After a 14-month government investigation into the Equifax breach Congress report concludes the breach was preventable.
In December, the US House Committee on Oversight and Government Reform completed its 14-month investigation into the Equifax breach. In their final report released earlier this month, they held Equifax accountable for the massive breach that impacted close to 150 million people (close to half of US households). Equifax’s accountability was due to multiple security failures in their own security program, with highlights noting the breach could have been prevented if they had taken better – even just standard — precautions. The committee concluded the breach incident occurred because Equifax “failed to implement an adequate security program to protect this sensitive data.”
The committee wrote in the report:
“Equifax should have addressed at least two points of failure to mitigate, or even prevent, this data breach.
1) First, a lack of accountability and no clear lines of authority in Equifax’s IT management structure existed, leading to an execution gap between IT policy development and operation. This also restricted the company’s implementation of other security initiatives in a comprehensive and timely manner. As an example, Equifax had allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains.
2) Second, Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment,” the report continued. “Equifax ran a number of its most critical IT applications on custom-built legacy systems. Both the complexity and antiquated nature of Equifax’s IT systems made IT security especially challenging.”
The Equifax breach report broke down the timeline in great detail, starting with the initial disclosure on March 7, 2017 of the Apache Struts vulnerability used in the attack. Equifax received the alert from the Department of Homeland Security about the vulnerability, (US CERT), on March 8 and notified responsible personnel to patch systems on March 9. The company performed a scan for any systems with the vulnerability on March 15 and didn’t detect any, despite the fact that the attackers made their first successful breach of Equifax’s vulnerable systems on March 10.
Key Findings from the Congressional Report:
1. Entirely preventable. Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues, the data breach could have been prevented.
2. Lack of accountability and management structure. Equifax failed to implement clear lines of authority within their internal IT management structure, leading to an execution gap between IT policy development and operation. Ultimately, the gap restricted the company’s ability to implement security initiatives in a comprehensive and timely manner.
3. Complex and outdated IT systems. Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment. Both the complexity and antiquated nature of Equifax’s custom-built legacy systems made IT security especially challenging.
4. Failure to implement responsible security measurements. Equifax allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains. Failure to renew an expired digital certificate for 19 months left Equifax without visibility on the exfiltration of data during the time of the cyberattack.
5. Unprepared to support affected consumers. After Equifax informed the public of the data breach, they were unprepared to identify, alert and support affected consumers. The breach website and call centers were immediately overwhelmed, resulting in affected consumers being unable to access information necessary to protect their identity.
Unpatched Vulnerabilities, Expired Certificates
Many who have followed the Equifax story since the breach have criticized them harshly for not implementing the patch for the Apache Struts vulnerability that was available and which they were aware of before the breach. This is certainly a failure, but one that many companies are also guilty of for a variety of reasons (see our blog “Patching the Iron Tail Is Easier Said than Done”). Many companies who haven’t applied the patch are fortunate enough to have not been breached so far, a stroke of luck that can change any time. But the committee found other even more concerning failures, the most concerning being allowing over 300 security certificates to expire. These failures not only allowed the breach, but also prevented Equifax from even discovering the breach for many months.
Satya Gupta, CTO and co-founder at Virsec Systems in San Jose, California, talks about companies and patching, saying it’s easy to “throw Equifax under the bus, and they certainly could have prevented much of the damage from the breach. But it’s dangerous to get on a soap box about patching when most organizations take months to deploy patches across the board. Security by patching is a losing strategy. Organizations need to find ways to protect critical applications, regardless of their patch status. Clearly, Equifax did not run a tight security ship, and vast amounts of data were spread across many out-of-date platforms.”
Gupta continued, “More than a technology problem, this was a massive organizational mess, leading to a disastrous public response. Slow patching was just one of many structural problems that made Equifax a fat target. There are no valid excuses for expired security certificates. For any system that is being actively managed, expired certificates are immediately apparent. If Equifax let hundreds of certs expire, there were clearly huge areas of security and IT oversight that were completely lacking. Well-run IT organizations have tight controls over all business-critical servers and closely monitor where sensitive data is going and being stored. Security certificates must always be up-to-date, and out-of-date systems should be retired whenever possible. While patching can be a legitimate challenge, having clear network visibility should be a prerequisite, not an afterthought.”
Problems Continued in the Breach Aftermath
After the breach was discovered, Equifax put plans in place to deal with the aftermath, which the report outlined as well.
1. Project Sierra to handle the incident response
2. Project Sparta for notifying the public of the breach
After the public was notified, Equifax took a lot of heat for problems that arose from their response to customers.
The committee wrote: “The purpose of Project Sparta was to create a consumer-facing website for individuals to find out whether they were affected by the breach and, if so, to register for credit monitoring and identity theft services. Almost immediately, problems existed with Equifax’s public response. The website and call centers were overwhelmed with requests for information and left consumers without answers as to whether they were affected by the breach.”
Gupta noted ways in which Project Sierra was also troubled.
“Equifax did plenty wrong before the breach to make themselves vulnerable, but well-run IT organizations assume they will be attacked and have clearly defined response plans. Everything about Project Sierra was a disaster, including alleged leaks about its status leading to insider trading charges,” Gupta said. “There is no excuse for the months it took from discovering the breach to the public acknowledgment. While most states have breach notification laws, there needs to be tighter standards on the length of time a company can research a breach before coming clean.”
The US House Committee on Oversight and Government Reform report closed with 7 recommendations for avoiding such devastating breaches in the future. A brief summary of the key focus of each is listed below.
1. Recommendation Empower Consumers through Transparency
Consumers should be able to track what consumer reporting agencies (CRAs) keep on them and how often that information is shared. Credit report locks and freezes should be given to consumers at no charge without consumers needing to sign up for the service or commit to any action to receive it.
2. Recommendation Review Sufficiency of FTC Oversight and Enforcement Authorities
The FTC may need more authority and enforcement tools to monitor CRA data security, before and after a breach occurs, along with incentives to keep the data safe.
3. Recommendation Review Effectiveness of Identity Monitoring and Protection Services Offered to Breach Victims
The Government Accountability Office (GAO), among other things, should oversee how long credit monitoring and other protection services are needed after a breach to mitigate identity theft risks.
4. Recommendation Increase Transparency of Cyber Risk in Private Sector
Federal agencies and the private sector should work together to increase transparency of a company’s cybersecurity risks and steps taken to mitigate such risks.
5. Recommendation Hold Federal Contractors Accountable for Cybersecurity with Clear Requirements
The Office of Management and Budget (OMB) should continue efforts to develop a clear set of requirements for federal contractors to address increasing cybersecurity risks, particularly as it relates to handling of PII. There should be a government-wide framework of cybersecurity and data security risk-based requirements.
6. Recommendation Reduce Use of Social Security Numbers as Personal Identifiers
Given nearly half the country’s population’s social security numbers have already gotten into the wild with the Equifax breach, there’s no point in releasing more. Social security numbers have been overused as personal identifiers for years and that use should be reduced.
7. Recommendation Implement Modernized IT Solutions
It’s time to companies to transition away from legacy IT and implement modern IT security solutions. Equifax failed to modernize its IT environments in a timely manner.
Hopefully these recommendations will become reality. Congress has already previously ordained that credit freezes were to be free – see our article Credit Freezes Will Soon Be Free to Consumers – Thanks to Equifax Breach. But fifteen months later, the country still talks about this massive breach and likely it will remain near the top of the list of most significant breaches of all time.