Equifax Could Have Prevented Massive Data Breach, Report From U.S. House Says
The massive Equifax data breach that impacted 148 million Americans could have been prevented, the United States House of Representatives’ Oversight and Government Reform Committee Republicans say, echoing what has been widely known since shortly after the breach was disclosed.
In September 2017, the U.S. credit reporting agency (and one of the largest consumer reporting agencies (CRA) in the world) revealed that a cybersecurity incident impacted 143 million of its consumers, then raised that number several weeks later. A total of 148 million were impacted.
The company confirmed last year that an Apache Struts vulnerability that had been exploited in the wild for months was used to gain access to its systems. Equifax was even warned about the vulnerability, but failed to properly patch it.
The attack on Equifax started in May, but was only detected in July, although the adversaries sent 9,000 queries on 48 unrelated databases during that time.
The newly published staff report (PDF) from the U.S. House Committee emphasizes that the data breach could have been avoided had Equifax taken necessary action in due time.
The critical Apache Struts vulnerability abused in the incident was publicly disclosed on March 7 last year, and the Department of Homeland Security alerted Equifax to this security flaw the next day. Equifax’s Global Threat and Vulnerability Management (GTVM) team sent the alert to over 400 people, instructing them to apply the necessary patch, and also held a meeting on March 16th about the vulnerability.
Despite that, the company did not fully patch its systems, the report says. Equifax’s Internet-facing Automated Consumer Interview System (ACIS), which was running a vulnerable version of Apache Struts, was not updated, leaving the system and data exposed.
This allowed adversaries to start their assault on Equifax on May 13, drop web-based backdoors to obtain remote control, and find a file containing unencrypted credentials they later used to access sensitive data outside of the ACIS environment.
The attackers were able to successfully locate unencrypted personally identifiable information (PII) data 265 times and transferred the data without being detected, because the device monitoring ACIS network traffic “had been inactive for 19 months due to an expired security certificate,” the report reveals.
Only after updating the expired certificate on July 29, 2017, was Equifax able to identify the suspicious web traffic from an IP address originating in China.
“The suspicious traffic exiting the ACIS application potentially contained image files related to consumer credit investigations. Equifax discovered it was under active attack and immediately launched an incident response effort,” the report reveals.
In the following weeks, the company discovered several ACIS code vulnerabilities and additional suspicious traffic, and shut down the ACIS web portal on July 30 for emergency maintenance, which ended the attack.
In early August, the company engaged Mandiant to conduct a forensic investigation of the incident and also contacted outside counsel and the Federal Bureau of Investigation (FBI). By late August 2017, Mandiant confirmed the attackers were able to access consumer PII, and Equifax started preparation for the public notice of the breach.
Although Equifax created a website for individuals to find out whether they were affected and also began efforts to set up a call center with 1,500 temporary employees, the company was unprepared for the sheer amount of traffic the website and the call center received once the breach was made public on September 7.
The report also highlights two points of failure that could have allowed Equifax to mitigate or even prevent the incident.
One was a lack of accountability and no clear lines of authority in the IT management structure, which resulted in an execution gap between IT policy development and operation. This led to the company allowing over 300 security certificates to expire, including 79 certificates for monitoring business-critical domains.
The other was Equifax’s aggressive growth strategy (it acquired multiple companies and information technology (IT) systems over the course of several years) and accumulation of data, which resulted in a complex IT environment, making security challenging.
Equifax had critical IT applications running on custom-built legacy systems and was apparently aware of the inherent security risks of operating legacy IT systems, as it had already started an infrastructure modernization effort. That, however, came too late to prevent the breach.
“Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented,” the report says.