Sen. Tom Carper, D-Delaware, and Rob Portman, R-Ohio, published March 6 a new report detailing the repeated failures over years on the part of Equifax that led to a devastating data breach in 2017.
Equifax failed to adequately protect the sensitive information of more than 145 million Americans, including information on driver’s licenses, passports and Social Security numbers.
The latest PSI report makes clear that, for years, Equifax neglected cybersecurity and thus left itself — and millions of American households — open to attack. Additionally, the damage done by the hackers could have been minimized if Equifax had prioritized widely agreed-upon cybersecurity protocols. As a result of the company’s poor cybersecurity practices, hackers had access to consumers’ personal information for nearly four months before Equifax even notified the public.
By comparison, TransUnion and Experian, Equifax’s competitors, received the same information regarding potential vulnerabilities, yet there is no indication that either was attacked by hackers seeking to exploit the vulnerabilities.
PSI is holding a hearing titled “Examining Private Sector Data Breaches,” at which the CEOs of Equifax and Marriott International will testify.
The report’s key findings include:
— The American public may never know the full story behind the 2017 Equifax breach because company officials failed to retain key records from that time. The records of extensive internal discussions among Equifax officials about the data breach in real time were determined by the company to be disposable.
— After being warned by the Department of Homeland Security about a critical vulnerability in certain versions of Apache Struts — a widely used piece of web application software — and being informed that the vulnerability was easy to exploit, Equifax conducted scans of its network, but none of the scans identified the vulnerable version of Apache Struts running on Equifax’s network. Additionally, Equifax officials knew the limitations of these scans since the company was aware it lacked a full inventory of its IT assets.
— Equifax staff who were aware of Equifax’s use of Apache Struts were left off the incomplete email distribution list used to circulate information about the Apache Struts vulnerability.
— Because Equifax decided to structure its networks in such a way as to support efficient business operations rather than security protocols, the hackers were able to access significant amounts of data, including even more unencrypted usernames and passwords that had been stored by Equifax employees on a file share.
— Equifax allowed a key tool used to monitor IT assets for malicious web traffic to expire in November 2016. As a result, the hackers’ presence in the company’s network went entirely undetected for 78 days.
— Because Equifax was unaware of all the IT assets it owned, unaware of the need to patch the Apache Struts vulnerability, and unable to detect attacks on key portions of its network, hackers had access to consumers’ personal information for nearly four months before the company informed the public.
— In interviews the subcommittee conducted with multiple current and former Equifax employees from the information security and IT departments, most believed that the actions taken were an appropriate response to the Apache Struts vulnerability.
— TransUnion and Experian deployed software to verify the installation of security patches, ran scans more frequently and maintained an up-to-date IT asset inventory. There is no indication that either was attacked by hackers seeking to exploit the Apache Struts vulnerability.
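As an added illustration of the findings above (not code from the report or from any of the companies named), the Python below reconciles a constructed asset inventory against constructed scan output, the control the report credits to Equifax’s competitors: it lists hosts the scan never reached, hosts the scan found that the inventory does not know about, hosts whose recorded patch level disagrees with what the scan observed, and hosts on a vulnerable version. The version ranges are placeholders, not taken from any advisory.

```python
"""Reconcile an IT asset inventory against vulnerability-scan coverage.

All data here is constructed for illustration. A scan that reports
"clean" only speaks for the hosts it actually reached, so the gaps
between inventory and scan are findings in their own right.
"""

# Placeholder affected ranges (inclusive); take real values from the vendor advisory.
VULNERABLE_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10))]

# Constructed inventory: host -> Struts version the inventory records (None = none recorded).
INVENTORY = {
    "web-01": "2.5.13",  # recorded as patched
    "web-02": "2.3.31",
    "web-03": "2.5.10",  # never reached by the scan below
    "web-05": "2.5.13",  # inventory says patched, scan disagrees
    "db-01": None,
}

# Constructed scan output: host -> Struts version actually observed (None = none found).
SCAN = {
    "web-01": "2.5.13",
    "web-02": "2.3.31",
    "web-04": "2.3.30",  # discovered by the scan, absent from the inventory
    "web-05": "2.5.10",
    "db-01": None,
}


def parse_version(text):
    """Turn '2.3.31' into a comparable tuple, padding '2.5' to (2, 5, 0)."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(version):
    """True if the version falls inside any placeholder affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


def reconcile(inventory, scan):
    """Cross-check inventory against scan; returns sorted host lists per finding."""
    report = {"vulnerable": [], "unscanned": [], "shadow": [], "patch_mismatch": []}
    for host, recorded in inventory.items():
        if host not in scan:  # coverage gap: judge by the inventory record only
            report["unscanned"].append(host)
            if recorded and is_vulnerable(recorded):
                report["vulnerable"].append(host)
        elif recorded and scan[host] and parse_version(recorded) != parse_version(scan[host]):
            report["patch_mismatch"].append(host)  # claimed patch not verified
    for host, observed in scan.items():
        if host not in inventory:
            report["shadow"].append(host)  # asset the inventory does not know
        if observed and is_vulnerable(observed):
            report["vulnerable"].append(host)
    return {key: sorted(hosts) for key, hosts in report.items()}
```

Run `reconcile(INVENTORY, SCAN)` on the constructed data: web-03 is a coverage gap, web-04 a shadow asset, web-05 an unverified patch, and four hosts end up flagged as vulnerable.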
A copy of the report is available at bit.ly/2EThA4A.