A sobering House Oversight Committee report released this week has helped illustrate just how out of date systems at Equifax, the consumer credit reporting agency that was breached last year, were.
The data breach, which the report says could have been prevented, was one of the largest in U.S. history, leaking the sensitive data of 148 million consumers, not just in the U.S. but also in Canada and the U.K. Among the data exposed were individuals' names, dates of birth, Social Security numbers, address information, gender, phone number, driver’s license numbers, email addresses, payment card numbers and expiration dates, TaxID, and driver’s license states.
According to the 96-page report, the company’s IT systems had countless shortcomings. Yes, Equifax failed to patch a critical vulnerability in Apache Struts, something that left its systems exposed for 145 days. But per the House Committee, the company also failed to renew 324 security certificates, including 79 that were used to monitor business critical domains. The report doesn't downplay the issues around Equifax's patching process. In fact, it highlights that the company knew there were deficiencies with the process and that actions were needed to make it effective; Equifax just failed to "establish a mechanism to ensure accountability and compliance."
The report also makes it sound as if Equifax's Achilles' heel was failing to update a security certificate for its SSL Visibility (SSLV) appliance, a device used to monitor network traffic leaving ACIS, its Automated Consumer Interview System. The SSL certificate had been expired for 19 months, eliminating the company's ability to visualize the data being exfiltrated from the environment.
"Had Equifax implemented a certificate management process with defined roles and responsibilities, the SSL certificate on the device monitoring the ACIS platform would have been active when the intrusion began on May 13, 2017. The company would have been able to see the suspicious traffic to and from the ACIS platform much earlier – potentially mitigating or preventing the data breach," the report reads.
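As an added illustration of the certificate-management gap the report describes (this is example code written for this post, not code from the report or from Equifax), the script below audits a constructed certificate inventory and treats a lapsed certificate on a traffic-inspection device as a higher-severity finding than a lapsed service certificate, because a dead monitor fails silently. The inventory entries, device names and dates are hypothetical; the `notAfter` strings use the format returned by `ssl.SSLSocket.getpeercert()`, which the standard library's `ssl.cert_time_to_seconds()` parses.

```python
"""Audit an inventory of TLS certificates for expiry and flag monitoring blind spots."""
import ssl
from datetime import datetime, timezone

# Constructed sample inventory; names and dates are hypothetical.
INVENTORY = [
    {"name": "sslv-acis-monitor", "role": "monitoring",
     "notAfter": "Oct 13 00:00:00 2015 GMT"},
    {"name": "acis-web", "role": "service",
     "notAfter": "Jun 01 00:00:00 2017 GMT"},
    {"name": "portal", "role": "service",
     "notAfter": "Dec 31 23:59:59 2018 GMT"},
]
# Constructed audit date (the intrusion start date quoted from the report).
AUDIT_DATE = datetime(2017, 5, 13, tzinfo=timezone.utc)

def classify(days_left, role, warn_days=30):
    """Map remaining validity and device role to a (status, severity) pair."""
    if days_left < 0:
        # A lapsed certificate on a service fails loudly; on an inspection
        # device it fails silently, and the traffic it should see goes unseen.
        return "EXPIRED", ("critical" if role == "monitoring" else "high")
    if days_left <= warn_days:
        return "EXPIRING", "medium"
    return "OK", "info"

def audit(inventory, now, warn_days=30):
    """Return one finding per certificate, worst severity first."""
    rank = {"critical": 0, "high": 1, "medium": 2, "info": 3}
    findings = []
    for entry in inventory:
        expires = ssl.cert_time_to_seconds(entry["notAfter"])  # UTC epoch seconds
        days_left = (expires - now.timestamp()) / 86400
        status, severity = classify(days_left, entry["role"], warn_days)
        findings.append({"name": entry["name"], "role": entry["role"],
                         "status": status, "severity": severity,
                         "days": round(days_left)})
    return sorted(findings, key=lambda f: rank[f["severity"]])

def blind_spots(findings):
    """Names of monitoring devices whose certificate has already lapsed."""
    return [f["name"] for f in findings
            if f["role"] == "monitoring" and f["status"] == "EXPIRED"]

if __name__ == "__main__":
    results = audit(INVENTORY, AUDIT_DATE)
    for f in results:
        print(f"{f['severity']:8} {f['status']:8} {f['days']:6d}d  {f['name']}")
    for name in blind_spots(results):
        print(f"blind spot: {name} has inspected nothing since its certificate lapsed")
```

Run against a real inventory, the `days` value on a `critical` finding tells you how long the inspection device has been blind, which is the figure an incident responder needs when scoping what traffic went unobserved.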
After exploiting the Struts vulnerability and securing access to the ACIS environment, attackers were able to run 9,000 queries, 265 of which returned datasets containing personally identifiable information (PII). It wasn't until July 29, 2017, 76 days after the attack started, that the company updated the certificate and noticed the suspicious web traffic.
None of the PII contained in the datasets was encrypted at rest, according to one part of the report, which cites a Digital Guardian blog that explains the difference between data at rest and data in transit.
By the numbers, the Equifax story is huge but in many ways it’s the same old story.
It’s a constant struggle for IT admins to block and tackle threats. Equifax had it even harder by being forced to work on a complex legacy IT system, originally built in the 1970s, that made it difficult to scan, patch, and modify effectively. The report points out that Equifax knew so little about its legacy system that its patch management policy relied on employees to know the source and version of all software running on certain applications so they could update each manually.
When it comes down to it, Equifax lacked a robust data security infrastructure, which opened the door to risk.
Credit reporting agencies, because of the large amount of sensitive personal data they process, should "have a heightened responsibility to protect consumer data by providing best-in-class data security," the report says, adding that all companies that hold sensitive consumer data, not just credit reporting agencies, need to implement modernized IT solutions.
What happened to Equifax could easily happen to any company. There is no silver bullet to entirely prevent data breaches like this but there are tools and data protection technologies that can ensure companies like Equifax are better prepared the next time this happens. Data loss prevention tools can provide visibility across the endpoint, regardless of where data resides, and help secure data at rest, in motion, and in use. With the right controls in place, it's likely data loss prevention could have helped prevent or reduce the amount of data exfiltrated and ultimately, the damage done.