US lawmakers say that credit reporting agency Equifax’s security practices and systems were both sub-par and out of date.
The Equifax data breach in September 2017 affected about 148m customers, mostly in the US, with some in the UK and Canada. Data stolen in the incident included credit card information, certain dispute documents, social security numbers and addresses, among other information.
A 14-month investigation found the company failed to appreciate and mitigate basic security risks. The culmination of the investigation is a 96-page report, published by the House Oversight and Government Reform Committee Republicans on 10 December.
Company structure issues
The report traced the breach to problems in the company structure. A communication breakdown between IT policy development and IT operations led to delayed patching of critical systems. One vulnerability was not patched for 19 months.
The attack itself went on for 76 days and extracted unencrypted data from the company systems a staggering 265 times. According to the report, the company was well aware of its problems in patching flaws in a timely manner, but did not endeavour to fix these issues.
Equifax failed to patch a disclosed Apache Struts web server vulnerability, one that US Homeland Security had previously issued a warning about. The unpatched server powered the decades-old web-facing system that let customers check their credit rating, and the attackers used it to gain access to private data. In total, hackers were able to access more than 48 databases containing customer data, again unencrypted.
The report said: “Equifax did not see the data exfiltration because the device used to monitor [the vulnerable server’s] network traffic had been inactive for 19 months due to an expired security certificate.” This certificate was not updated for a further two months, at which point staff noticed suspicious web traffic immediately. The report classed the breach as “entirely preventable”.
Customer care under fire
The way in which Equifax dealt with the issues after the breach was disclosed also came in for some criticism. A website fielding customer queries was impersonated while the original crashed consistently. Meanwhile, it was reported that call centres were overwhelmed and many basic questions went unanswered.
Equifax spokesperson Wyatt Jefferies said: “We are deeply disappointed that the committee chose not to provide us with adequate time to review and respond to a 100-page report consisting of highly technical and important information.
“During the few hours we were given to conduct a preliminary review, we identified significant inaccuracies and disagree with many of the factual findings.”
Many people are wondering whether the recommendations outlined in the report will be implemented in full by Equifax, particularly as the US is still figuring out how to update laws and regulations to enforce recommendations and manage such events in the future.