'Culture of cybersecurity complacency' blamed for 2017 Equifax hack

A new congressional report states that Equifax executives knew about critical security flaws months before they discovered they had been hacked, but did little to address the problems.


A new congressional report blamed the 2017 breach at Equifax that compromised information on 148 million Americans on a "culture of cybersecurity complacency" at the credit reporting company.

The report, from the Republican staff at the House Oversight and Government Reform Committee, stated that the failure of Equifax officials to follow "an adequate security program" contributed to the breach.

For example, after the company learned of a major Apache Struts software flaw in March 2017, Equifax failed to fully patch every affected system. It also left unencrypted usernames and passwords on the network that hackers found and used to gain broader access.

A high-level executive, Vice President and CIO for Global Corporate Platforms Graeme Payne, was notified about the Apache Struts vulnerability, but he failed to alert others in the company. Payne was later terminated, while CIO David Webb and Chief Security Officer Susan Mauldin announced their early retirements just days after disclosing the breach publicly.

"Equifax failed to fully appreciate and mitigate its cybersecurity risks," the report read. "Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented."

Perhaps most damning: the attack, which went on for 76 days and included thousands of data queries by the attackers, could have been discovered much earlier if Equifax had been monitoring network traffic for the affected system. However, the device designed to do so failed because it had been running with an expired SSL security certificate for 19 months.

According to the report, Equifax executives "updated the expired certificate and immediately noticed suspicious web traffic" coming from an IP address in China. Only then did the company kick off an incident response effort.

The report blamed a lack of accountability and unclear lines of authority over IT management, which resulted in hundreds of expired security certificates and an overly complex IT environment driven by custom-software solutions.
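The two failures above, a traffic-inspection device blind for 19 months behind an expired certificate and hundreds of other expired certificates across the estate, are both inventory problems. The following script is an added example, not code from the report or from Equifax: it audits a constructed list of certificate expiry dates in the `notAfter` format OpenSSL prints (and that Python's `SSLSocket.getpeercert()` returns), flags expired and soon-to-expire entries, and orders them by urgency. Device names, dates and the audit date are all hypothetical.

```python
import ssl
import datetime as dt

# Constructed inventory of certificates on network-monitoring devices.
# Device names and notAfter dates are hypothetical; they are not from the report.
# The notAfter string uses the format OpenSSL prints and getpeercert() returns.
INVENTORY = [
    {"device": "ids-sensor-01", "not_after": "Jan 31 12:00:00 2016 GMT"},
    {"device": "ids-sensor-02", "not_after": "Aug 20 12:00:00 2017 GMT"},
    {"device": "proxy-tls-inspect", "not_after": "Dec 31 12:00:00 2018 GMT"},
]

# Constructed reference date for the audit (not a date taken from the report).
AUDIT_DATE = dt.datetime(2017, 7, 29, 12, 0, 0, tzinfo=dt.timezone.utc)


def cert_status(not_after: str, now: dt.datetime, warn_days: int = 30) -> dict:
    """Classify one certificate by its notAfter date.

    Returns the state ("expired", "expiring", "ok") and the signed number of
    days until expiry (negative when the certificate has already lapsed).
    """
    # ssl.cert_time_to_seconds parses the OpenSSL date format into epoch seconds.
    expiry = dt.datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_after), tz=dt.timezone.utc
    )
    days_left = (expiry - now).days
    if days_left < 0:
        state = "expired"
    elif days_left <= warn_days:
        state = "expiring"
    else:
        state = "ok"
    return {"state": state, "days_left": days_left}


def audit(inventory, now=AUDIT_DATE, warn_days=30):
    """Return the devices that need attention, most urgent first.

    An expired certificate on an inspection device is a visibility outage,
    not a hygiene warning: the report describes a device that silently
    stopped doing its job once its certificate lapsed, so expired entries
    sort to the top and the days_left value shows how long it has been blind.
    """
    findings = []
    for entry in inventory:
        status = cert_status(entry["not_after"], now, warn_days)
        if status["state"] != "ok":
            findings.append({"device": entry["device"], **status})
    findings.sort(key=lambda f: f["days_left"])
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f['device']:20s} {f['state']:9s} {f['days_left']:+d} days")
```

Run against the constructed data, the expired sensor reports 545 days overdue and sorts first, ahead of the device with 22 days left. In practice the inventory would be populated from the devices themselves (for example from `getpeercert()["notAfter"]` over a management connection) and the audit scheduled, so that an expired certificate on a monitoring device surfaces as an alert rather than as a nineteen-month gap in coverage.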

Equifax released a statement disputing some points made in the House report, as well as some of the information the committee presented as factual, and said it was "disappointed" because the committee gave it only a few hours to review the report in advance of its release.

"While we believe that factual errors serve to undermine the content of the report, we are generally supportive of many of the recommendations the Committee laid out for the government and private industry to better protect consumers, and have already made significant strides in many of these areas," the statement read in part.

Specifically, Equifax was critical of the House report for quoting a draft Government Accountability Office review of the breach, rather than the final version, and disputed the description of a piece of internal Equifax technology that was targeted in the breach. The company is still reviewing the report, a spokesperson told FCW.

Poster child for data privacy

Due to the size and scope of the Equifax breach, as well as the fact high-level executives sold off stock prior to alerting the public, the event has become something of a poster child for those demanding comprehensive federal legislation around data breach notification rules. Some members of Congress have even called for laws that would impose jail time on high-level executives who fail to prevent large breaches or mislead the Federal Trade Commission.

The Democratic staff of the Oversight panel and the House Science, Space and Technology Committee released their own seven-page report, calling for data breach notification legislation and congressional mandates for companies like Equifax to report to the Bureau of Consumer Financial Protection on their efforts to safeguard sensitive data. They also recommend strengthening the FTC's civil penalty enforcement authority and requiring federal contractors to comply with cybersecurity guidelines set out by the National Institute of Standards and Technology.

"This was a missed opportunity to convert the Committees' oversight efforts into concrete reforms that would help prevent future data breaches, hold companies accountable, and protect American consumers and their sensitive personal information," said Reps. Elijah Cummings (D-Md.) and Eddie Bernice Johnson (D-Texas), the ranking Democrats on both committees, in a statement.