It took Equifax 76 days to detect the massive 2017 data breach, despite the fact that attackers had conducted roughly 9,000 unauthorized queries on its databases, according to a new report from the U.S. Government Accountability Office (GAO).
In mid-May 2017, malicious actors exploited a known vulnerability in the Apache Struts development framework to gain access to Equifax systems. The company said the breach affected roughly 145 million customers – mostly in the U.S., but also in Canada and the United Kingdom. The incident resulted in social security numbers, dates of birth, email addresses, addresses, driver’s license numbers, payment cards, dispute documents, and other data getting compromised.
Now, roughly one year after the breach came to light, the GAO published a report detailing the Equifax breach. The agency’s report, commissioned by several U.S. senators and representatives, is based on documents from Equifax and the cybersecurity consultants called in by the company following the breach, public statements filed by Equifax, and documents from the Internal Revenue Service (IRS), Social Security Administration (SSA), and U.S. Postal Service (USPS).
According to the GAO report, attackers started scanning Equifax’s systems for the Struts vulnerability just a few days after the existence of the security hole was made public. One of the affected systems was an online dispute portal, on which the attackers gained the ability to execute system-level commands. That enabled them to start querying tens of databases in an effort to find personally identifiable information (PII).
Equifax’s security systems not only failed to detect the Struts vulnerability in the online portal, they also failed to detect the attackers once they gained access.
The GAO says the hackers executed roughly 9,000 database queries, some of which returned personal information. The breach was ultimately detected by the company’s security team during routine checks.
“As reported by Equifax, a network administrator conducting routine checks of the operating status and configuration of IT systems discovered that a misconfigured piece of equipment allowed attackers to communicate with compromised servers and steal data without detection. Specifically, while Equifax had installed a device to inspect network traffic or evidence of malicious activity, a misconfiguration allowed encrypted traffic to pass through the network without being inspected,” the GAO report reads.
The misconfiguration was caused by a digital certificate that had expired 10 months before the breach occurred, which allowed the attackers to run commands and exfiltrate data over an encrypted connection without being detected.
The investigation that followed the breach also revealed that the credit reporting agency had failed to implement proper network segmentation, enabling malicious actors to access many databases beyond those related to the online dispute portal that they initially hacked.
Another problem highlighted in the report is related to the fact that credentials for accessing multiple databases were stored without being encrypted in one database that the attackers accessed.
The GAO pointed out that the 9,000 queries run by the attackers showed the lack of restrictions for the frequency of database queries – the number of queries conducted for normal operations would have been much smaller.
The report notes that the IRS, SSA and USPS, which conducted their own investigations into the incident, made some modifications to their contracts with Equifax – they changed notification requirements for future breaches – and the IRS even terminated one of its contracts.
However, following the GAO report, many rushed to point out that no real actions were taken against Equifax.
The Consumers Union, the advocacy division of Consumer Reports, noted that not much has changed since the incident became public.
“Americans remain largely in the dark about the practices of the credit reporting industry—and, more generally, largely unable to control the use of their personal information,” the organization said. “Equifax itself has suffered minimal consequences and continues to do business more or less as before. And the legal and regulatory system governing the credit reporting industry and data security more broadly remains inadequate, despite some recent progress.”
Senator Elizabeth Warren, one of the officials who commissioned the GAO report and who a few months ago published a report of her own, commented, “One year after they publicly revealed the massive 2017 breach, Equifax and other big credit reporting agencies keep profiting off a business model that rewards their failure to protect personal information – and the Trump Administration and Republican-controlled Congress have done nothing.”