Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:42 PM

Equifax Breach Underscores Need for Accountability, Simpler Architectures

A new congressional report says the credit reporting firm's September 2017 breach was 'entirely preventable.'

Equifax could have prevented a breach of its systems and the resulting leak of sensitive information on nearly 148 million people by focusing more heavily on security, creating a clear hierarchy of responsibilities, and reducing complexity in its infrastructure, a congressional committee concluded in a report released on Dec. 10. 

Calling the September 2017 breach "entirely preventable," the US House of Representatives' Committee on Oversight and Government Reform placed responsibility for the incident squarely on Equifax's shoulders. The committee's findings come 15 months after the breach, during which time the credit reporting agency has largely escaped investigation or fines. 

"A culture of cybersecurity complacency at Equifax led to the successful exfiltration of the personal information of approximately 148 million individuals," the report stated. "Equifax's failure to patch a known critical vulnerability left its systems at risk for 145 days. The company’s failure to implement basic security protocols, including file integrity monitoring and network segmentation, allowed the attackers to access and remove large amounts of data."

While the report focuses on a set of common recommendations—including increasing transparency for consumers and calling for a review of government agencies' ability to investigate breaches - security experts say companies should focus on policy and process initiatives to improve the ability to detect and eliminate future breach risks. 

"In light of this breach and report, the senior leadership needs to be asking if the organization's cybersecurity is as effective as originally anticipated," says Jesse Dean, senior director of solutions at TDI, a security services firm. "This report underscores the importance of fundamental security practices—not artificial intelligence or machine learning. Executives are responsible for ensuring that basic tenants such as inventory and vulnerability management are being performed and align with organizational policies." 

Security and policy experts expect little to change on the policy front in the US, but underscored two findings of the report. 

Don't Expect Major Legislation or Investigations

Despite the significance of the data leaked in the breach and the total number of records—more than half of all US adults—very little has changed since Equifax announced the incident. The Federal Trade Commission has largely declined to investigate, instead posting information for consumers to avail themselves of the free credit monitoring and noting that credit freezes, where consumers can prevent anyone without a PIN from accessing their credit, are now free to turn off or on.

The Consumer Financial Protection Bureau also has largely been silent on the breach, following the appointment of former OMB Director Mike Mulvaney to head the agency. He has failed to pursue a full investigation of the Equifax breach, according to a February report in Reuters.

The reaction has largely disappointed consumer advocates, says Ted Rossman, an industry analyst with CreditCards.com.

"I really thought at the time that this would be the sea change, finally, because this seemed like something bigger than anything we had seen before, because it was about a company in charge of consumers' data that had a data breach," said Rossman. "Now, more than a year later, Equifax has gotten off pretty easy. It seems like the climate for reform wasn't there, and I don't see it happening in the near future." 

The stock market initially punished Equifax: following the announcement of its breach in Sept. 2017, Equifax's stock price plummeted more than a third of its value to from more than $141 to less than $93 per share. Nearly a year later, Equifax's stock had nearly recovered, but plunged again in late October 2018 to under $97 per share, where the stock has languished following a weak third-quarter earnings report.

Organization Disorganization

Equifax had a convoluted information-technology and information-security organization, where the chief security officer did not report to the chief information officer or the CEO, but instead to the chief legal officer.

This siloed approach to responsibilities directly led to a series of stumbles that resulted in the breach, the report stated. Graeme Payne, Equifax's senior vice president and CIO for global corporate platforms at the time, was fired by Equifax's board, although he did not have direct responsibility for seeing that the vulnerable system was updated.

"The functional result of the CIO/CSO structure meant IT operational and security responsibilities were split, creating an accountability gap," the congressional report stated, adding that "information rarely flowed from one group to the other. Collaboration between IT and Security mostly occurred when required, such as when Security needed IT to authorize a change on the network. Communication and coordination between these groups was often inconsistent and ineffective at Equifax."

Aside from establishing clear areas of responsibility, companies should increase their visibility into the security of their IT networks, experts say. For Equifax, because of the company's complex IT infrastructure, both the patch management and certificate management processes failed. The company could not initially determine that the vulnerable software ran on the affected server, and due to an expired SSL certificate, could not detect the attack traffic because it was encrypted.

"Both the complexity and antiquated nature of Equifax’s IT systems made IT security especially challenging," the report found. "Equifax recognized the inherent security risks of operating legacy IT systems because Equifax had begun a legacy infrastructure modernization effort. This effort, however, came too late to prevent the breach."

In the end, companies need to focus on improving security, experts say.

For consumers, however, the future is less certain.

"As more and more companies move to monetize data and customer behaviors, a lack of political will and a lack of consumer pressure means that your data remains at risk," Mark Nunnikhoven, vice president of cloud research at Trend Micro stated in a blog post on the breach. "Regulation is always challenging but it's clear that the market isn't providing a solution as few of the affected individuals have a relationship with the companies holding the data."

Related Content:

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: What Virtual Reality phishing attacks will look like in 2030.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-11
A cross-site request forgery (CSRF) vulnerability in Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
PUBLISHED: 2021-05-11
Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier does not perform a permission check in an HTTP endpoint, allowing with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
PUBLISHED: 2021-05-11
Jenkins P4 Plugin 1.11.4 and earlier does not perform permission checks in multiple HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified Perforce server using attacker-specified username and password.
PUBLISHED: 2021-05-11
A cross-site request forgery (CSRF) vulnerability in Jenkins P4 Plugin 1.11.4 and earlier allows attackers to connect to an attacker-specified Perforce server using attacker-specified username and password.
PUBLISHED: 2021-05-11
Jenkins Xcode integration Plugin 2.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.