Breach Notification , Incident & Breach Response , Managed Detection & Response (MDR)
Equifax Ex-CEO Blames 'Human Error, Tech Failures' for BreachRichard Smith Offers Explanation in Written Testimony Submitted to Congress
"Human error and technology failures" led to the massive Equifax breach, the company's former CEO says in written testimony submitted in advance of a Tuesday Congressional hearing.
"These mistakes - made in the same chain of security systems designed with redundancies - allowed criminals to access over 140 million Americans' data," says Richard Smith, the former CEO and chairman of the board at the embattled credit-reporting bureau in written testimony submitted to the House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection. The panel's hearing slated for Tuesday is one of three Congressional committee hearings at which Smith is set to testify this week (see Ousted Equifax CEO Faces 3 Congressional Hearings).
In his testimony, Smith provides the Congressional committee with a chronology of the incident.
On March 8, the Department of Homeland Security's Computer Emergency Readiness Team sent Equifax and others a notice of the need to patch a particular vulnerability in certain versions of Apache Struts software, which Equifax used in its online disputes portal, a website where consumers can dispute items on their credit report, he writes.
"On March 9, Equifax disseminated the U.S. CERT notification internally by email requesting that applicable personnel responsible for an Apache Struts installation upgrade their software," he notes in the testimony. "Consistent with Equifax's patching policy, the Equifax security department required that patching occur within a 48-hour time period. We now know that the vulnerable version of Apache Struts within Equifax was not identified or patched in response to the internal March 9 notification to information technology personnel."
On March 15, Equifax's information security department also ran scans that should have identified any systems that were vulnerable to the Apache Struts issue identified by U.S. CERT, he writes. "Unfortunately, however, the scans did not identify the Apache Struts vulnerability," he acknowledges. "Equifax's efforts undertaken in March 2017 did not identify any versions of Apache Struts that were subject to this vulnerability, and the vulnerability remained in an Equifax web application much longer than it should have. ... It was this unpatched vulnerability that allowed hackers to access personal identifying information."
Based on the investigation, Smith writes, it appears that the first date the attacker accessed sensitive information may have been on May 13, but the company was not aware of that access at the time. "Between May 13 and July 30, there is evidence to suggest that the attackers continued to access sensitive information, exploiting the same Apache Struts vulnerability. During that time, Equifax's security tools did not detect this illegal access."
On July 29, however, Equifax's security department observed suspicious network traffic associated with the consumer dispute website - where consumers could investigate and contest issues with their credit reports, he writes.
"In response, the security department investigated and immediately blocked the suspicious traffic that was identified," he says. The company's security department continued to monitor network traffic and observed additional suspicious activity on July 30. In response, they took the web application completely offline that day. "The criminal hack was over, but the hard work to figure out the nature, scope, and impact of it was just beginning.
"I was told about the suspicious activity the next day, on July 31, in a conversation with the CIO. At that time, I was informed that there was evidence of suspicious activity on our dispute portal and that the portal had been taken offline to address the potential issues. I certainly did not know that personal identifying information had been stolen, or have any indication of the scope of this attack."
On Aug. 2, Equifax retained a law firm and hired forensic consulting firm Mandiant to investigate the breach, and also alerted the FBI about the investigation. "Over the next several weeks, working literally around the clock, Mandiant and Equifax's security department analyzed forensic data seeking to identify and understand unauthorized activity on the network," Smith writes, then describing the next series of events. He confirms that the investigative team, by Sept. 4, had created a list of about 143 million consumers whose data apparently was stolen.
"I understand that Equifax kept the FBI informed of the progress and significant developments in our investigation, and felt it was important to notify the FBI before moving forward with any public announcement," Smith adds. The company announced the breach on Sept. 7.
Follow-On Security Steps
Describing security steps Equifax has taken in the wake of the breach, Smith writes: "In recent weeks, vulnerability scanning and patch management processes and procedures were enhanced. The scope of sensitive data retained in backend databases has been reduced so as to minimize the risk of loss. Restrictions and controls for accessing data housed within critical databases have been strengthened. Network segmentation has been increased. ... Additional web application firewalls have been deployed. ..."