House panel verdict: Equifax data breach was "entirely preventable"

A 14-month long Equifax data breach investigation came to an end; report published

A report published on Monday by House panel concluded: Equifax data breach could have been prevented with basic security measures

On Monday, a House of Representatives Committee on Oversight and Government Reform published a 96-page report^[1] which concluded the infamous Equifax data breach. According to the publication, the company could have prevented the incident, would it have used basic security measures like patching their systems on time.

It has been more than a year since the biggest consumer reporting agency announced that hackers breached their systems, and the data of 143 million (which later grew to 148 million)^[2] consumers from United States, United Kingdom, and Canada was stolen.

The culprit of the incident was Apache Struts vulnerability (CVE-2017-5638)^[3] that was discovered back in March 2017. Unfortunately, Equifax failed to apply the patch to their networks, resulting in attackers stealing the personally identifiable information on millions of customers. The credit giant was simply not prepared for the incident of such a large scale.

As a result, several employees left their positions at Equifax. Although the company took several measures to improve the IT infrastructure, the change came too late. The report states:

Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented.

Equifax used a custom-built consumer dispute portal that was over five decades old

The attack on Equifax began on May 13, 2017, when cybercriminals dropped web shells on company's networks, and it allowed them to gain remote control over it. Attackers managed to locate a file with unencrypted credentials, which allowed them to access sensitive information outside of the Automated Consumer Interview System (ACIS) environment. This resulted in a further 48 unrelated database compromise.

Criminals managed to send 9,000 queries and harvest the valuable data, all while Equifax was not aware of the activity. The reason why the company failed to identify the issue was that of the SSL certificate that expiration for the device that monitors ACIS traffic.

Only on July 29, 2017, Equifax updated the expired certificate and found out about the discrepancies. The next day, the industry giant launched the investigation that revealed several ACIS vulnerabilities. Also, forensic investigators from security firm Mandiant were hired. Experts concluded that a massive amount of PPI was accessed.

To recuperate, Equifax hired 1,500 extra staff to be able to cope with customers' calls. Additionally, the firm launched “are you at risk?” website where users could check if they were affected by the breach. Unfortunately, the call centers were quickly overwhelmed, and the website was often crashing, resulting in false results.^[4] The site was later pulled down due to more security flaws discovered by experts.

Shame on you, Equifax!

A House Oversight Committee did not spare the credit agency and criticized its cybersecurity practices. The report mentioned two major loopholes:^[1]

Equifax should have addressed at least two points of failure to mitigate, or even prevent, this data breach. First, a lack of accountability and no clear lines of authority in Equifax’s IT management structure existed, leading to an execution gap between IT policy development and operation. <…>

Second, Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment. Equifax ran a number of its most critical IT applications on custombuilt legacy systems. Both the complexity and antiquated nature of Equifax’s IT systems made IT security especially challenging. <…>

In response, Equifax representative Wyatt Jefferies claimed^[5] that the company is “deeply disappointed” that the Committee did not provide enough time to review the 100-pages report before publishing it. Additionally, the spokesperson told that they found several “significant inaccuracies” and disagree with the publication. Despite that, Jefferies also added:

While we believe that factual errors serve to undermine the content of the report, we are generally supportive of many of the recommendations the Committee laid out for the government and private industry to better protect consumers, and have already made significant strides in many of these areas