A US Congressional report outlining the breakdowns that led to the 2017 theft of 148 million personal records from Equifax has revealed a stunning catalog of failure.
The 96-page report (PDF) from the House's Committee of Oversight and Government Reform found that the 2017 network breach could have easily been prevented had the company taken basic security precautions.
"Equifax, however, failed to implement an adequate security program to protect this sensitive data," the report reads.
"As a result, Equifax allowed one of the largest data breaches in US history. Such a breach was entirely preventable."
The report noted some of the previously disclosed details of the hack, including the expired SSL certificate that had disabled its intrusion detection system for 19 months and the Apache Struts patch that went uninstalled for two months because of that bad cert.
The report states that Equifax's IT team did scan for unpatched Apache Struts code on its network. But it only checked the root directory, not the subdirectory that was home to the unpatched software.
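The root-directory-only scan is the kind of gap a recursive inventory check closes. The following is an added illustration, not code from the committee report or from Equifax's own tooling: it builds a throwaway directory tree (a constructed fixture with placeholder version numbers) holding struts2-core jars at two depths, then contrasts a root-only listing with a full walk. The fixed version is a parameter; a real deployment would take it from the vendor advisory for the flaw being checked.

```python
"""Recursive inventory of Apache Struts library jars.

Added example, not code from the committee report or from Equifax: it builds
a throwaway directory tree (constructed fixture) with struts2-core jars at two
depths and contrasts a root-only listing with a full walk. The version
threshold is a parameter; the caller supplies the fixed version from the
vendor advisory for the flaw being checked.
"""
import os
import re
import tempfile
from typing import Iterator, List, Tuple

# Real artefact naming convention for the library: struts2-core-<version>.jar
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def find_struts_jars(root: str, recursive: bool) -> Iterator[Tuple[str, Tuple[int, ...]]]:
    """Yield (path, version) for every struts2-core jar under root.

    recursive=False reproduces a root-only check; recursive=True walks every
    subdirectory, which is where application servers normally keep their libs.
    """
    if recursive:
        walker = os.walk(root)
    else:
        top_files = [f for f in os.listdir(root) if os.path.isfile(os.path.join(root, f))]
        walker = [(root, [], top_files)]
    for dirpath, _subdirs, files in walker:
        for name in files:
            match = JAR_RE.match(name)
            if match:
                yield os.path.join(dirpath, name), parse_version(match.group(1))


def unpatched(root: str, fixed_version: str, recursive: bool = True) -> List[str]:
    """Return paths of jars whose version is older than fixed_version."""
    threshold = parse_version(fixed_version)
    return sorted(path for path, ver in find_struts_jars(root, recursive) if ver < threshold)


def build_sample_tree() -> str:
    """Constructed fixture: a current jar at the root, a stale one buried in an app's lib dir.

    The version numbers are placeholders, not real Struts releases.
    """
    root = tempfile.mkdtemp(prefix="struts-scan-")
    lib_dir = os.path.join(root, "apps", "acis", "WEB-INF", "lib")
    os.makedirs(lib_dir)
    open(os.path.join(root, "struts2-core-9.9.9.jar"), "w").close()
    open(os.path.join(lib_dir, "struts2-core-1.0.0.jar"), "w").close()
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    # Placeholder threshold; take the real value from the advisory.
    FIXED_VERSION = "2.0.0"
    print("root only:", unpatched(root, FIXED_VERSION, recursive=False))  # []
    print("recursive:", unpatched(root, FIXED_VERSION, recursive=True))   # the nested stale jar
```

The root-only pass reports nothing, while the recursive pass finds the stale jar under the application's lib directory; that difference is the whole gap the report describes.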
Both issues were blamed for allowing an attacker to compromise the Equifax Automated Consumer Interview System and then spend weeks moving throughout the network to harvest personal records from other databases. It was only when the certificate was renewed that Equifax saw the massive amounts of data being copied from its servers and realized something was very wrong.
While those two specific issues were pinpointed as the source of the attack, the report finds that the intrusion was allowed to happen because the IT operation at Equifax had grown far too large far too fast, without a clear management structure or coherent policies across various departments.
Lousy IT security by design
"In 2005, former Equifax CEO Richard Smith embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, IT systems, and data. While the acquisition strategy was successful for Equifax’s bottom line and stock price, this growth brought increasing complexity to Equifax’s IT systems, and expanded data security risks," the committee found.
"In August 2017, three weeks before Equifax publicly announced the breach, Smith boasted Equifax was managing 'almost 1,200 times' the amount of data held in the Library of Congress every day."
What's more, the report notes that Equifax had been aware of these shortcomings for years, with internal audits that found problems in its software patching process back in 2015, and in both 2016 and 2017 a report from MSCI Inc. rated Equifax network security as a "zero out of ten."
A 2015 audit found that ACIS, a Solaris environment that dated back to the 1970s, was not properly walled off from other databases, a fault that allowed the attackers to access dozens of systems they would not have otherwise been able to get to.
"Although the ACIS application required access to only three databases within the Equifax environment to perform its business function, the ACIS application was not segmented off from other, unrelated databases," the report noted.
"As a result, the attackers used the application credentials to gain access to 48 unrelated databases outside of the ACIS environment."
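A least-privilege allow-list makes that kind of over-reach visible the first time it happens. The following is an added illustration, not from the committee report or from Equifax's own tooling: it takes a per-application list of the databases an application legitimately needs (a hypothetical app named "acis" with three databases, constructed for the example) and flags every connection in an audit log that falls outside it. The log lines and their key=value format are constructed as well.

```python
"""Allow-list check for application-to-database connections.

Added example, not from the committee report or from Equifax's own tooling.
The report's point is that an application needing three databases could reach
48; this check takes a per-application allow-list and flags every connection
in an audit log that falls outside it. Log lines and the log format are
constructed for the example.
"""
from collections import defaultdict
from typing import Dict, Iterator, List, Set, Tuple

# Constructed policy: hypothetical app 'acis' legitimately needs three databases.
ALLOWED: Dict[str, Set[str]] = {
    "acis": {"db-consumer-01", "db-consumer-02", "db-disputes"},
}

# Constructed audit lines in a made-up '<ts> key=value ...' format.
SAMPLE_LOG = """\
2024-01-01T10:01:02Z app=acis user=svc_acis db=db-consumer-01 result=ok
2024-01-01T10:01:05Z app=acis user=svc_acis db=db-disputes result=ok
2024-01-01T10:02:11Z app=acis user=svc_acis db=db-payroll result=ok
2024-01-01T10:02:12Z app=acis user=svc_acis db=db-hr-archive result=ok
2024-01-01T10:03:40Z app=billing user=svc_billing db=db-invoices result=ok
"""

Violation = Tuple[str, str, str, str]  # (timestamp, app, db, reason)


def parse_records(log_text: str) -> Iterator[Dict[str, str]]:
    """Parse '<ts> k=v k=v ...' lines into dicts; blank lines are skipped."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"ts": ts}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        yield rec


def find_violations(log_text: str, allowed: Dict[str, Set[str]]) -> List[Violation]:
    """Flag connections outside an app's allow-list, and apps with no allow-list at all.

    An app with no policy is reported too: undefined reach is the condition the
    report describes, not a safe default.
    """
    violations: List[Violation] = []
    for rec in parse_records(log_text):
        policy = allowed.get(rec["app"])
        if policy is None:
            violations.append((rec["ts"], rec["app"], rec["db"], "no allow-list defined"))
        elif rec["db"] not in policy:
            violations.append((rec["ts"], rec["app"], rec["db"], "outside allow-list"))
    return violations


def reach_summary(log_text: str, allowed: Dict[str, Set[str]]) -> Dict[str, Tuple[int, int]]:
    """Per app: (databases permitted by policy, distinct databases actually reached)."""
    reached: Dict[str, Set[str]] = defaultdict(set)
    for rec in parse_records(log_text):
        reached[rec["app"]].add(rec["db"])
    return {app: (len(allowed.get(app, set())), len(dbs)) for app, dbs in reached.items()}


if __name__ == "__main__":
    for ts, app, db, reason in find_violations(SAMPLE_LOG, ALLOWED):
        print(f"{ts} {app} -> {db}: {reason}")
    print(reach_summary(SAMPLE_LOG, ALLOWED))
```

On the sample log the check reports the two "acis" connections to databases outside its three, and separately reports "billing" because no policy exists for it at all; the summary shows "acis" permitted three databases but reaching four. The same comparison of permitted versus reached is what a segmentation review measures, whether the data comes from database audit logs or from firewall flow records.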
After the pwning of its servers was revealed, Equifax blamed its woes on an IT staffer who hadn't installed the Apache patch, and fired the person. The report makes it clear that there were many more people involved in Equifax's failings than this one scapegoat.
To help prevent similar attacks from occurring, the report recommends a number of additional requirements for credit reporting agencies to tell people what information is being gathered, how it is stored, and who it is shared with. The report also suggests moving away from social security numbers as personal identifiers and recommends that companies in the finance and credit sectors be pushed to modernize their IT structure. ®
Updated to add
Equifax sent the following statement to The Register:
"We are deeply disappointed that the Committee chose not to provide us with adequate time to review and respond to a 100-page report consisting of highly technical and important information," the company said.
"During the few hours we were given to conduct a preliminary review before they released it yesterday, we identified significant inaccuracies and disagree with many of the factual findings. This is unfortunate and undermines our hope to assist the Committee in producing a credible and thorough public resource for those who wish to learn from our experience managing the 2017 cybersecurity incident."
The credit biz has yet to identify what in the report is inaccurate.