Just when Equifax thought its 2017 breach was finally out of the news, the U.S. Senate completed their investigation into the event, revealing that the consumer reporting agency failed on a number of cybersecurity fronts.
In December, the House Committee on Oversight released a report that found the Equifax breach was “entirely preventable.” And earlier this month, the United States Senate published a comprehensive report detailing the Senate Homeland Security Investigations Subcommittee’s investigation into the massive Equifax breach that affected 145 million people.
In part one of this two-part series, we will detail the recent report’s results and in the upcoming part two, we’ll discuss the Senate’s recommendations in light of the breach, but let’s just say that the Senate’s most recent findings do not reflect well on Equifax.
Equifax Failed to Prioritize Cybersecurity
The Senate report revealed Equifax opted for “efficient business operations rather than security protocols,” ultimately allowing access to personally identifiable information (PII) details, including names, dates of birth, phone numbers and social security numbers, of millions of American consumers. The report noted that Equifax didn’t develop a corporate policy surrounding patch management until 2015, and after implementing this policy, an audit of its patch management efforts identified 8,500 known vulnerabilities that had not been patched. Compounding the issue, that number included more than 1,000 vulnerabilities deemed critical, high or medium risks that the auditors found on systems that could be accessed by individuals from outside of Equifax’s IT networks.
Perhaps worst of all, the company never conducted another audit after the 2015 audit and allowed several of the issues identified in the 2015 audit report to go unaddressed in the days, weeks and months leading up to the 2017 breach. Clearly, Equifax knew about their cybersecurity weaknesses for years before the breach occurred.
Equifax Could Not Follow Its Own Policies in Patching the Vulnerability That Ultimately Caused the Breach
Even more damning, the company’s patching policy required its IT department to patch critical vulnerabilities within 48 hours, but Equifax’s security staff ignored a critical vulnerability in certain versions of Apache Struts that it learned about on March 8, 2017. Even though the National Institute of Standards and Technology (NIST) gave the vulnerability the highest criticality score possible and it was widely known that the vulnerability was easy to exploit, the report found that the “CIO overseeing the IT department in 2017 referred to patching as a ‘lower level responsibility that was six levels down’ from him.”
The Senate report also found Equifax did not abide by the schedule mandated by its own patching policy for addressing vulnerabilities and that Equifax had a reactive approach to installing patches, using what auditors referred to as an “honor system” that failed to ensure that patches were installed. Simply put, the “honor system” is no way to handle patch management.
Equifax Failed to Locate and Patch Apache Struts
Unfortunately, as the report notes, the Equifax developer "who was aware of Equifax’s use of Apache Struts software” was not included in the company’s email chain discussing the vulnerability — but their manager was. The manager, however, “failed to forward it to the developer or anyone on the developer’s team.” Consequently, the alert wasn’t received by the key developer, and because “Equifax developers were individually responsible for subscribing to push notifications from software vendors about security vulnerabilities,” the vulnerability remained unpatched.
The Senate report found that even after the vulnerability was disclosed and Equifax “added new rules to the company’s intrusion prevention system,” none of the company’s subsequent scans identified the vulnerable version of Apache Struts running on the network. Visibility was a huge issue here as Equifax “lacked a comprehensive inventory of its IT assets” and was unaware that the vulnerable version of Apache Struts remained on its system.
Equifax Left Itself Open to Attack Due to Poor Cybersecurity Practices
As has been clearly illustrated to this point, Equifax “was unable to detect attackers entering its networks because it failed to take the steps necessary to see incoming malicious traffic online.” The report revealed that Equifax installed dozens of new secure sockets layer (SSL) certificates in July 2017, including a new certificate for the expired SSL certificate for its online dispute portal. After updating the certificate, employees observed suspicious traffic from its online dispute portal that they were able to trace to China, a country where Equifax does not operate.
It was later determined that Equifax’s system was first accessed through the online dispute portal on May 13, 2017, which means the hackers had more than 75 days to maneuver without detection. The Subcommittee confirmed with Equifax that the Apache Struts vulnerability facilitated the data breach and Equifax’s poor cybersecurity practices only exacerbated the issue.
The Damage Done by the Hackers Could Have Been Minimized
Because the hackers had access to Equifax’s systems for more than two months, the report found that they also accessed other databases in their search for other systems containing PII, eventually discovering a data repository containing unencrypted usernames and passwords that allowed the hackers to access additional databases.
The report noted that, "The usernames and passwords the hackers found were saved on a file share by Equifax employees,” and that the company opted to structure its networks in a fashion that supported business operations instead of security best practices. Clearly, this move made the hackers’ job easier, and damage could have been minimized had Equifax simply had basic tools in place to detect and identify changes to files.
Equifax Waited Six Weeks Before Notifying the Public It Was Breached
Because customers want to trust what companies do with their data, especially their PII, waiting to notify the public of a breach is a risky proposal. But that is precisely what Equifax elected to do. After discovering suspicious activity later determined to be a data breach on July 29, 2017, Equifax didn’t publicly announce the data breach until September 7, six weeks after learning of it and nearly four months after the hackers first gained access to Equifax’s networks.
As a result, months went by that customers were unaware that criminals had obtained their most sensitive personal and financial information and that they should take steps to protect themselves from fraud. While the report discussed the notion that there is no uniform standard for companies reporting data breaches, it did highlight the “patchwork of uncertainty for companies and consumers responding to data breaches.”
Equifax Executives Believe They Did All They Could to Prevent the Breach
The report revealed that the Senate Subcommittee interviewed current and former Equifax employees from the security and IT departments, and while their responses varied, “most said they believe that the security team’s actions were an appropriate response to the Apache Struts vulnerability.”
Quotes from various former Equifax employees and executives revealed that some believed the response to the vulnerability was “not only defensible, but justifiable,” and others couldn’t understand why the vulnerability “was not caught” nor were they sure Equifax could have done anything differently. Others revealed, “security wasn’t first” at Equifax, but that the data breach “made everyone focus on it more.”
TransUnion and Experian Avoided a Breach
Importantly, the report revealed that Equifax’s two main competitors in the consumer reporting space — TransUnion and Experian — avoided being breached despite containing similarly sensitive information in their systems. According to the report, “TransUnion and Experian received the same information as the public and Equifax regarding the Apache Struts vulnerability, but the approach that each company took to cybersecurity was different from Equifax’s.” While TransUnion “began patching vulnerable versions of the software within days” and Experian “retained a software security firm in March 2017 to conduct targeted vulnerability scans of Apache Struts vulnerabilities,” Equifax obviously failed to address known risks.
Equifax Failed to Preserve Key Internal Chat Records
Adding to Equifax’s long list of failures, the company “was unable to produce potentially responsive documents related to the data breach because the company failed to take steps to preserve records created on an internal chat platform.” Even though company policy requires the preservation of certain documents for various periods of time, the report showed that “Equifax employees conducted substantive discussions of the discovery and mitigation of the data breach using Microsoft Lync, an instant messaging product.”
As such, the records of these communications were deemed “disposable” under the company policy, and concerningly, “the Subcommittee does not have a complete record of documents concerning the breach.”
While the Senate report’s findings did not reflect well on Equifax, the report also offered a number of recommendations for preventing and avoiding similar data breaches in the future. We will delve into that advice in the second part of this series.
While too late for Equifax, Automox’s automated patch management solution makes cybersecurity much easier as it ensures systems, including laptops, desktops, virtual machines, docker containers and servers, remain patched and up to date in real time.
Automox is a cloud-based patch management and endpoint protection platform that provides the foundation for a strong security framework by automating the fundamentals of security hygiene to reduce a company’s attack surface by over 80 percent. A powerful set of user-defined controls enables IT managers to filter and report on the vulnerability status of their infrastructure and intuitively manage cross-platform OS patching, third party patching, software deployment, and configuration management. To sign up for a free, 15-day trial of Automox’s cloud-based, automated patch management solution, visit www.automox.com/signup.