Postmortem: Multiple Failures Behind the Equifax Breach76-Day Breach Slowly Exfiltrated Data From 51 Databases, GAO Report Reveals
Patch or perish. That's the short takeaway from the devastating data breach that swamped credit bureau Equifax last year.
A newly released report on the Equifax breach from the U.S. Government Accountability Office, titled "Data Protection: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach," provides new details into how the breach occurred and what Equifax could have done to have helped prevent or more rapidly mitigate it, centering on failures involving detection, segmentation and data governance (see Building an Effective Enterprisewide Security Program).
Equifax's latest count of breach victims includes at least 145.5 million U.S. consumers for whom PII was compromised. The credit bureau has also said that 15.2 million records pertaining to U.K. residents were exposed, putting 860,000 British consumers at risk, and said that 8,000 Canadian residents' personal details were also exposed.
5 Key Factors Contributed
The GAO report identifies five key factors that contributed to the breach: identification, detection, segmentation and data governance, as well as a failure to rate-limit database requests. If properly handled, any one of those areas might have enabled Equifax to have more quickly identified and contained the intrusion that led to the breach.
GAO says it conducted the review "to report on actions taken by Equifax and [federal] agencies in response to the breach" at the request of four lawmakers: Sen. Elizabeth Warren, D-Mass.; Sen. Ron Wyden, D-Ore.; Rep. Trey Gowdy, R-S.C.; and Rep. Elijah E. Cummings, D-Md.
"We did not independently assess Equifax's information security controls or the steps the company took to address identified factors that contributed to the ineffective implementation of those controls," GAO says. Instead, the independent, nonpartisan agency that conducts investigations for Congress says it analyzed documentation about the breach and also interviewed individuals at Equifax's three largest federal customers: the Internal Revenue Service, the Social Security Administration and the United States Postal Service.
Problem 1: Ineffective Identification
The U.S. Computer Emergency Readiness Team in March 2017 issued an alert that all Apache Struts implementations should be immediately patched. Equifax says it circulated this notice to its systems administrators.
"However, the recipient list for the notice was out of date and, as a result, the notice was not received by the individuals who would have been responsible for installing the necessary patch," GAO says (see Equifax Ex-CEO Blames One Employee For Patch Failures).
Equifax has also said that a routine scan conducted a week later, which searched for known vulnerabilities inside its network, had failed to flag the flaw in the Struts implementation that ran its online dispute portal (see Equifax's Colossal Error: Not Patching Apache Struts Flaw).
Problem 2: Poor Detection
Equifax had a security device that allowed it to inspect network traffic, but it wasn't working because a digital certificate it required had expired. "The certificate had expired about 10 months before the breach occurred, meaning that encrypted traffic was not being inspected throughout that period," GAO says. "As a result, during that period, the attacker was able to run commands and remove stolen data over an encrypted connection without detection."
Problem 3: No Segmentation
Equifax said it had failed to isolate its databases on different network segments (see Solve Old Security Problems First).
As a result, once the attackers breached Equifax's network, they were able to reach dozens of other databases. "The lack of segmentation allowed the attackers to gain access to additional databases containing PII, and, in addition to an expired certificate, allowed the attackers to successfully remove large amounts of PII without triggering an alarm," GAO says.
Problem 4: Poor Data Governance
Equifax was storing access credentials used by its administrators in an unencrypted format, when proper practice would have been to only store such information in a secure form, preferably with access restricted using multifactor authentication.
"The attackers gained access to a database that contained unencrypted credentials for accessing additional databases, such as usernames and passwords," GAO says. "This enabled the intruders to run queries on those additional databases."
Problem 5: No Query Limits
Equifax had no restrictions in place on database queries. As a result, the attacker was able "to execute approximately 9,000 such queries - many more than would be needed for normal operations" when exfiltrating the data, the GAO says.
Bonus Problem: Apache Struts
Although not included in the GAO's list of problems underpinning the Equifax breach, many security experts have said that Equifax's decision to use Apache Struts contributed to its problems.
Last month, the open source Apache Struts 2 project released an update that included a patch for a critical vulnerability that attackers could remote exploit to take full control of the application (see Apache Issues Emergency Struts Patch to Fix Critical Flaw).
In the wake of the vulnerability report, multiple information security experts repeated ongoing calls for organizations to stop using Struts.
"My advice would be to migrate to a different technology stack. I've managed numerous incidents where Struts was the vulnerable component that enabled unauthorized access to the underlying server," incident response expert David Stubley, who heads Edinburgh-based security testing firm and consultancy 7 Elements, told Information Security Media Group (see Apache Issues Emergency Struts Patch to Fix Critical Flaw).
Equifax Breach: One Year Later
One year after Equifax discovered its massive breach, what has changed for the credit bureau, which continues to collect information on more than 800 million individuals and over 88 million businesses worldwide?
The Consumer Financial Protection Bureau and the Federal Trade Commission, which as GAO notes "have regulatory and enforcement authority over consumer reporting agencies," launched investigations into the breach in September 2017, and these have yet to conclude, GAO says.
But in February, news reports suggested that the CFPB had put its Equifax investigation on ice and scaled back its broader credit bureau probes.
In May, meanwhile, the FTC hired attorney Andrew Smith to run its Bureau of Consumer Protection. While Smith had previously worked at the FTC, he most recently worked for a law firm that represented Equifax, and he testified before the Senate last year on behalf of the credit bureau. He has promised to recuse himself from any investigations that involve companies for which he has worked.
On the Capitol Hill front, probes by Congress into Equifax, and more broadly into how credit bureaus handle PII, have led to no new consumer protections (see Cynic's Guide to the Equifax Breach: Nothing Will Change).
In June, however, Equifax reached a voluntary consent order with banking regulators in eight states - Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina and Texas - requiring that it put specific data security enhancements in place. By complying with the consent order, Equifax will avoid state fines. The credit bureau said it had already put many of the new requirements in place.
Equifax Timeline: Breach and Response
Based in part of the GAO's report, as well as information shared by Equifax with lawmakers, here is a selection of notable dates concerning Equifax's data breach as well as its response.
- May 2016: Digital certificate for network scanning tool used by Equifax expires, leaving it unable to inspect encrypted traffic for signs of malicious activity.
- March 8, 2017: US-CERT issues alert about Apache Struts 2, advising all organizations to install a patch to fix a newly discovered vulnerability that would allow attackers to remotely execute commands and take control of the web application framework. Apache releases the patch on the same day.
- March 10: Equifax gets probed. "Unidentified individuals scanned the company's systems to determine if the systems were susceptible" to the Struts flaw, GAO says. "As a result of this scanning, the unidentified individuals discovered a server housing Equifax's online dispute portal that was running a version of the software that contained the vulnerability." Using some type of apparently automated vulnerability exploit software, "the unidentified individuals subsequently gained unauthorized access to the Equifax portal and confirmed that they could run commands," but stole no data, GAO says.
- May 13: Starting that day and lasting until July 30 - a nearly 80-day period - attackers queried 51 Equifax databases, extracting "records containing the PII of at least 145.5 million consumers in the U.S. and nearly 1 million consumers outside of the U.S.," GAO says, but doing so "in small increments to help avoid detection." The attackers encrypted their communications to help disguise their activities.
- July 29: After obtaining a new digital certificate for a tool that scans encrypted network traffic for signs of malicious activity, Equifax's security team detects unusual activity and blocks it.
- July 30: Equifax's security team detects further unusual activity and takes the Apache Struts portal offline.
- Aug. 2: Equifax hires cybersecurity firm Mandiant to investigate the breach and alerts the FBI.
- Aug. 7: Equifax issues first public data breach notification.
- Sept. 7: The company launches "www.equifaxsecurity2017.com" website, after having registered it on Aug. 22, to handle consumers' queries. The website, because it is not hosted on the official equifax.com domain, gets mistaken as a phishing site by some security firms. Equifax says it believes 143 million U.S. consumers' PII was stolen, including dispute documents for 209,000 consumers, which contained PII for approximately 182,000 consumers. It says PII for U.K. and Canadian consumers was also exposed.
- Sept. 15: Equifax's CIO and CSO "retire."
- Sept. 26: Richard Smith, Equifax's CEO, likewise "retires." Smith later appears on Capitol Hill to answer extensive questions from lawmakers about the breach.
- Sept. 28: Equifax interim CEO Paulino do Rego authors an op-ed in the Wall Street Journal apologizing for the breach and promising stronger consumer protection services.
- Oct. 2: Equifax wraps up its initial investigation, reporting that investigators have found that attackers also accessed PII for 2.5 million more U.S. consumers, and revising U.S. breach victim count from 143 million to at least 145.5 million.
- Feb. 12, 2018: Equifax announces the hiring of a new CISO: Jamil Farshchi, who comes from Home Depot.
- March 1: Equifax identifies about 2.4 million U.S. consumers whose names and partial driver's license information were stolen. It says some of these individuals were already included in the count of 145.5 million breach victims, but as of August 2018, it had yet to determine a final count.