4 min read
In August 2017, three weeks before Equifax publicly announced the breach, Richard Smith, the former CEO of Equifax, boasted that the company was managing “almost 1,200 times” the amount of data held in the Library of Congress every day. However, Equifax failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history.
The loopholes that led to a massive data breach
Equifax had serious gaps between IT policy development and execution
According to the Committee, Equifax failed to implement clear lines of authority within their internal IT management structure. This led to an execution gap between IT policy development and operation. Thus, the gap restricted the company’s ability to implement security initiatives in a comprehensive and timely manner.
On March 7, 2017, a critical vulnerability in the Apache Struts software was publicly disclosed. Equifax used Apache Struts to run certain applications on legacy operating systems. The following day, the Department of Homeland Security alerted Equifax to this critical vulnerability. Equifax’s Global Threat and Vulnerability Management (GTVM) team emailed this alert to over 400 people on March 9, instructing anyone who had Apache Struts running on their system to apply the necessary patch within 48 hours.
The Equifax GTVM team also held a meeting on March 16 about this vulnerability. Equifax, however, did not fully patch its systems. Equifax’s Automated Consumer Interview System (ACIS), a custom-built internet-facing consumer dispute portal developed in the 1970s, was running a version of Apache Struts containing the vulnerability. Equifax did not patch the Apache Struts software located within ACIS, leaving its systems and data exposed.
Equifax had complex and outdated IT systems
Equifax’s aggressive growth strategy led to the acquisition of multiple companies, information technology (IT) systems, and data. The acquisition strategy may have been successful for the company’s bottom line and stock price, but this growth also brought increasing complexity to Equifax’s IT systems and expanded data security risk. Both the complexity and antiquated nature of Equifax’s custom-built legacy systems made IT security especially challenging.
The company failed to implement responsible security measurements
Per the committee, Equifax knew of the potential security risks posed by expired SSL certificates. An internal vulnerability assessment tracker entry dated January 20, 2017, stated “SSLV devices are missing certificates, limiting visibility to web-based attacks on [intrusion prevention system]”. Despite this, the company had allowed over 300 security certificates to expire, including 79 certificates for monitoring business-critical domains.
Had Equifax implemented a certificate management process with defined roles and responsibilities, the SSL certificate on the device monitoring the ACIS platform would have been active when the intrusion began on May 13, 2017. The company would have been able to see the suspicious traffic to and from the ACIS platform much earlier – potentially mitigating or preventing the data breach.
On August 30, 2018, GAO (U.S. Government Accountability Office) published a report detailing Equifax’s information security remediation activities to date. According to GAO, “ a misconfigured monitoring device allowed encrypted web traffic to go uninspected through the Equifax network. To prevent this from happening again, GAO reported Equifax developed new policies and implemented new tools to ensure network traffic is monitored continuously.”
In its 2018 Annual Proxy Statement to investors, Equifax reported on how its Board of Directors was enhancing Board oversight in an effort to strengthen Equifax’s cybersecurity posture. Equifax’s new CEO, Mark Begor told news outlets, “We didn’t have the right defenses in place, but we are investing in the business to protect this from ever happening again.”
To know more about this news in detail, read the complete Equifax Data Breach report.