Congressional Report Rips Equifax for Weak SecuritySenate Panel Says Company Lacked Strong Security Culture Before Massive Data Breach
The lack of a strong security culture at Equifax - especially compared to its two main competitors - was a key factor contributing to its 2017 data breach that exposed the personal records of 145 million Americans, according to a 71-page Congressional report.
See Also: The Global State of Online Digital Trust
The newly released report from the The U.S. Senate Permanent Subcommittee on Investigations concluded, much like an earlier the Government Accountability Office report, that Equifax failed to follow its own cybersecurity policies, including those spelling out how and when to patch critical software vulnerabilities. Company executives did not prioritize security, and many key decisions were left to lower-level IT employees, the new report concludes.
"Based on this investigation, the subcommittee concludes that Equifax's response to the March 2017 cybersecurity vulnerability that facilitated the breach was inadequate and hampered by Equifax's neglect of cybersecurity," the report states. "Equifax's shortcomings are longstanding and reflect a broader culture of complacency toward cybersecurity preparedness."
The report also notes that due to missing documents and internal chat logs, a full understanding of what happened could not be achieved.
"Equifax failed to prioritize cybersecurity."
—Senate subcommittee report
Committee members and investigators reviewed more than 45,000 pages of documents, including records from Equifax and its two main competitors - Experian and TransUnion - and conducted numerous interviews with company executives as well as outside experts, the report notes.
An Equifax spokesperson notes in a statement provided to Information Security Media Group that the company cooperated with the Senate probe and was attempting to be more transparent.
"While we do not agree with a number of findings and characterizations in the report, we remain committed to being transparent and cooperative, while sharing important learnings from the 2017 incident with the cybersecurity community," the spokesperson says.
Equifax has hired a new CIO and CISO and plans to spend $1.25 billion on security between 2018 and 2020, the spokesperson added.
Understanding the Breach
The report is one of several investigations of the Equifax data breach, which exposed the personally identifiable information of 145.5 million U.S. consumers as well as 15.2 million records related to U.K. residents and data on 8,000 Canadians. In September 2018, the GAO report found numerous shortcomings in the lead-up to the incident, including problems with identification, detection, segmentation and data governance, as well as a failure to rate-limit database requests.
At the heart of the breach was Equifax's failure to patch a vulnerability in the Apache Struts open source web application framework. Using that vulnerability, attackers found their way into the network and stole data, according to the investigations.
"Good cyber hygiene is not the responsibility of one person, it's the responsibility of the business," Terence Jackson, CISO at the Washington-based security firm Thycotic Software, tells ISMG. "Was the IT staff overwhelmed? Probably. Was there a culture of security? Probably not. Equifax's failures should be a lesson to us all to 'get back to the basics.'"
Sen. Elizabeth Warren, D-Mass., and Rep. Elijah Cummings, D-Md., recently released another GAO report that studied the consequences of the Equifax breach and found that the Federal Trade Commission needs greater authority to impose larger civil penalties following such incidents.
Numerous Problems at Equifax
The Senate committee report breaks down nine issues at Equifax, but the most damning is the first: "Equifax failed to prioritize cybersecurity."
The report says the company did not know the extent of the cybersecurity threats it faced, and it treated good security practices as an afterthought.
"The CIO at Equifax from 2010 to 2017 oversaw the company employees responsible for installing patches but said he was never made aware of the Apache Struts vulnerability and does not understand why the vulnerability 'was not caught.'"
—Senate subcommittee report
The subcommittee's investigators found that Equifax did not have a written corporate policy to address the patching of critical vulnerabilities in the software it used until 2015. That same year, the company conducted an audit, finding 8,500 vulnerabilities within its IT networks, including over 1,000 listed as critical, high or medium.
That same audit found that Equifax did not follow a schedule to patch these vulnerabilities as detailed in its own company policy, the report found.
The audit "also found that the company had a reactive approach to installing patches and used what the auditors called an 'honor system' for patching that failed to ensure that patches were installed. The audit report also noted that Equifax lacked a comprehensive IT asset inventory, meaning it lacked a complete understanding of the assets it owned," according to the Senate report.
No other audit was conducted until after the 2017 breach, the report finds.
Inability to Follow the Policy
The Equifax IT team learned of the critical vulnerability in Apache Struts on March 8, 2017, from the U.S. Computer Emergency Readiness Team and the Department of Homeland Security. Under company policy, this should have been patched within 48 hours, but it was not, according to the report.
The report also says that the Apache Struts vulnerability was discussed at monthly meetings in March and April of 2017, and more than 400 employees received the alert from CERT. But the patching issue apparently was dismissed or ignored, with critical executives skipping the briefings and the company CIO saying that patching was a "lower-level responsibility that was six levels down from him," the report states.
A key Equifax developer responsible for Apache Struts did not receive the alert about the vulnerability because their manager did not forward the notice, the report points out. At the same time as the alert went out, the company revamped its policies to address vulnerabilities and patching. The subcommittee report found this gave Equifax a false sense of security that it had addressed numerous patching and security issues.
Chris Morales, head of security analytics at Vectra Networks, a San Jose, California-based threat detection and response firm, tells ISMG that even companies with better patch management systems sometimes miss patches.
"Even with a good patch management strategy in place, trying to get 100 percent complete coverage is futile," Morales says. "Then there are the vulnerabilities that we don't know about. At some point, attacks succeed. We can slow attacks down, but we can't stop them completely. Something always finds a way through."
Failure to Update SSL Certificates
The Senate investigation also found that Equifax allowed eight Secure Sockets Layer certificates to expire in November 2016. It took until the night of July 29, 2017, to replace these certificates, including one for an online dispute portal that the attackers used to penetrate the network on May 13, 2017.
For 78 days between March and July of that year, the attackers had access to the Equifax network through this portal.
Once the new SSL certificates were installed in July 2017, the security team immediately noticed traffic coming from an IP address in China, where the company did not have a business presence. The unpatched Apache Struts vulnerability allowed the attackers to take advantage of the expired SSL certificate and gave them access to the network, the report finds.
Once inside the network, the attackers found databases that contained unencrypted usernames and passwords, which gave them further access to customers' Social Security numbers, birth dates, addresses, as well as driver's license and credit card numbers, in some cases.
Storing unencrypted passwords was the norm at Equifax, the report says. "Equifax told the subcommittee that it decided to structure its networks this way due to its effort to support efficient business operations rather than security protocols," according to the report.
Equifax's two main competitors, TransUnion and Experian, received notifications about the Apache Struts vulnerability at the same time as Equifax, the report notes. These companies responded within days and began making fixes, with the Experian IT team taking a server offline to patch it, according to the report.
Internal Documents Missing
The Senate committee could have delved deeper into the issue, but investigators found that Equifax disposed of documents around the same time as the breach happened.
Equifax employees used Microsoft Lync to chat internally about the breach, but these conversations were not retained, the report notes. The company's policy was to dispose of the Lync chats after a short time, and the software's default was set to that preference.
After the breach was discovered on July 29, 2017, Equifax's legal department issued an order in August to retain the chat logs, but the default setting was not changed until mid-September, depriving investigators of crucial documents between the discovery of the breach and the first public announcements, the report adds.
The subcommittee report also notes that Equifax waited six weeks to inform the public that the company has been breached and personally identifiable information taken. All 50 states, plus the District of Columbia, have different standards for when consumers should be notified of a breach, which can create confusion for companies following an incident, the report acknowledges.
Some Equifax executives told investigators that they believed the company did all it could to prevent the breach once the vulnerability was known, according to the report.
"The CIO at Equifax from 2010 to 2017 oversaw the company employees responsible for installing patches but said he was never made aware of the Apache Struts vulnerability and does not understand why the vulnerability 'was not caught,'" the report finds. "He does not think Equifax could have done anything differently."