
Equifax: Senate Goes Once More Into The Breach

By Matthew Dove (Digital Editor)

On March 7, a U.S. Senate committee hearing was convened to pick through the debris of the “devastating data breach” experienced by credit reference agency Equifax in the summer of 2017.

The committee’s findings were as damning as the testimony given by top Equifax execs was nonchalant. The Senate heard how a catalogue of errors made the loss of more than 150 million Americans’ private information all but inevitable. These failings ranged from instances of individual ineptitude to the kind of systemic indifference and wilful delusion more commonly associated with outfits like Lehman Brothers or CitiBank at the height of the financial crisis.

Unfortunately, the profit-over-process model favoured by the rogues gallery which crippled the world’s economy in 2008 was alive and well at Equifax a mere 18 months ago. Furthermore, if incumbent CEO Mark Begor’s testimony is anything to go by, it’s still alive and kicking now!

Senator Tom Carper (D-Delaware)

As well as considering Begor’s beliefs, let’s have a gander at the key areas identified in Sen. Tom Carper’s subcommittee report on the subject, How Equifax Neglected Cybersecurity and Suffered a Devastating Data Breach.

Equifax Failed to Prioritise Cybersecurity

The ratings giant had “a reactive approach” to patching vulnerabilities in its systems and had no “standalone written corporate policy” for such a process until 2015.

In the lead-up to the breach, an audit revealed an astonishing 8,500 unpatched vulnerabilities, 1,000 of which were deemed “high or medium” risk. Perhaps more worryingly, the audit found that Equifax didn’t have a complete “IT asset inventory”, meaning it didn’t even know which of its systems might be exposed to attack. As Carper notes in the report, “If a vulnerability cannot be found, it cannot be patched.”

No further audits were conducted after 2015 and issues previously raised went unaddressed.

Equifax Could Not Follow Its Own Policies in Patching the Vulnerability That Ultimately Caused the Breach

On March 8, 2017, the U.S. Department of Homeland Security made the agency aware of a flaw in the commonly used web application software, Apache Struts. The flaw had been given “the highest criticality score possible” by the National Institute of Standards and Technology. The next day, an internal alert was sent to 400 Equifax employees.

No immediate action was taken.

Monthly meetings were held to flag cybersecurity risks but were poorly attended by senior management. Of those interviewed by the subcommittee “none” were a regular feature at these crucial debriefs.

The chief information officer at the time of the 2017 breach, David Webb, distanced himself from the vital work being done by his team, insisting that patching faults was a “lower level responsibility that was six levels down” from him.


Tellingly, Webb maintains a healthy buffer between himself and the events of 2017 to this day. The technologist’s LinkedIn page fails to mention any work experience beyond 2010 (when he left Silicon Valley Bank to join Equifax).

That said, he still had a better innings than his successor, Jun Ying, who had his new position “rescinded” when it emerged that he’d divested himself of Equifax stock options shortly before information regarding the breach was made public. He also shares his former boss’s modesty regarding his role at Equifax, completely omitting the word “Equifax” from his LinkedIn profile. Of his present role at Keenly Health though, Ying states, “Health tech, IoT, streaming data, ML. Need I say more?” To which the logical response is, err, yes, quite a lot more actually….

Anywho, enough booting dogs whilst they’re down (ample time for that later!), back to our litany of logistical lunacy…

Equifax Failed to Locate and Patch Apache Struts

The Equifax developer who was aware of the company’s use of Apache Struts wasn’t one of the 400 employees who received the alert. His manager, however, was and failed to pass on the information. Oh dear. Clearly, if you spend too much time dealing in 1s and 0s, putting 2 and 2 together can become problematic.

It was also policy for developers to subscribe to push notifications from software vendors on a voluntary basis. The developer with knowledge of Equifax’s Apache Struts exposure didn’t subscribe to notifications from Apache so was entirely unaware of the fault. Oh dear, oh dear.

Equifax Left Itself Open to Attack Due to Poor Cybersecurity Practices

Even if you place the Apache Struts vulnerability to one side, Equifax was a decidedly leaky ship. From November 2016 until July 2017, the blundering behemoth neglected to update expired Secure Sockets Layer (SSL) certificates (which help secure and encrypt online interactions) for its disputes portal. This allowed hackers exploiting Apache Struts’ weakness to pilfer Equifax’s customers’ data unimpeded for 78 days. For a touch of contemporary context, 2017 also saw Brit Mark Beaumont taking roughly the same amount of time to circumnavigate the planet on a bicycle!

Mark Beaumont showing the world what else could be achieved in 78 fateful days in 2017.

The Damage Done by the Hackers Could Have Been Minimised

Equifax told the subcommittee that it had decided to structure its networks “to support efficient business operations rather than security protocols.”

In other words, once inside, the hackers helped themselves to a free lunch, easily locating “a data repository that … contained unencrypted usernames and passwords.”

Subsequently, the theft of countless “Social Security numbers, birth dates, addresses, and, in some instances, driver’s license and credit card numbers” went undetected.  

Equifax Waited Six Weeks Before Notifying the Public It Was Breached

Sorry Senator Carper, could you repeat that?

“Equifax publicly announced the data breach on September 7, six weeks after learning of it and nearly four months after the hackers entered Equifax’s network.”

Hmm, I see. It actually sounded much worse the second time. On the bright side, at least Equifax’s customer services department was quick to react to an enquiry we made earlier this year…

Equifax Executives Believe They Did All They Could to Prevent the Breach

It wouldn’t be a hugely damaging corporate scandal without a healthy dose of abdication and the head honchos of Equifax, past and present, didn’t disappoint.

David Webb was left shrugging his shoulders and puzzling why the systemic failure “was not caught” whilst the former countermeasures manager defiantly claimed that Equifax’s response was “not only defensible but justifiable.”

Mark Begor (CEO, Equifax)

It’s one thing for the old guard to remain indignant when presented with their myriad failings but surely the incumbent management, specifically CEO Mark Begor, has something fresh, perhaps even encouraging, to offer?

“The fact that Equifax did not have an impenetrable information security program and suffered a breach does not mean that the company failed to take cybersecurity seriously”

Guess not.

TransUnion and Experian Avoided a Breach

Both of Equifax’s main rivals, TransUnion and Experian, managed to avoid a similar fate, but how? By some Herculean effort? No? Dumb luck or massive expense, then?

Well, not quite…

“Both companies had deployed software to verify the installation of security patches, ran scans more frequently, and maintained an IT asset inventory.”

Peter White (Co-founder and CEO Rethink Technology Research)

TransUnion and Experian implemented basic security measures to safeguard the incredibly sensitive material with which they had been entrusted. Equifax did not.
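The three measures just quoted (verifying that patches actually landed, scanning regularly, and keeping an asset inventory) are what turn a vendor advisory into a list of named owners with hosts to fix, and they also close the gap Carper’s report describes, where a vulnerability that cannot be found cannot be patched. The script below is an added illustration, not code from the report, from Equifax or from either rival; all hosts, owners, teams and version numbers are constructed sample values, the advisory id is a placeholder, and the version boundary is invented rather than taken from any real Apache Struts advisory. It reconciles an inventory against scan output for one advisory and reports four things: which owner to notify for which hosts, hosts where the inventory claims a patch the scanner does not see, hosts the scanner found but nobody owns, and hosts in the inventory that were never scanned.

```python
"""Reconcile an IT asset inventory against scan results for one vendor advisory.

All data below is constructed for illustration; the hosts, owners, versions
and advisory id are hypothetical, not any company's real records.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    host: str
    owner: str       # team that receives the patch notification
    component: str
    version: str     # version as recorded in the inventory (may be stale)


# Constructed inventory: hypothetical hosts, not any real environment.
INVENTORY: List[Asset] = [
    Asset("disputes-web-01", "app-team-a", "Apache Struts", "2.3.31"),
    Asset("portal-web-02", "app-team-b", "Apache Struts", "2.3.32"),  # records say patched
    Asset("batch-01", "ops-team", "Apache Tomcat", "8.5.20"),
    Asset("legacy-web-03", "app-team-a", "Apache Struts", "2.3.20"),  # scanner never reached it
]

# Constructed scanner output: host -> (component, version actually observed).
SCAN_RESULTS: Dict[str, Tuple[str, str]] = {
    "disputes-web-01": ("Apache Struts", "2.3.31"),
    "portal-web-02": ("Apache Struts", "2.3.31"),   # the recorded patch was never applied
    "batch-01": ("Apache Tomcat", "8.5.20"),
    "shadow-web-99": ("Apache Struts", "2.3.28"),   # running, but absent from the inventory
}

# Constructed advisory: placeholder id and an invented fixed-version boundary.
ADVISORY = {"id": "ADVISORY-PLACEHOLDER", "component": "Apache Struts", "fixed_in": "2.3.32"}


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.3.31' -> (2, 3, 31). Non-numeric characters inside a segment are dropped."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, fixed_in: str) -> bool:
    """True when version is strictly below the fixed version.

    Shorter tuples are zero-padded so that '2.3' compares as '2.3.0'.
    """
    a, b = parse_version(version), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def reconcile(inventory: List[Asset],
              scan: Dict[str, Tuple[str, str]],
              advisory: Dict[str, str]) -> Dict[str, object]:
    """Cross-check inventory, scan output and one advisory; return a report dict."""
    notify: Dict[str, List[str]] = {}
    stale_records: List[str] = []
    inventory_hosts = {a.host for a in inventory}

    for asset in inventory:
        # Trust what the scanner observed over what the inventory recorded:
        # this is the "verify the installation of security patches" step.
        observed = scan.get(asset.host)
        component, version = observed if observed else (asset.component, asset.version)
        if observed and observed != (asset.component, asset.version):
            stale_records.append(asset.host)
        if component == advisory["component"] and is_affected(version, advisory["fixed_in"]):
            notify.setdefault(asset.owner, []).append(asset.host)

    # Hosts the scanner saw that nobody owns: found, but with no one to patch them.
    not_in_inventory = sorted(h for h in scan if h not in inventory_hosts)
    unowned_affected = sorted(
        h for h in not_in_inventory
        if scan[h][0] == advisory["component"] and is_affected(scan[h][1], advisory["fixed_in"])
    )
    # Hosts the inventory lists that the scanner never reached: unverified.
    not_scanned = sorted(h for h in inventory_hosts if h not in scan)

    return {
        "advisory": advisory["id"],
        "notify": notify,
        "stale_records": sorted(stale_records),
        "not_in_inventory": not_in_inventory,
        "unowned_affected": unowned_affected,
        "not_scanned": not_scanned,
    }


if __name__ == "__main__":
    report = reconcile(INVENTORY, SCAN_RESULTS, ADVISORY)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the constructed data, portal-web-02 is the case the quoted measures exist for: the inventory says it was patched, the scanner says it was not, so it is reported both as a stale record and as a host to fix. shadow-web-99 is the opposite failure, a vulnerable host that was found but has no owner to notify, and legacy-web-03 shows why an inventory alone is not enough when scans do not cover it.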

Peter White (Co-founder and CEO Rethink Technology Research) emphasised this dichotomy when he told TFT that:

“The changes are not excessive and security is not a mystery. There are many companies that can audit and make recommendations, for stronger security, and their cost is not exorbitant, but it can amount to a few percentage points of profit – but if a credit reference agency cannot look after data, which is its lifeblood, then what can it do.

If it had observed basic security protocols and still been hacked, that’s another matter, but in the Equifax case it was clearly a basic lack of care, and less than the minimum standard necessary.”

Equifax Failed to Preserve Key Internal Chat Records

Despite having software requiring more patches than Worzel Gummidge, Equifax went to inordinate lengths to cover one very specific area. Its own arse!

The shame-faced data sieve had a policy in place designed to halt the loss of “potentially responsive documents” in the event of a security breach. However, personnel were using Microsoft Lync – an instant messaging app whose default setting routinely discards old conversations – to discuss the breach.

Equifax considered these exchanges “disposable” until September 15 (a full 48 days after the hack was discovered) when it decided to start archiving them and changed the app’s settings. With the gate securely bolted and the horse long gone, Equifax had left the subcommittee with a conveniently incomplete record of events to assess.


Carper surmised that the breach was indicative of a “cultural indifference to cybersecurity” at the credit scoring goliath. It’s a conclusion with which Peter White wholeheartedly agrees:

“The senate subcommittee found what most investigations find, which is that because security is a “grudge” purchase, during periods when things are not being hacked, finance guys cut funds to support proper process. It certainly amounts to cultural indifference.”

He continued that:

“Anything less than a senior management cull of Equifax would be, in my view, a betrayal of the customers the company serves.”

It would seem that “cultural indifference”, avarice and institutional arrogance still prevail at corporations whose power and influence remain astronomic. This makes the grim prospect of similarly mammoth cockups just as likely now as it was in 2017.

