanding that a bank opening an account with this silly ID information is indefensible.
Let's be honest. Open source software has just about the worst record for things like security, usability and support. There is a very good reason why so few desktops run Linux, or Apache Open Office, or GIMP or things like that. Desktops tend to be the #1 target for malware and when the rubber meets the road, Microsoft simply has a better track record in the security realm. I mean hell, Linus torvalds thinks security problems are "just another bug" like glitchy audio or compile failure. Is it any wonder that his OS is considered the worst of the worst when it comes to security?
We need more info to come to any conclusions. I've seen it claimed that Equifax wasn't using the latest version of Struts and some have thought that meant that they didn't patch to deal with the RCE from earlier this year. BUT, is it possible that what really happened is that Equifax was using Struts 1, not Struts 2? Struts 1 is EOL by the way. That wouldn't surprise me in the least.
Equifax punishes people for coincidences all the time.
Sysadmins + high speed connections = porn = keys to the system. That or Russians
They don't have the capability but they could have purchased it.
Did you know their CIO has a 2 million dollar SALARY?
I suppose he deserves it and there probably wasn't enough money at equaifax for them to protect your data. That's why they had to hire a CSO with 10 years of work experience and a masters in marching band. Budget cuts budget cuts!
Just not enough money to go around sadly.
The root issue here is not what cause the breach. That's a red herring. Its spin, to distract us from the fact that hackers (or state actors) have had our information for 2 full months that Equifax knew about and yet they disclosed NOTHING.
So I am much more interested in who to blame for not telling us we need to take immediate steps to secure our identities and credit. Pretty sure its all the C-level and board, but I wanna hear what they say before Congress and at least 5 state agencies now literally crawl up their asses with a telescope to find out.
I blame Java, not Struts......because its Java and its a pile of garbage.
Offtopic
Again the moderator is an idiot (no surprise there). Throwing blame around is the ubiquitous diversion from one's own crimes. And this was a crime, not an accident.
Equifax obviously has never heard of data diodes, which let data in, but not back out. Such a system could have let them accumulate data without risk of exposing all of it. They probably never heard of capability based security either, nor the principle of least privilege. They probably also use Operating Systems that rely on ambient authority to get everything done, such operating systems are wildly popular, but can't be made secure.
There's a lot of bad design decisions behind this... not just the use of Apache Struts.
Data was leaked, management enjoyed a great round of insider trading, they botched up the page for verifying if your information was leaked, and now the most obvious next step: scapegoating.
What can we expect next? Shut up settlements after a long protracted court battle meant to make people forget about it, slap on the wrist from government/justice, just for the next rounds of leak to prove that they have learned nothing.
Equifax hack is the end of privacy even for those who are careful about it. You can be as paranoid as you want to, once your personal sensitive data is being taken and stored by companies that are this careless about it, it's over.
Oooh, but an open source software had an exploit in it. That's what they have to say? Motherfuckers, ALL software potentially has exploits in them. It's why for sensitive data competent companies employ several layers of security so that even if parts of it fail, attackers still won't have access to it. You are not a fucking backyard business or some kid's lemonade stand. If you are going to claim this level of ignorance for leaking all that data out, the rational decision would be closing doors down, getting out of the fucking market, and leave it to grown ups to handle since you are clearly too incompetent to do so.
So they get a Commodore-64 and some big floppy drives and put our SSNs on that, because *reasons*.
Then when it's breached they point to the C64 and say, "well, look what we had to work with."
Doesn't work that way, but we're not their customers. So fuck us.
Regardless of the system you use, setting up a system like this directly on the Internet is what's to blame. Obviously it's a little more expensive to develop a proper web application and checks and balances on what it can do but no part that is not the "View" should be online.
Custom electronics and digital signage for your business: www.evcircuits.com
Adding insult to injury, the credit agency's advice and support site looks, at first glance, to be a bogus, phishing-type site: "equifaxsecurity2017.com."
We should wait for the "equifaxsecurity2018.com" release.
It must have been something you assimilated. . . .
The fine goes into a trust which then has a mandate to enhance security. Then if there are more breaches, the trust grows, and who wouldn't want a job that pays $1 million a year...the fine would also include a clause that directly affects the ceo and cto in that part of their compensation would be reduced and put into the trust. Security has many parts, and the more $ you throw at the problem the higher the probability of getting better security.
And bugs are always easier to find when you have the source code so security of open source software is dependent on having better/more whitehat than blackhat hackers.
I wonder what they used for their horribly broken website https://www.equifaxsecurity201..., which can't even seem to reliably tell you if you were affected by the incident. But I'm not surprised that a company with such shitty security to allow practically all adult Americans' identities to be exposed can't even get their check to find out if you have been exposed right. But, based on the numbers, and subtract everyone who does not have a credit history (age 17 and under), it's safe to assume that *every* U.S. citizen with a credit history has to watch their asses from here on, for the rest of their life. Is Equifax going to blame open source software for that piece of shit site/impact checker too? Equifax... what a fucking joke.
For a thousand bucks or so, Equifax could have had our company inspecting their tools daily, scanning for any accessible systems with security issues, including the issues in the Struts plugins.
We would have also provided them with detection systems that would have caught the attempt to load the massive amount of data via the vulnerability, and systems to detect the attempt to exfiltrate the data, again at a very reasonable cost. These include 24/7 monitoring by our SOC. So if they had been even competent enough to simply sign up with a decent security provider, they would have been protected three times over.
ALL software beyond "hello world" has bugs.* A competent CIO, or even a competent programmer or network engineer, knows that and plans accordingly. Any CIO or CSO whose security planning pretends that there server software is perfect is incompetent. A software bug didn't cause this - plenty of other organizations used the same software, but didn't get breached because they had scanning and alerting set up, so they mitigated the flaw immediately after it became known.
*. All software has flaws, and well known proprietary software such as Windows, MS Office, Flash, and Oracle Java are an order of magnitude worse than well known open source software such as Linux, Libre office, Apache httpd, etc. My database I manage at work has almost every known vulnerability cataloged and rated for several measurements of severity. There's no comparison - there simply is not pride of workmanship in code nobody is allowed to see. Open source programmers know they are being judged personally for the code they put on display and it makes a HUGE difference in code quality.
They just wanted to get in the guinness book of records...
In other news, Granny said "don't put all your eggs in one basket".
Why was their data not compartmentalised? Its not that hard to do, and ought to be compulsory for data on this scale.
Public floggings are totally inadequate for scum like this. These people are a clear and present danger to civilisation as we know it, even in the absence of data loss like this. Now is the time to make this obvious to everyone.
Sent from my ASR33 using ASCII
Really? How? What punishments does Equifax dole out?
Clearly their US business differs from the one in the UK.
The exploit is not the root cause, the exploit only became possible in a live environment because they failed to properly follow governance processes during development.
They make a huge profit. Turn some of that into a job that secures the information and suddenly your "Limited Resources" excuse doesn't fly. You have to show that they could not afford such a job, which is not possible, they'd just increase the price of their business charges if they could not afford a sufficient number of posts for it.
Their problems aren't just in the security of the code, their auditing is ineffective, as shown by the fact they can't tell how it happened yet.
how much time and money did equifax contribute to struts, if it is a mission critical framework for their corporate business?
You could argue that by giving somebody a [false] bad credit rating (by carelessly using a different John Smith's records, or simply because they haven't borrowed enough money in the past) they are punishing that person. It's something that happens regularly and costs those people money, yet credit agencies are rarely taken to task over their conduct.
Lots of excellent discussion here, but perhaps there is another aspect of this to consider...
Think about all the really big issues that have happened with financial institutions over the last 10-15 years, such as:-
1. Nick Leeson at Barings [lost his employer an estimated $1.4 Billion in 1995]
2. Jerome Kervial at Societe Generale [lost his employer $7 Billion in 2007]
3. Bruno Iksil at JPMorgan [lost his employer an estimate $7 Billion in 2012]
In fact, if you're interested, there is a complete ranking at Wikipedia:-
https://en.wikipedia.org/wiki/...
What this shows us is that all of the biggest losses [and at this point I will concede that the Wikipedia article lists only trading losses, but these are by far the largest, financially-impacting losses we observe] come not from data security issues, or software vulnerabilities, but from an absolute lack of fundamental operational controls on the financial side of the institutions that have experienced these losses.
Yes, it is true to say that "because: Cyber" seems to have created a bit more interest in boardrooms around the world, but the cold, hard fact remains that the vast majority of losses [whether numerically or by value] originate from operational control failures, not IT Security. This being the case, when an institution comes to look at safeguards, IT and Cyber Security controls are almost always going to play "second fiddle" to the operational risks the institution carries.
Having worked for both blue chip companies and financial institutions for the last ~ 30 years, my own personal experience is that IT Controls are generally seen as a poor relation to Operational Controls - and attract budgets and resources accordingly. As an IT professional with many years working in IT Security, IT Risk Management and Cyber Security, I would like to see cyber risk treated more seriously by large corporations. Unfortunately, in the absence of actual, head-line grabbing real-world examples of multi-billion-dollar losses from cyber events, the institutions carrying these risks will consider them to be "black swan" events - undeniably high risk, but so rare as to be irrelevant... until they are themselves hit.
The only way to ensure that the information of private citizens is adequately protected by the corporations that hold and process it is to follow up incidents such as this with hard-hitting fines, along with jail time for relevant executives [CEO, CIO, CTO]. Unless we see that happen [and just consider for a moment the likely lobbying effort against this] then there will be no safety and no recourse for individually impacted citizens.
Some may be thinking that perhaps legislation like the Sarbanes-Oxley Act [and clause 404 of that bill] might be sufficient to address the gap. The sad fact is that, in the 15 years since it was introduced, SOX has become a "paper exercise". There is no evidence to suggest that anything equivalent but addressing data breaches would be any more useful 15 years from now.
Unless something fundamentally changes, the balance of probability will condemn this particular topic to irrelevance.
Can you start caring for and treating APK as well or at least track down the appropriate county office to handle him?
Defense in depth is an applicable concept here. A single point is going to have weaknesses. While a Struts vulnerability may have been involved, there is a whole iceberg of failures below that on the Equifax side for the breach to reach this scale. It is hard to say what level of failure though without any details. "May have been impacted" is not the same as 100 million people victimized by identity theft.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
Red the Equifax annual report on their website - it's all about revenue growth (18%), new markets and reducing expenses... Looking at the people, the CIO has a Bachelors degree in Russian and Masters degree in Business Administration. The other "techie", President of Information Solutions, is a Harvard lawyer.
http://www.equifax.com/about-e...
Now it has come out that top management unloaded stock post breach, but before public announcement.
We have a corporation dealing with personal information with zero security core competency at the top, and devoid of moral principal AND willingness to commit crimes for personal gain.
THIS is the exact type of corporation and players that needs to be crushed and go away, like Arthur Anderson, or Daryl McBride.
If you adopt open-source software as an underlying framework for your system which stores highly sensitive information, then you take all the time you need to audit the code to ensure that your highly-sensitive information is secure before you go live.
It's *the firm's* responsibility to ensure their infrastructure is secure, not anyone else, and if they decide to use infrastructure X on a production server, the outcomes are on *their* ass.
They claimed that "certain files" were hacked.
I think that means they kept everything in a website spreadsheet.
They chose to use it! So naturally, it's someone else's fault. I am so sick of this shit! They are all parasites. And the US government never did anything about it because they too, want all of your data so they can bypass the intention of the US constitution. I'll add that this breach should discredit everything the credit bureau's have collected. It proves they have no control over their data and that most of it can be manipulated and controlled on behalf of big corporations. Congress, what the hell are you doing? If anything.
Exactly. We can never know the truth so thinking about it is a waste of time. Better to just watch the new south park and buy the new iphone.
> Companies don't want to pony up the costs and resources to fix this crap. Good intentions are failing to keep companies secure
Fire safety was a similar issue a hundred years ago. The insurance companies created Underwriters Laboratories (UL Listed) and the National Fire Protection Association, which writes the fire code. Companies buy insurance against fire, and their insurance company, in order to reduce their own cost of claims, insists that the companies meet fire codes and otherwise operate safely to minimize the risk of fire. That has worked well.
The costs are a very real and legitimate issue. A magazine publisher should NOT spend $50 million to protect from the names of their subscribers being leaked. The cost would be too high relative to the risk. Spending too much on security is a mistake just as spending too little is. Spending on security increases costs, it makes products and services cost more for the consumer. It's all about calculating the *right* amount of spending to mitigate the risk by the right amount.
As it happens, insurance companies are experts at calculating risks and costs. I expect over time they'll get involved in cyber security in a similar way as they are involved in greatly reducing fire risk.
enter smith and 123456 as the ssn and it tells you it may have been compromised..
It is clearly not cross checking name vs ssn.
Probably just harvesting both.
No, I can't believe a company as scummy as Equifax.
> the cost was new hardware due to a program that was written ... Essentially it was a Ruby Gem that was outdated and the whole program would need to be recoded to fix the vulnerability.
And this was why we write software as modules, even microservices, rather than a huge monolithic pile of code. With proper abstraction and encapsulation, a bad problem means that specific 12-line function, or at worst the entire 350-line module, needs to be redone.
As far as I am concerned they should be held liable for false records shown when a creditor pulls your records. Thats slander/libel.
> You're comparing products they sell and underwrite vs their own personal best practices
No, I'm comparing internal operating standards with internal operating standards. At my office, we had a fire inspector come through once every two years and look for extension cords being used improperly and that sort of thing. Passing the fire safety inspection lowered the insurance costs that the company paid. Management took care that we did well on the inspection, so that they would get the lower insurance rate.
We ALSO had a cyber security inspection / audit. The results of that inspection did not, however, affect our insurance costs. Therefore the security inspection was less important.
You are of course correct that fire insurance existed long before UL and NFPA, though not so long in the US. The point is that when they did take proactive measures such as UL and NFPA, it worked well - and they know that. They know that if they are going to insure a major office building, they are going to insist on fire safety. Knowing that, having that experience, they can use the results of cyber security inspections in setting rates.
Whether the inspection is outsourced or done by W-2 employees of the insurance company isn't the point. The point is they are starting to expect a passing security audit. Companies are beginning to pay attention to security in order to reduce costs, and hopefully we'll see that trend expand.
I wonder how much Equifax gave Apache but freely uses their software. Gonna cost them now! haha!
Piece of shit website doesn't work for me. Probably stole my SSN too.
Yeah, sure, like open source code comes with any guarantees ... :)
'cmon Equifax: you were caught with the pants pulled down and now is the fault of buttons on your trousers
[OK, I'm late to this, but haven't seen this point made]
Even if it was a vulnerability in the front-end (in a DMZ, I hope), a totally compromised front-end shouldn't have allowed anybody to exfiltrate that much data. The backend should be locked down with methods that allow the front-end to access only one per call, and access patterns monitored to disallow harvesting. The actual data should be at least another step away, and encrypted in case anybody steals a the whole as a blob. There's bad architecture here, regardless of any owning of a public-facing website. This might have been a long-drawn out slow exfiltration, but it doesn't sound like it. The whole infrastructure may have been owned, but again, that can't be blamed solely (or even mostly) on any vulnerability in the top layer.