This week, the US government published a report on the massive data breach Equifax experienced last year. The overall conclusion shared by the House Oversight and Government Reform Committee is that the data breach – the largest one to date in US history and for the foreseeable future – was entirely preventable. However, as one reads through the entire report, it becomes apparent that it wasn’t preventable at all.
Or rather, it was preventable the way cardiac arrests, skin cancer, and adult-onset diabetes (now known as type 2 diabetes) are preventable: by making sure that you’re doing what needs to be done all the time. Eating right. Exercising regularly. Applying sunscreen. The majority don’t do most of the above, and millions around the world suffer the consequences every year.
Likewise, Equifax fell well short in what they had to do to maintain a healthy and secure data environment. To say that the one incident was preventable is to give Equifax too much credit. The company had set itself up for a data breach.
It’s a wonder a massive information security incident didn’t occur sooner.
At the heart of Equifax’s data breach was a critical Apache Struts vulnerability which was disclosed publicly along with a security patch. Obviously, hackers could and would take advantage of this vulnerability as soon as possible, and as often as possible, since there was a limited window of opportunity to exploit it: once patched, the window would close permanently.
Equifax failed to apply the patch.
Not that they didn’t try. Equifax gave itself a 48-hour deadline to patch the weakness. They scanned their network to see if the vulnerability was present but couldn’t find it. An unsurprising development, seeing how Equifax had no idea what they had, where they had it, and possibly how they had gotten it, the result of years-long acquisition binges that created a complex and fractured computing environment.
Of course, this leads to the question of how they ultimately did learn of the breach. The answer lies in expired security certificates.
Equifax had allowed 300 security certificates to expire (bad). More shockingly, they knew that these needed to be renewed and sat on it, in certain cases for over a year (terrible). Once renewed, the company’s IT department saw that something was very, very wrong. Had those security certificates been active when the hackers exploited the Struts weakness, Equifax would have been aware of the breach immediately. This is undisputed.
(Also undisputed is that the breach wouldn’t have happened if they had applied the patch... but as already explained, they couldn’t find the vulnerable Struts application.)
So, it seems that, based on this, the report’s authors concluded that the incident was preventable. All it would have taken was to apply a free patch to a vulnerability they couldn’t account for, one that would have been unearthed (indirectly) via the certificate, had it not been allowed to expire, and only if the network was already breached by hackers who were siphoning data away. Otherwise, nothing would have been flagged.
How is that “preventable?” Under the circumstances, being breached is an active element of discovering that you can be and have been breached. Unless, of course, what they meant was that the hackers could have been stopped if Equifax had a nominally “normal” infrastructure with an adequate (not even “good” or “stellar”) approach to data security.
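The certificate failure described above is a monitoring problem before it is anything else: nobody was tracking which certificates had lapsed, or for how long. The following is an added example (not code from the report or from Equifax) of the kind of expiry triage a security team would run over a certificate inventory. It assumes the inventory entries are in the dict shape that Python’s `ssl.SSLSocket.getpeercert()` returns, and the host names, dates and “now” are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory: each entry mirrors the dict returned by
# ssl.SSLSocket.getpeercert(), of which only "notAfter" is needed here.
# Names and dates are illustrative, not taken from any real deployment.
INVENTORY = {
    "inspection-proxy-01": {"notAfter": "Mar  1 00:00:00 2016 GMT"},
    "api-gateway": {"notAfter": "Dec 20 00:00:00 2018 GMT"},
    "web-frontend": {"notAfter": "Mar 25 00:00:00 2017 GMT"},
}

# Constructed reference date (an aware UTC datetime) so the result is
# reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2017, 3, 10, tzinfo=timezone.utc)


def days_until_expiry(cert, now):
    """Days (possibly negative) until the certificate's notAfter instant."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])  # epoch seconds, UTC
    return (expires - now.timestamp()) / 86400


def triage(inventory, now, warn_days=30):
    """Bucket an inventory into expired / expiring soon / ok.

    Expired entries carry the number of days they have been lapsed, so a
    certificate that has sat unrenewed for over a year stands out.
    """
    report = {"expired": [], "expiring": [], "ok": []}
    for name, cert in sorted(inventory.items()):
        days = days_until_expiry(cert, now)
        if days < 0:
            report["expired"].append((name, round(-days)))
        elif days <= warn_days:
            report["expiring"].append((name, round(days)))
        else:
            report["ok"].append(name)
    return report


if __name__ == "__main__":
    result = triage(INVENTORY, NOW)
    for name, lapsed in result["expired"]:
        print(f"EXPIRED  {name}: lapsed {lapsed} days ago")
    for name, left in result["expiring"]:
        print(f"EXPIRING {name}: {left} days left")
    for name in result["ok"]:
        print(f"OK       {name}")
```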
But wouldn’t that be true for pretty much all data breaches we’ve read about in the past ten years?
Plus Ça Change, Plus C’est La Même Chose
In September, there was a Congressional hearing that looked into Equifax’s data breach. Much of what’s in the report echoes the hearing, although there are instances where the report sheds further light on what was disclosed previously. In a number of instances, the report even seems to contradict what was said in September. For example, you’d have to really stretch the truth to describe the breach as “human error” after reading this report.
Despite all that’s been revealed, Equifax has not really been held accountable for its actions, or lack thereof. Certainly, civil lawsuits have been filed. And, for a short while, its stock price was hammered. But, aside from the circus show in September, the government hasn’t really done anything to the company. Of course, this does not mean that changes are not on their way, the Equifax bill being one such example and Democrats in the Senate calling for an information fiduciary law being another.
And yet, attempts to pass such bills have a long history of dying in Congress, so don’t hold your breath.