Equifax’s Senate Investigation: What Went Wrong?
Remember Equifax? The ill-fated credit monitoring company, which fell to massive cyberattacks. The United States Senate Committee on Homeland Security and Governmental Affairs released their committee report titled: “How Equifax Neglected Cybersecurity and Suffered A Devastating Data Breach”, containing the result of its investigation on how Equifax fell from grace and was forced to file bankruptcy. The Senate report has similarities with the committee report made by the House of Representative’s.
The blame goes to Equifax, as their employees were not aware of the weakness of the very system they work on every day. “The usernames and passwords the hackers found were saved on a file share by Equifax employees. Equifax told the Subcommittee that it decided to structure its networks this way due to its effort to support efficient business operations rather than security protocols,” said the Senate report.
The Apache Stratus system they were heavily depending on were not patched fast enough, hence an exploit became possible at the expense of the customers. It was detailed in the report that then-CEO Richard Smith only took notice of the issue Jan 31, 2017, two days after the breach actually happened on July 29. The CEO is seen showing negligence about his responsibilities as it took until August 22, almost a month later for him to inform the board-of-directors about the massive data breach. After that late notification, the company itself took their sweet time until September 7 to officially disclose to the public what happened 6-weeks prior.
The Senate is convinced that Equifax has made serious negligence towards its customers, as they have not taken any patching work for their vulnerable Apache Struts system. Added the incompetence of their leaders to act on the issue at a reasonable amount of time. “The Director of Global Threats and Vulnerability Management from 2014 to 2017 said ‘security wasn’t first’ at Equifax before the data breach, but that the data breach ‘made everyone focus on it more.’ The former Countermeasures Manager in place from 2016 to 2017 said he believes the response to the vulnerability was ‘not only defensible but justifiable.’ The CIO at Equifax from 2010 to 2017 oversaw the company employees responsible for installing patches but said he was never made aware of the Apache Struts vulnerability and does not understand why the vulnerability ‘was not caught.’ He does not think Equifax could have done anything differently,” explained in the report.
Aside from staff and leadership negligence, the company is also questioned for being irresponsible when it comes to their SSL certificate. Equifax has ignored the expiration of their SSL certificate, which could have helped with lessening the vulnerability of their Apache Struts system. The Senate is now strongly recommending for Congress as a whole to pass legislation requiring both private and public entities handling customer data to take care of their cybersecurity risks. Federal law needs to pass which will cover all companies with a reasonable level of scrutiny, so as not to repeat the embarrassing story similar to Equifax.