US Senate attacks lax Equifax cybersecurity defences
The US Senate has pulled no punches in its criticism of Equifax’s 2017 data breach and cybersecurity defences.
Back in 2017, information specialist Equifax suffered a breach that potentially affected around 146 million US consumers.
It said criminals exploited a US website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorised access occurred from mid-May through July 2017.
In May last year, Equifax submitted a letter to several US Congressional committees providing additional detail on the data elements impacted by the incident.
For example, social security numbers, address information and 209,000 payment cards (number and expiry date) were all exposed.
In the latest chapter, the Senate has released its 71-page investigation, subtly titled: “How Equifax neglected cybersecurity and suffered a devastating data breach”.
The report is incredibly repetitive and not happy reading for Equifax.
In one instance, it states that the firm “failed to prioritise cybersecurity”. It also records that the firm waited six weeks before going public with the breach.
The report explains: “Equifax had no standalone written corporate policy governing the patching of known cyber vulnerabilities until 2015. After implementing this policy, Equifax conducted an audit of its patch management efforts, which identified a backlog of over 8,500 known vulnerabilities that had not been patched.
“This included more than 1,000 vulnerabilities the auditors deemed critical, high, or medium risks that were found on systems that could be accessed by individuals from outside of Equifax’s information technology networks. The audit report concluded, among other things, that Equifax did not abide by the schedule for addressing vulnerabilities mandated by its own patching policy.”
The “Apache Struts” vulnerability that led to the breach was “widely known” from a public alert in March 2017, yet Equifax didn’t pick it up. The report notes that Equifax’s two largest competitors, TransUnion and Experian, avoided being breached.
The whole report is one long criticism, so there is neither space (nor desire) to cite it all.
Its recommendations include Congress passing legislation that establishes a national uniform standard, and legislation requiring private entities that suffer a data breach to notify affected consumers, law enforcement and the appropriate federal regulatory agency “without unreasonable delay”.
You can read the full report here.