Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:42 PM

Equifax Breach Underscores Need for Accountability, Simpler Architectures

A new congressional report says the credit reporting firm's September 2017 breach was 'entirely preventable.'

Equifax could have prevented a breach of its systems and the resulting leak of sensitive information on nearly 148 million people by focusing more heavily on security, creating a clear hierarchy of responsibilities, and reducing complexity in its infrastructure, a congressional committee concluded in a report released on Dec. 10. 

Calling the September 2017 breach "entirely preventable," the US House of Representatives' Committee on Oversight and Government Reform placed responsibility for the incident squarely on Equifax's shoulders. The committee's findings come 15 months after the breach, during which time the credit reporting agency has largely escaped investigation or fines. 

"A culture of cybersecurity complacency at Equifax led to the successful exfiltration of the personal information of approximately 148 million individuals," the report stated. "Equifax's failure to patch a known critical vulnerability left its systems at risk for 145 days. The company’s failure to implement basic security protocols, including file integrity monitoring and network segmentation, allowed the attackers to access and remove large amounts of data."

While the report focuses on a set of common recommendations—including increasing transparency for consumers and calling for a review of government agencies' ability to investigate breaches - security experts say companies should focus on policy and process initiatives to improve the ability to detect and eliminate future breach risks. 

"In light of this breach and report, the senior leadership needs to be asking if the organization's cybersecurity is as effective as originally anticipated," says Jesse Dean, senior director of solutions at TDI, a security services firm. "This report underscores the importance of fundamental security practices—not artificial intelligence or machine learning. Executives are responsible for ensuring that basic tenants such as inventory and vulnerability management are being performed and align with organizational policies." 

Security and policy experts expect little to change on the policy front in the US, but underscored two findings of the report. 

Don't Expect Major Legislation or Investigations

Despite the significance of the data leaked in the breach and the total number of records—more than half of all US adults—very little has changed since Equifax announced the incident. The Federal Trade Commission has largely declined to investigate, instead posting information for consumers to avail themselves of the free credit monitoring and noting that credit freezes, where consumers can prevent anyone without a PIN from accessing their credit, are now free to turn off or on.

The Consumer Financial Protection Bureau also has largely been silent on the breach, following the appointment of former OMB Director Mike Mulvaney to head the agency. He has failed to pursue a full investigation of the Equifax breach, according to a February report in Reuters.

The reaction has largely disappointed consumer advocates, says Ted Rossman, an industry analyst with CreditCards.com.

"I really thought at the time that this would be the sea change, finally, because this seemed like something bigger than anything we had seen before, because it was about a company in charge of consumers' data that had a data breach," said Rossman. "Now, more than a year later, Equifax has gotten off pretty easy. It seems like the climate for reform wasn't there, and I don't see it happening in the near future." 

The stock market initially punished Equifax: following the announcement of its breach in Sept. 2017, Equifax's stock price plummeted more than a third of its value to from more than $141 to less than $93 per share. Nearly a year later, Equifax's stock had nearly recovered, but plunged again in late October 2018 to under $97 per share, where the stock has languished following a weak third-quarter earnings report.

Organization Disorganization

Equifax had a convoluted information-technology and information-security organization, where the chief security officer did not report to the chief information officer or the CEO, but instead to the chief legal officer.

This siloed approach to responsibilities directly led to a series of stumbles that resulted in the breach, the report stated. Graeme Payne, Equifax's senior vice president and CIO for global corporate platforms at the time, was fired by Equifax's board, although he did not have direct responsibility for seeing that the vulnerable system was updated.

"The functional result of the CIO/CSO structure meant IT operational and security responsibilities were split, creating an accountability gap," the congressional report stated, adding that "information rarely flowed from one group to the other. Collaboration between IT and Security mostly occurred when required, such as when Security needed IT to authorize a change on the network. Communication and coordination between these groups was often inconsistent and ineffective at Equifax."

Aside from establishing clear areas of responsibility, companies should increase their visibility into the security of their IT networks, experts say. For Equifax, because of the company's complex IT infrastructure, both the patch management and certificate management processes failed. The company could not initially determine that the vulnerable software ran on the affected server, and due to an expired SSL certificate, could not detect the attack traffic because it was encrypted.

"Both the complexity and antiquated nature of Equifax’s IT systems made IT security especially challenging," the report found. "Equifax recognized the inherent security risks of operating legacy IT systems because Equifax had begun a legacy infrastructure modernization effort. This effort, however, came too late to prevent the breach."

In the end, companies need to focus on improving security, experts say.

For consumers, however, the future is less certain.

"As more and more companies move to monetize data and customer behaviors, a lack of political will and a lack of consumer pressure means that your data remains at risk," Mark Nunnikhoven, vice president of cloud research at Trend Micro stated in a blog post on the breach. "Regulation is always challenging but it's clear that the market isn't providing a solution as few of the affected individuals have a relationship with the companies holding the data."

Related Content:

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Are You One COVID-19 Test Away From a Cybersecurity Disaster?
Alan Brill, Senior Managing Director, Cyber Risk Practice, Kroll,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-27
checkpath in OpenRC through 0.42.1 might allow local users to take ownership of arbitrary files because a non-terminal path component can be a symlink.
PUBLISHED: 2020-10-26
libtac in pam_tacplus through 1.5.1 lacks a check for a failure of RAND_bytes()/RAND_pseudo_bytes(). This could lead to use of a non-random/predictable session_id.
PUBLISHED: 2020-10-26
An out-of-bounds read in the JavaScript Interpreter in Facebook Hermes prior to commit 8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0 allows attackers to cause a denial of service attack or possible further memory corruption via crafted JavaScript. Note that this is only exploitable if the application usi...
PUBLISHED: 2020-10-26
Ruckus through is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting arbitrary commands that will be executed as root user via web.py.
PUBLISHED: 2020-10-26
Ruckus vRioT through has an API backdoor that is hardcoded into validate_token.py. An unauthenticated attacker can interact with the service API by using a backdoor value as the Authorization header.