A Congressional investigation has concluded that the devastating 2017 breach at Equifax, which affected 148 million people, was “entirely preventable.” The 96-page report is an important case study in how a lot of small decisions can add up over time, with catastrophic results.
Had the company invested in updating its legacy infrastructure and stayed current with software patches, the attackers would not have been able to successfully steal personal information for so many consumers, the House Oversight and Government Reform Committee said in its report, the culmination of a 14-month investigation. The report confirmed many things that were already known, such as the fact that Equifax had not patched the vulnerability in Apache Struts, months after the patch was made available and the Department of Homeland Security had released an advisory about the flaw. The report took all those facts and painted a picture of a company where growing the business was paramount, often at the expense of security.
“Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented,” the House Oversight and Government Reform Committee said.
Growth Over Security
The committee faulted former Equifax CEO Richard Smith for his “aggressive growth strategy,” which increased the company’s security risk. There were numerous recent acquisitions over a short period of time—18 in all—and the company didn’t take into account that its security program was not up to the task of protecting the data it was collecting on millions of consumers and businesses.
"While the acquisition strategy was successful for Equifax’s bottom line and stock price, this growth brought increasing complexity to Equifax’s IT systems, and expanded data security risks," the committee found.
The report noted that Smith had said the company held “almost 1,200 times” the data held in the Library of Congress every day, but the company had “failed to implement an adequate security program to protect this sensitive data.”
It wasn’t just the data that wasn’t being protected. The acquisitions meant Equifax had a sprawling infrastructure with a mix of IT systems, some of them outdated. The system that the attackers gained access to—the Equifax Automated Consumer Interview System (ACIS), which allowed customers to dispute incorrect information on their credit file—had been built in the 1970s, the House report said. The system did not have “file integrity monitoring enabled,” leaving the company unable to detect the attackers’ malicious scripts and database activities.
Technology debt is a big problem for enterprises, especially when IT teams have to choose between spending the time and resources to modernize legacy systems and addressing something else that has a specific business impact. Given limited resources, legacy systems generally fall down the list of important things that need to get done. Equifax is not unusual in this choice—the city of Atlanta learned the hard way that attackers can use legacy systems to gain access to the network.
“In light of this breach and report, the senior leadership needs to be asking if the organization's cybersecurity is as effective as originally anticipated,” said Jesse Dean, a senior security engineer at TDI, a technology consulting company.
The IT operation at Equifax had grown too large too fast, and there was no clear management structure of policies across different departments, the House report said.
A “lack of accountability and no clear lines of authority in Equifax’s IT management structure” meant no one noticed when key security tasks were left undone. For example, the company had allowed over 300 security certificates to expire, including 79 certificates used to monitor business-critical systems. One such expired certificate was for a network monitoring device which would have potentially noticed the data exfiltration. It turned out the device had been inactive for 19 months because of the certificate. Equifax discovered the breach when the certificate was finally updated, and the IT team saw the suspicious web traffic.
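The expired-certificate blind spot described above, as an added example that is not from the report or from Equifax: a Go audit that parses each monitoring device’s certificate, reports the devices whose certificate has already lapsed together with how long they have been silently out of service, and warns on those about to expire. Device names, dates and the self-signed certificates are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"time"
)

// MakeCert issues a constructed self-signed DER certificate with the given
// validity window; only the dates matter for this audit.
func MakeCert(notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// AuditCertificates takes an inventory of monitoring devices and their DER
// certificates and returns the devices whose certificate had already expired
// at now, keyed to how long they have been blind, plus the devices whose
// certificate expires within warn. A certificate that fails to parse counts
// as expired (blind duration recorded as 0): the device is just as useless.
func AuditCertificates(inv map[string][]byte, now time.Time, warn time.Duration) (blind map[string]time.Duration, expiring []string) {
	blind = map[string]time.Duration{}
	for dev, der := range inv {
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			blind[dev] = 0
			continue
		}
		switch {
		case !now.Before(cert.NotAfter):
			blind[dev] = now.Sub(cert.NotAfter)
		case cert.NotAfter.Sub(now) <= warn:
			expiring = append(expiring, dev)
		}
	}
	return blind, expiring
}
```

Run against a real inventory, the blind map is the list of devices that have stopped watching anything; a 19-month entry is the kind of gap the report describes.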
Another example: the IT team did scan for systems running unpatched Apache Struts, but the scan didn’t check subdirectories.
“Executives are responsible for ensuring that basic tenets such as inventory and vulnerability management are being performed and align with organizational policies,” Dean said.
The lack of clear management structure didn’t just cause problems that led to the breach, but made it difficult for the company to identify and notify customers affected by the breach.
“When Equifax informed the public of the breach on September 7, the company was unprepared to support the large number of affected consumers,” the report said. “The dedicated breach website and call centers were immediately overwhelmed, and consumers were not able to obtain timely information about whether they were affected and how they could obtain identity protection services.”
After the breach, Equifax blamed an IT staffer for not installing the Apache update, but the report makes it clear that there were many more people at fault. The company had performed internal audits which had highlighted issues in its software patching processes and the fact that the ACIS application was not segmented from other databases, despite being on a much more vulnerable server.
"As a result, the attackers used the application credentials to gain access to 48 unrelated databases outside of the ACIS environment," the report found.
Time for New Priorities
The House report blamed the breach on a “culture of complacency” at Equifax, as well as the lack of clear IT leadership that made it easy for mistakes to not be noticed.
However, hindsight is 20/20. How many similarly situated enterprises can claim that they haven’t prioritized their business goals over security?
The report recommended that credit reporting agencies provide consumers with more clarity about what kind of data is being collected, how it is stored, and how it is shared. A parallel report, from the Democrats on the committee, urged Congress to pass a comprehensive notification law to improve how victims are notified, along with an amendment to the Federal Trade Commission Act to “strengthen civil penalties for private sector violations of consumer data security requirements.”
Another recommendation—especially relevant in light of technology debt—was to have companies in the finance and credit sectors prioritize modernizing their IT infrastructure.
No more five-decades-old Solaris systems, please.