Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:42 PM

Equifax Breach Underscores Need for Accountability, Simpler Architectures

A new congressional report says the credit reporting firm's September 2017 breach was 'entirely preventable.'

Equifax could have prevented a breach of its systems and the resulting leak of sensitive information on nearly 148 million people by focusing more heavily on security, creating a clear hierarchy of responsibilities, and reducing complexity in its infrastructure, a congressional committee concluded in a report released on Dec. 10. 

Calling the September 2017 breach "entirely preventable," the US House of Representatives' Committee on Oversight and Government Reform placed responsibility for the incident squarely on Equifax's shoulders. The committee's findings come 15 months after the breach, during which time the credit reporting agency has largely escaped investigation or fines. 

"A culture of cybersecurity complacency at Equifax led to the successful exfiltration of the personal information of approximately 148 million individuals," the report stated. "Equifax's failure to patch a known critical vulnerability left its systems at risk for 145 days. The company’s failure to implement basic security protocols, including file integrity monitoring and network segmentation, allowed the attackers to access and remove large amounts of data."

While the report focuses on a set of common recommendations—including increasing transparency for consumers and calling for a review of government agencies' ability to investigate breaches - security experts say companies should focus on policy and process initiatives to improve the ability to detect and eliminate future breach risks. 

"In light of this breach and report, the senior leadership needs to be asking if the organization's cybersecurity is as effective as originally anticipated," says Jesse Dean, senior director of solutions at TDI, a security services firm. "This report underscores the importance of fundamental security practices—not artificial intelligence or machine learning. Executives are responsible for ensuring that basic tenants such as inventory and vulnerability management are being performed and align with organizational policies." 

Security and policy experts expect little to change on the policy front in the US, but underscored two findings of the report. 

Don't Expect Major Legislation or Investigations

Despite the significance of the data leaked in the breach and the total number of records—more than half of all US adults—very little has changed since Equifax announced the incident. The Federal Trade Commission has largely declined to investigate, instead posting information for consumers to avail themselves of the free credit monitoring and noting that credit freezes, where consumers can prevent anyone without a PIN from accessing their credit, are now free to turn off or on.

The Consumer Financial Protection Bureau also has largely been silent on the breach, following the appointment of former OMB Director Mike Mulvaney to head the agency. He has failed to pursue a full investigation of the Equifax breach, according to a February report in Reuters.

The reaction has largely disappointed consumer advocates, says Ted Rossman, an industry analyst with CreditCards.com.

"I really thought at the time that this would be the sea change, finally, because this seemed like something bigger than anything we had seen before, because it was about a company in charge of consumers' data that had a data breach," said Rossman. "Now, more than a year later, Equifax has gotten off pretty easy. It seems like the climate for reform wasn't there, and I don't see it happening in the near future." 

The stock market initially punished Equifax: following the announcement of its breach in Sept. 2017, Equifax's stock price plummeted more than a third of its value to from more than $141 to less than $93 per share. Nearly a year later, Equifax's stock had nearly recovered, but plunged again in late October 2018 to under $97 per share, where the stock has languished following a weak third-quarter earnings report.

Organization Disorganization

Equifax had a convoluted information-technology and information-security organization, where the chief security officer did not report to the chief information officer or the CEO, but instead to the chief legal officer.

This siloed approach to responsibilities directly led to a series of stumbles that resulted in the breach, the report stated. Graeme Payne, Equifax's senior vice president and CIO for global corporate platforms at the time, was fired by Equifax's board, although he did not have direct responsibility for seeing that the vulnerable system was updated.

"The functional result of the CIO/CSO structure meant IT operational and security responsibilities were split, creating an accountability gap," the congressional report stated, adding that "information rarely flowed from one group to the other. Collaboration between IT and Security mostly occurred when required, such as when Security needed IT to authorize a change on the network. Communication and coordination between these groups was often inconsistent and ineffective at Equifax."

Aside from establishing clear areas of responsibility, companies should increase their visibility into the security of their IT networks, experts say. For Equifax, because of the company's complex IT infrastructure, both the patch management and certificate management processes failed. The company could not initially determine that the vulnerable software ran on the affected server, and due to an expired SSL certificate, could not detect the attack traffic because it was encrypted.

"Both the complexity and antiquated nature of Equifax’s IT systems made IT security especially challenging," the report found. "Equifax recognized the inherent security risks of operating legacy IT systems because Equifax had begun a legacy infrastructure modernization effort. This effort, however, came too late to prevent the breach."

In the end, companies need to focus on improving security, experts say.

For consumers, however, the future is less certain.

"As more and more companies move to monetize data and customer behaviors, a lack of political will and a lack of consumer pressure means that your data remains at risk," Mark Nunnikhoven, vice president of cloud research at Trend Micro stated in a blog post on the breach. "Regulation is always challenging but it's clear that the market isn't providing a solution as few of the affected individuals have a relationship with the companies holding the data."

Related Content:

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 85da504d2dc30188b89f44c3276fc5a25b31251f contains a buffer overflow which could allow attackers to obtain sensitive information.