“The US House of Representatives Committee on Oversight and Government Reform has just released a comprehensive report on the 2017 Equifax hack. It’s a great piece of writing, with a detailed timeline, root cause analysis, and lessons learned.”
Also watch video: Equifax data breach was “entirely preventable,” congressional report says
A scathing new report finds one of the largest data breaches in U.S. history was “entirely preventable.” A 14-month congressional investigation slammed credit rating agency Equifax for lacking preventative measures in a data breach that exposed the personal information of 148 million Americans last year. Anna Werner reports. CBS This Morning , Published on Dec 11, 2018
Oversight and Government Reform
December 2018
The Equifax Data Breach, Majority Staff Report 115th Congress December 2018
Executive Summary
On September 7, 2017, Equifax announced a cybersecurity incident affecting 143 million consumers. This number eventually grew to 148 million—nearly half the U.S. population and 56 percent of American adults. This staff report explains the circumstances of the cyberattack against Equifax, one of the largest consumer reporting agencies (CRA) in the world.
Equifax is one of several large CRAs in the United States. CRAs gather consumer data, analyze it to create credit scores and detailed reports, and then sell the reports to third parties.
Consumers do not voluntarily provide information to CRAs, nor do they have the ability to opt out of this information collection process. Though CRAs provide a service in facilitating information sharing for financial transactions, they do so by amassing large amounts of sensitive personal data—a high-value target for cyber criminals.1 Consequently, CRAs have a heightened responsibility to protect consumer data by providing best-in-class data security.
In 2005, former Equifax Chief Executive Officer (CEO) Richard Smith embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, information technology (IT) systems, and data. While the acquisition strategy was successful for Equifax’s bottom line and stock price, this growth brought increasing complexity to Equifax’s IT systems, and expanded data security risks. In August 2017, three weeks before Equifax publicly announced the breach, Smith boasted Equifax was managing “almost 1,200 times” the amount of
data held in the Library of Congress every day.
Equifax, however, failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable.
On March 7, 2017, a critical vulnerability in the Apache Struts software was publicly disclosed. Equifax used Apache Struts to run certain applications on legacy operating systems. The following day, the Department of Homeland Security alerted Equifax to this critical vulnerability. Equifax’s Global Threat and Vulnerability Management (GTVM) team emailed this alert to over 400 people on March 9, instructing anyone who had Apache Struts running on their system to apply the necessary patch within 48 hours. The Equifax GTVM team also held a March 16 meeting about this vulnerability.
Equifax, however, did not fully patch its systems. Equifax’s Automated Consumer Interview System (ACIS), a custom-built internet-facing consumer dispute portal developed in the 1970s, was running a version of Apache Struts containing the vulnerability. Equifax did not patch the Apache Struts software located within ACIS, leaving its systems and data exposed.
On May 13, 2017, attackers began a cyberattack on Equifax. The attack lasted for 76 days. The attackers dropped “web shells” (a web-based backdoor) to obtain remote control over Equifax’s network. They found a file containing unencrypted credentials (usernames and passwords), enabling the attackers to access sensitive data outside of the ACIS environment. The attackers were able to use these credentials to access 48 unrelated databases.
Attackers sent 9,000 queries on these 48 databases, successfully locating unencrypted personally identifiable information (PII) data 265 times. The attackers transferred this data out of the Equifax environment, unbeknownst to Equifax. Equifax did not see the data exfiltration because the device used to monitor ACIS network traffic had been inactive for 19 months due to an expired security certificate. On July 29, 2017, Equifax updated the expired certificate and immediately noticed suspicious web traffic.
After updating the security certificate, Equifax employees identified suspicious traffic from an IP address originating in China. The suspicious traffic exiting the ACIS application potentially contained image files related to consumer credit investigations. Equifax discovered it was under active attack and immediately launched an incident response effort.
On July 30, Equifax identified several ACIS code vulnerabilities. Equifax noticed additional suspicious traffic from a second IP address owned by a German ISP, but leased to a Chinese provider. These red flags caused Equifax to shut down the ACIS web portal for emergency maintenance. The cyberattack concluded when ACIS was taken offline.
On July 31, Chief Information Officer (CIO) David Webb informed Richard Smith of the cyber incident. Equifax suspected the attackers exploited the Apache Struts vulnerability during the data breach. On August 2, Equifax engaged the cybersecurity firm Mandiant to conduct an extensive forensic investigation. Equifax also contacted outside counsel and the Federal Bureau of Investigation to alert them to the cyber incident.
By late August 2017, Mandiant confirmed attackers accessed a significant volume of consumer PII. Equifax launched an effort to prepare for public notice of the breach. As part of this effort, Equifax created a website for individuals to find out whether they were affected by the data breach and, if so, to register for credit monitoring and identity theft services. Equifax also began efforts to stand up a call center capability staffed by 1,500 temporary employees. On September 4, Equifax and Mandiant completed a list of 143 million consumers affected by the data breach, a number that would later grow to 148 million.
When Equifax informed the public of the breach on September 7, the company was unprepared to support the large number of affected consumers. The dedicated breach website and call centers were immediately overwhelmed, and consumers were not able to obtain timely information about whether they were affected and how they could obtain identity protection services.
Equifax should have addressed at least two points of failure to mitigate, or even prevent, this data breach. First, a lack of accountability and no clear lines of authority in Equifax’s IT management structure existed, leading to an execution gap between IT policy development and operation. This also restricted the company’s implementation of other security initiatives in a comprehensive and timely manner. As an example, Equifax had allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains.
Second, Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment. Equifax ran a number of its most critical IT applications on custombuilt legacy systems. Both the complexity and antiquated nature of Equifax’s IT systems made IT security especially challenging. Equifax recognized the inherent security risks of operating legacy IT systems because Equifax had begun a legacy infrastructure modernization effort. This effort, however, came too late to prevent the breach.
Equifax held several officials accountable for the data breach. The CIO and Chief Security Officer (CSO) both took early retirements on September 15, eight days after the public announcement. Equifax’s CEO Richard Smith left the company on September 26. On October 2 Equifax terminated Graeme Payne, Senior Vice President and Chief Information Officer for Global Corporate Platforms, for failing to forward an email regarding the Apache Struts vulnerability. Payne, a highly-rated employee for seven years and a senior manager of nearly 400 people, managed a number of IT systems within Equifax, including ACIS. On October 3, Richard Smith testified before Congress blaming human error and a failure to communicate the need to apply a patch as underlying reasons for the breach. Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented.