A new House Oversight Committee report released Monday says the Equifax data breach was ‘entirely preventable’. The breach, disclosed in September 2017, affected about 148 million people, nearly half the population of the U.S.
In its 14-month investigation the House committee determined that Equifax itself was to blame for the breach. The committee reviewed more than 122,000 pages of documents, interviewed three former Equifax employees, met with current Equifax employees, and met with the cybersecurity experts Equifax hired for its own investigation.
The committee concluded:
“[Equifax] failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable.”
Equifax has faced few repercussions since the incident, and its leadership initially blamed the breach on a single technician. The report also found that former chief executive Richard Smith did not handle the breach appropriately; he retired on September 26, after the incident. The CIO and CSO also took early retirement, eight days after the public disclosure.
The House found that Equifax failed to fully patch its systems after the Apache Software Foundation publicly disclosed a critical vulnerability in Apache Struts on March 7, 2017. Equifax ran this software on legacy systems. The company held a meeting about the vulnerability on March 16, but did not fully patch every system that contained it. Attackers first accessed the vulnerable system on May 13, 2017 and kept going for 76 days, running roughly 9,000 queries across 48 databases, 265 of which returned unencrypted PII. Equifax did not notice the queries until July 29, because the certificate on the device that inspects encrypted traffic had expired, so the attackers' traffic passed through uninspected.
The committee stated the following:
“Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented.”
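Two of the failures described above, patches left incomplete long after the advisory and an expired certificate on the inspection path, are the kind of thing a routine control audit should surface. The script below is an added example, not code from the House report, from Equifax or from LIFARS: it runs over a constructed asset inventory (hosts, versions and dates are invented), treats the fixed releases the Struts project published for the March 7, 2017 advisory (2.3.32 and 2.5.10.1) as inputs to confirm against the vendor advisory, and assumes a two-day patch SLA for critical vulnerabilities as an illustrative policy value. It also shows why version strings must be compared numerically: lexically, "2.3.5" sorts above "2.3.32", which would mark an old build as patched.

```python
"""Patch-lag and inspection-certificate audit over a constructed asset inventory.

Added example, not code from the House report, Equifax or LIFARS. It flags two of
the failures described above: Struts installs still below the fixed release some
days after the advisory, and an expired certificate on the TLS inspection path.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    host: str
    struts_version: str   # version string reported by the host's inventory agent
    cert_not_after: date  # notAfter of the certificate on the TLS inspection device


# Fixed releases published for the March 7, 2017 Struts advisory, keyed by release
# line. Treat these as inputs to confirm against the vendor advisory for your case.
FIXED_RELEASES = {(2, 3): "2.3.32", (2, 5): "2.5.10.1"}
ADVISORY_DATE = date(2017, 3, 7)


def parse_version(version: str) -> tuple[int, ...]:
    """'2.3.32' -> (2, 3, 32). Numeric tuples compare correctly; plain strings do
    not ('2.3.5' > '2.3.32' lexically, which would mark an old build as patched)."""
    return tuple(int(part) for part in version.split("."))


def is_patched(version: str) -> bool:
    """True only if the version is at or above the fixed release for its line.
    Unknown lines are reported as unpatched rather than silently passing."""
    parsed = parse_version(version)
    fixed = FIXED_RELEASES.get(parsed[:2])
    if fixed is None:
        return False
    return parsed >= parse_version(fixed)


def audit(assets: list[Asset], today: date, sla_days: int) -> list[tuple[str, str, int]]:
    """Return (host, finding, days) for each control failure.

    'unpatched'    -> days since the advisory, reported once the SLA has lapsed
    'cert_expired' -> days the inspection certificate has been expired
    """
    findings = []
    lag = (today - ADVISORY_DATE).days
    for asset in assets:
        if not is_patched(asset.struts_version) and lag > sla_days:
            findings.append((asset.host, "unpatched", lag))
        if asset.cert_not_after < today:
            findings.append((asset.host, "cert_expired", (today - asset.cert_not_after).days))
    return findings


# Constructed inventory for the example; hosts, versions and dates are invented.
INVENTORY = [
    Asset("web-legacy-01", "2.3.30", date(2016, 1, 31)),  # old build, long-expired cert
    Asset("web-02", "2.3.32", date(2018, 6, 30)),         # patched, valid cert
    Asset("web-03", "2.5.10", date(2018, 6, 30)),         # one release short of the fix
    Asset("web-04", "2.5.11", date(2017, 3, 10)),         # patched, cert lapsed this week
]


if __name__ == "__main__":
    # Assumed: a two-day SLA for critical patches, checked on the day of the March 16 meeting.
    for host, finding, days in audit(INVENTORY, date(2017, 3, 16), sla_days=2):
        print(f"{host}: {finding} ({days} days)")
```

Run on the meeting date with the assumed two-day SLA, the audit reports the legacy host both as unpatched and as having an inspection certificate expired for over a year, web-03 as unpatched because 2.5.10 is one release short of 2.5.10.1, and web-04 only for its freshly lapsed certificate. Hosts on a release line the advisory does not cover are flagged rather than passed, so an incomplete inventory mapping cannot hide an affected system.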
IT security took a back seat at Equifax; an aggressive growth strategy was the company's priority. Equifax failed to develop an IT management structure that functioned properly, which held up time-sensitive security work such as patching.
It is crucial for organizations to maintain and secure their IT infrastructure, deploying patches promptly, verifying that the fix reached every affected system, and keeping the monitoring controls that would reveal an intrusion in working order, with accountability from the top down. For advisory and gap analysis solutions contact LIFARS.