Introduction
Equifax is based in Atlanta, Georgia and was founded in 1899 as the Retail Credit Company.[1] It is one of the three major U.S. credit reporting agencies (CRAs), alongside Experian and TransUnion. Like the other large CRAs, Equifax gathers consumer data, analyzes it to produce credit scores and detailed credit reports, and sells those reports to third parties; it also sells credit monitoring and fraud-prevention services directly to consumers. Consumers do not voluntarily provide information to CRAs, nor can they opt out of the collection. Although CRAs provide a service by facilitating information sharing for financial transactions, they do so by amassing large amounts of sensitive personal data, which makes them a high-value target for cyber criminals.[2] Consequently, CRAs have a heightened responsibility to protect consumer data with best-in-class security.
In 2005, then Equifax Chief Executive Officer (CEO) Richard Smith embarked on an aggressive growth strategy, acquiring multiple companies along with their information technology (IT) systems and data. The strategy was good for Equifax's bottom line and stock price, but it also made Equifax's IT environment more complex and expanded its data security risk. In August 2017, three weeks before Equifax publicly announced the breach, Smith boasted that Equifax was managing "almost 1,200 times" the amount of data held in the Library of Congress every day.[3] Equifax, however, had not implemented a security program adequate to protect that data. As a result, it suffered one of the largest data breaches in U.S. history. The breach was entirely preventable.
Data Breach
Equifax initially reported that the breach affected approximately 143 million Americans.[4] The figure was later revised to 146.6 million, roughly 44 percent of the U.S. population.[5] The stolen information ranged from full names and dates of birth to Social Security numbers and driver's license numbers.[6] A survey conducted by CreditCards.com found that "twenty percent of all respondents have heard little or nothing about the Equifax breach, including 46 percent of those aged 18-37" and that 50 percent of surveyed adults did not check their credit scores and reports after the breach.[5]
History of mistakes
On 28 October 2015, Equifax's cybersecurity division reported the findings of an audit of its security practices and infrastructure. The audit identified three failings.[7] First, Equifax had left more than 7,500 known critical vulnerabilities unaddressed on its internal systems, contrary to its own policy of remediating critical issues within 48 hours. Second, Equifax did not maintain a comprehensive inventory of its IT assets, so it did not know exactly what software was running across its infrastructure. Third, Equifax was not proactive in applying patches or in verifying that they had been applied; patches were installed only when a team became aware of a specific threat.
Data breach timeline
On 6 March 2017, Apache disclosed a critical vulnerability in Apache Struts and released a patch. On 8 March 2017, the Department of Homeland Security's US-CERT alerted Equifax to it.[8] On 9 March 2017, Equifax sent an internal email to a roughly 400-person distribution list instructing administrators to apply the patch to any vulnerable system. The list did not include the developer who knew that Equifax's dispute portal ran Apache Struts; it did include that developer's manager, who failed to pass the alert on to the team.[7]
On 15 March 2017, Equifax's information security department ran a system-wide scan for the vulnerability but found no systems that ran the affected Struts versions or needed immediate patching.[8] The scan missed the Automated Consumer Interview System (ACIS), which did run Apache Struts. Equifax's Global Threat and Vulnerability Management team mentioned the Struts vulnerability twice in a presentation and held monthly meetings on cyber threats and vulnerabilities, but senior managers did not routinely attend those meetings and follow-up was limited.
From 13 May 2017 until 30 July 2017, attackers used the unpatched vulnerability to reach 48 unrelated databases, running roughly 9,000 queries and harvesting additional administrative login credentials along the way.[8][9] The intrusion ended on 30 July when Equifax took the vulnerable web portal offline after observing "suspicious traffic". On 31 July, the Chief Information Officer informed the Chief Executive Officer of the incident.
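The inventory gap described above is exactly what a software-composition check is meant to close: a scan that only looks at shared library directories will not see a framework jar packed inside a deployed web application. The following Python script is an added example written for this page, not code from Equifax or from the cited reports. It walks a directory tree, finds struts2-core jars both loose on disk and inside WAR/EAR archives, and flags versions in the ranges affected by the March 2017 Struts flaw (2.3.5 through 2.3.31 and 2.5 through 2.5.10; fixed in 2.3.32 and 2.5.10.1). The directory layout built by build_sample_tree() is constructed sample data, and the jar-naming convention is an assumption: renamed or shaded jars would need a check of the archive manifest or class contents instead.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path
from typing import List, Tuple

# Matches the stock Struts core artifact name, e.g. struts2-core-2.3.31.jar
# (naming convention is an assumption; renamed or shaded jars are not covered).
STRUTS_CORE_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")

# Versions affected by the March 2017 flaw (Apache advisory S2-045, CVE-2017-5638):
# 2.3.5 through 2.3.31 and 2.5 through 2.5.10. Fixed in 2.3.32 and 2.5.10.1.
VULNERABLE_RANGES = (
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5), (2, 5, 10)),
)


def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version: str) -> bool:
    v = parse_version(version)
    # Tuple comparison ranks 2.5.10.1 above 2.5.10, so the patch release falls outside the range.
    return any(low <= v <= high for low, high in VULNERABLE_RANGES)


def scan_tree(root: str) -> List[Tuple[str, str, bool]]:
    """Return (location, version, vulnerable) for every struts2-core jar under root,
    including jars packed inside .war/.ear archives, where Struts usually lives."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        m = STRUTS_CORE_RE.match(path.name)
        if m:
            findings.append((str(path), m.group(1), is_vulnerable(m.group(1))))
        elif path.suffix in (".war", ".ear") and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as archive:
                for entry in archive.namelist():
                    m = STRUTS_CORE_RE.match(os.path.basename(entry))
                    if m:
                        findings.append((f"{path}!{entry}", m.group(1), is_vulnerable(m.group(1))))
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed sample layout: two patched jars on disk and one vulnerable jar
    buried inside a deployed WAR, which a sweep of lib/ directories alone would miss."""
    root = tempfile.mkdtemp(prefix="struts-inventory-")
    shared = Path(root, "tomcat", "lib")
    shared.mkdir(parents=True)
    (shared / "struts2-core-2.5.10.1.jar").write_bytes(b"")
    webapps = Path(root, "tomcat", "webapps")
    webapps.mkdir()
    with zipfile.ZipFile(webapps / "acis.war", "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.3.31.jar", b"")
        # plugin jar with the same version: not struts2-core, so correctly ignored
        war.writestr("WEB-INF/lib/struts2-convention-plugin-2.3.31.jar", b"")
    legacy = Path(root, "opt", "legacy", "lib")
    legacy.mkdir(parents=True)
    (legacy / "struts2-core-2.3.32.jar").write_bytes(b"")
    return root


if __name__ == "__main__":
    for location, version, vulnerable in scan_tree(build_sample_tree()):
        print(f"{'VULNERABLE' if vulnerable else 'ok':10} {version:10} {location}")
```

Run against a real server the script would take the filesystem root of each application host as its argument instead of the constructed tree; the point is that the version ranges are applied to what is actually deployed, not to what an asset register says is deployed.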
Backend technology behind Equifax leak
Equifax's Automated Consumer Interview System (ACIS), a consumer dispute portal originally built in the 1970s, was the attackers' entry point. Its web front end ran Apache Struts, which contained the vulnerability.[8]
Apache Struts is an open source framework for building Java web applications and is widely deployed, including on banking platforms and at Equifax.[10] The March 2017 flaw (tracked as CVE-2017-5638) let an unauthenticated attacker inject an Object-Graph Navigation Language (OGNL) expression through a crafted Content-Type header; Struts evaluated the expression on the server, so the attacker could run arbitrary operating system commands with the privileges of the web server process. Attacks observed in the wild used this to stop host firewall services and to download and execute malware, giving the attackers full control of the web server.[11]
On 6 March 2017, Apache disclosed the vulnerability and released a fixed Struts version. Once the advisory was public, it was the responsibility of each organization running Struts to identify its affected systems and apply the update.
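To make the attack path concrete, the following Python script is an added example written for this page, not code from Equifax, Apache or the cited sources. It implements the kind of Content-Type validation Apache recommended as an interim Servlet-filter workaround for this flaw (reject any request whose Content-Type is not a well-formed media type) and runs it as a detector over a constructed request log. The two injection lines are representative, deliberately truncated fragments, not a working exploit; the log format, field names and OGNL marker list are assumptions for the example. Note the last sample line: a merely malformed but harmless header is also rejected, which is the intended behaviour for a filter but a false positive for a detector.

```python
import re
from typing import Dict, List, Tuple

# Substrings that occur in OGNL expressions but never in a legitimate media type.
# (this signature list is an assumption for the example, not an exhaustive catalogue)
OGNL_MARKERS = (
    "%{", "${", "#_memberAccess", "@ognl.OgnlContext",
    "java.lang.ProcessBuilder", "java.lang.Runtime",
)

# RFC 7230/7231 grammar: media-type = type "/" subtype *( OWS ";" OWS parameter ).
# tchar excludes "{", "}", "(", ")" and whitespace, all of which an OGNL expression
# needs, so a strict parse rejects injection even without a signature match.
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"[^"]*"'
_PARAM = rf"{_TCHAR}=(?:{_TCHAR}|{_QUOTED})"
MEDIA_TYPE_RE = re.compile(rf"^{_TCHAR}/{_TCHAR}(?:[ \t]*;[ \t]*{_PARAM})*[ \t]*$")


def validate_content_type(value: str) -> Tuple[bool, str]:
    """Return (accepted, reason). A request whose Content-Type fails this check
    should be dropped before it reaches the multipart parser."""
    hits = [m for m in OGNL_MARKERS if m in value]
    if hits:
        return False, "OGNL marker(s) in Content-Type: " + ", ".join(hits)
    if not MEDIA_TYPE_RE.match(value):
        return False, "not a syntactically valid media type"
    return True, "ok"


# Constructed sample log: tab-separated timestamp, source IP, method, path, Content-Type.
# Lines 4 and 5 are truncated, non-functional injection fragments; line 6 is malformed but benign.
SAMPLE_LOG = (
    "2017-03-09T10:11:12Z\t203.0.113.5\tPOST\t/acis/dispute.action\tmultipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk\n"
    "2017-03-09T10:11:15Z\t203.0.113.5\tPOST\t/acis/login.action\tapplication/x-www-form-urlencoded\n"
    "2017-03-09T10:12:01Z\t198.51.100.7\tPOST\t/acis/upload.action\ttext/plain; charset=utf-8\n"
    "2017-03-09T10:12:44Z\t192.0.2.66\tPOST\t/acis/dispute.action\t%{(#_='multipart/form-data').(#cmd='id').(#p=new java.lang.ProcessBuilder(#cmd)).(#p.start())}\n"
    "2017-03-09T10:12:45Z\t192.0.2.66\tPOST\t/acis/dispute.action\t${(#_memberAccess['allowStaticMethodAccess']=true).(@java.lang.Runtime@getRuntime().exec('id'))}\n"
    "2017-03-09T10:13:09Z\t198.51.100.9\tPOST\t/acis/upload.action\ttext/html charset=utf-8\n"
)


def scan_log(text: str) -> List[Dict[str, object]]:
    """Apply the validator to every well-formed log line and report the verdicts."""
    results = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # not in the assumed five-field format; skip it
        ts, src, method, path, ctype = fields
        ok, reason = validate_content_type(ctype)
        results.append({"time": ts, "src": src, "method": method, "path": path,
                        "ok": ok, "reason": reason})
    return results


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        if not r["ok"]:
            print(f"{r['time']} {r['src']} {r['path']}: {r['reason']}")
```

The grammar check is the part worth keeping: it generalises past the specific payloads circulating in March 2017 because any OGNL expression needs characters that a media type cannot contain. It is still only a stopgap; the fix is upgrading Struts to a patched version.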
Actions Following the Data Breach
Slow Press Release
Once the CEO had been informed, Equifax retained the security firm Mandiant in August 2017 to investigate the breach and determine its extent. Mandiant also helped draft the public announcement released on 7 September 2017. That release came nearly four months after the intrusion began and told the public that roughly 143 million Americans, about 44 percent of the population, were affected.[4] The delay sparked outrage and renewed calls in Congress and state legislatures for a national data breach notification law.
Internal Project Sierra and Project Sparta
During the Mandiant investigation, Equifax ran its internal response as two compartmentalized projects. Project Sierra covered the "overall response to the attack."[12] Under Project Sparta, Equifax employees were told only that "they were working for an unnamed client that had experienced a large data breach,"[12] and were given no information about the victims. Both projects were in fact for Equifax itself. The secrecy later contributed to employee misconduct.
Cases of insider trading
Jun Ying was Chief Information Officer (CIO) of Equifax's US Information Solutions division and was reportedly next in line to become global CIO. The SEC charged him with "violating antifraud provisions of the federal securities laws" and sought "disgorgement of ill-gotten gains plus interest, penalties, and injunctive relief."[13] Before the breach was announced, Ying exercised his vested stock options and sold the shares, realizing nearly $1 million in proceeds and avoiding losses of more than $117,000.[14]
Sudhakar Reddy Bonthu was a software product development manager who worked on Project Sparta. Although employees on that project were not told who the client was, Bonthu worked out from the information he handled that Equifax itself was the victim. He too was charged with insider trading for buying and selling Equifax options through his wife's brokerage account before the breach was announced,[15] earning about $75,000 once the stock fell after the announcement.[15]
US Government Review
Government Accountability Office
To address the weak boundary protections that had allowed the attackers to reach internal databases, Equifax added controls at its external network boundary to monitor communications and further restricted traffic between internal servers.[16] Equifax also made broader programmatic changes. One was to change the reporting line of the new Chief Information Security Officer (CISO), who now reports directly to the CEO so that top management has greater visibility into cybersecurity risk.
Securities and Exchange Commission
In a statement for the record filed with the SEC, Equifax said that, based on its own analysis, it believed it had satisfied the applicable requirements to notify consumers and regulators.[6] Between October and December 2017, Equifax notified by mail the consumers who had uploaded documents to the dispute portal. Each notice was individualized, listing the specific files the consumer had uploaded to the portal and the dates of those uploads.[6]
Congressional Investigation
House Democratic Report
A report prepared by the Democratic staff of the House Committees on Oversight and Government Reform and on Science, Space, and Technology proposed four key legislative reforms intended to prevent similar breaches:[16]
- Hold federal financial regulatory agencies accountable for their consumer protection oversight responsibilities
- Require federal contractors to comply with established cybersecurity standards and guidance from the National Institute of Standards and Technology (NIST)
- Establish high standards for how data breach victims should be notified
- Strengthen the ability of the Federal Trade Commission (FTC) to levy civil penalties for private sector violations of consumer data security requirements
House Republican Report
The Republican staff on the House Oversight Committee found that had Equifax taken action to address its security issues prior to this cyberattack, the data breach could have been prevented. The Republican staff then proposed seven recommendations that the government should adopt:[8]
- Empower consumers through transparency
- Review sufficiency of FTC oversight and enforcement authorities
- Review effectiveness of identity monitoring and protection services offered to breach victims
- Increase transparency of cyber risk in private sector
- Hold federal contractors accountable for cybersecurity with clear requirements
- Reduce use of social security numbers as personal identifiers
- Implement modernized IT solutions
Senate Legislation Proposals
On 10 January 2018, Senator Elizabeth Warren introduced S.2289, the Data Breach Prevention and Compensation Act of 2018. The bill establishes civil penalties for violations and directs the FTC to enforce compliance. It would create an Office of Cybersecurity within the FTC authorized to:[17]
- investigate a consumer reporting agency's compliance with data security regulations following any data breach, and
- enjoin a consumer reporting agency from violating those regulations.
Professionalism and Ethics
As the volume and sensitivity of personal data grow, Equifax became the latest company to disclose a large-scale data security failure, having exposed the data of millions of Americans to attackers with little resistance. With more user data captured and stored by companies worldwide, often without users' consent, the responsibility of those companies to protect their customers, and to inform them promptly when protection fails, deserves emphasis.
Management failures at Equifax led to one of the largest data breaches in United States history. Its inability to maintain accountability is an error that other organizations can learn from: management cannot assume an issue has been addressed without proper follow-up and verification.
Employees are responsible for staying informed on the practices their roles require. Equifax's software developers who used Apache Struts should have been alert to the vulnerabilities that come with incorporating third-party software into their infrastructure, and should have tracked the framework's security advisories.
Company executives hold great influence over a company's decisions, largely because of the insights they are privy to. Customers expect those insights to be used to grow the company and its user base, not to line the pockets of insiders at the customers' expense, as two Equifax insiders did. Richard R. Best, Director of the SEC's Atlanta Regional Office, said: "Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit."[13]
References
- [1] Equifax Inc. Company Profile. Retrieved 5 May 2019. https://www.equifax.com/about-equifax/company-profile/
- [2] After the Breach: The Monetization and Illicit Use of Stolen Data: Hearing Before the Subcomm. on Terrorism & Illicit Finance of the H. Comm. on Financial Servs., 115th Cong. (2018) (testimony of Lillian Ablon, RAND Corporation).
- [3] Terry College of Business at the University of Georgia (22 August 2017). Rick Smith, CEO, Equifax [video]. Retrieved 5 May 2019. https://www.youtube.com/watch?v=lZzqUnQg-Us
- [4] Equifax Inc. (7 September 2017). Equifax Announces Cybersecurity Incident Involving Consumer Information. Retrieved 5 May 2019. https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628
- [5] Kennedy, Merrit (1 March 2018). Equifax Says 2.4 Million More People Were Impacted By Huge 2017 Breach. NPR. Retrieved 4 May 2019. https://www.npr.org/sections/thetwo-way/2018/03/01/589854759/equifax-says-2-4-million-more-people-were-impacted-by-huge-2017-breach
- [6] Equifax Inc. Equifax's Statement for the Record Regarding the Extent of the Cybersecurity Incident Announced on September 7, 2017. Retrieved 5 May 2019. https://www.sec.gov/Archives/edgar/data/33185/000119312518154706/d583804dex991.htm
- [7] Portman, R., & Carper, T. (March 2019). How Equifax Neglected Cybersecurity and Suffered a Devastating Data Breach. U.S. Senate Permanent Subcommittee on Investigations. Retrieved 5 May 2019. https://www.carper.senate.gov/public/_cache/files/5/0/508a6447-853f-4f41-85e8-1927641557f3/D5CFA4A0FC19997FF41FB3A5CE9EB6F7.equifax-report-3.6.19.pdf
- [8] U.S. House Committee on Oversight and Government Reform (December 2018). The Equifax Data Breach: Majority Staff Report. Retrieved 5 May 2019. https://republicans-oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf
- [9] Equifax Inc. (15 September 2017). Equifax Releases Details on Cybersecurity Incident, Announces Personnel Changes. Retrieved 5 May 2019. https://investor.equifax.com/news-and-events/news/2017/09-15-2017-224018832
- [10] Schwartz, Mathew (23 August 2018). Apache Issues Emergency Struts Patch to Fix Critical Flaw. BankInfoSecurity, Information Security Media Group. Retrieved 5 May 2019. https://www.bankinfosecurity.com/apache-struts-issues-emergency-patch-to-fix-critical-flaw-a-11412
- [11] Goodin, Dan (9 March 2017). Critical vulnerability under "massive" attack imperils high-impact sites [Updated]. Ars Technica, Condé Nast. Retrieved 5 May 2019. https://arstechnica.com/information-technology/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/
- [12] Brewster, Thomas (14 March 2018). How Equifax Kept Its Mega Breach Secret From Its Own Staff. Forbes. Retrieved 5 May 2019. https://www.forbes.com/sites/thomasbrewster/2018/03/14/how-equifax-kept-its-mega-breach-secret-from-its-own-staff/
- [13] U.S. Securities and Exchange Commission (14 March 2018). Former Equifax Executive Charged With Insider Trading. Press release 2018-40. Retrieved 5 May 2019. https://www.sec.gov/news/press-release/2018-40
- [14] Brumback, Kate (7 March 2019). Former Equifax executive pleads guilty to insider trading tied to massive 2017 data breach. USA Today. Retrieved 5 May 2019. https://www.usatoday.com/story/money/2019/03/07/equifax-data-breach-former-executive-pleads-guilty-insider-trading/3095802002/
- [15] Brumback, Kate (28 June 2018). Ex-Equifax Software Developer Charged With Insider Trading. Bloomberg. Retrieved 5 May 2019. https://www.bloomberg.com/news/articles/2018-06-28/ex-equifax-software-developer-charged-with-insider-trading
- [16] U.S. House Committee on Oversight and Government Reform, Democratic staff (10 December 2018). What the Next Congress Should Do to Prevent a Recurrence of the Equifax Data Breach (Minority Report). Washington, DC. https://oversight.house.gov/sites/democrats.oversight.house.gov/files/Equifax%20Minority%20Report%20-%20FINAL%2012-10-2018.pdf
- [17] Data Breach Prevention and Compensation Act of 2018, S. 2289, 115th Cong. (2018). https://www.congress.gov/bill/115th-congress/senate-bill/2289