Equifax Incident Analysis: The Fight That Goliath Would Lose

Majdi Riak
Jun 1, 2021

Equifax is a global consumer credit reporting agency headquartered in Atlanta, Georgia. Equifax operates or has investments in 24 countries, including Australia. In September 2017, Equifax announced that its systems had been breached and the sensitive personal data of over 140 million consumers had been compromised. This report explains the circumstances of the cyberattack against Equifax, one of the largest consumer reporting agencies in the world.

On March 7, 2017, a critical vulnerability in the Apache Struts software was publicly disclosed. Equifax used Apache Struts to run specific applications on legacy operating systems. Equifax, however, failed to implement an adequate security program to protect the sensitive data those applications handled. As a result, Equifax allowed one of the most significant data breaches in U.S. history, a breach later described by the U.S. House of Representatives Committee on Oversight and Government Reform as “entirely preventable”. Other companies have suffered larger breaches by raw numbers, but the sensitivity of the personal information Equifax held, combined with the scale of the problem, makes this breach unprecedented in scope and severity.

This report examines Equifax’s lack of appreciation for the seriousness of the breach, as well as data security practices writ large. Additionally, it discusses enterprise patch management technologies for identifying, acquiring, installing, and verifying patches for products and systems. Furthermore, it explains the importance of patch management and examines the challenges inherent in performing patch management and other security countermeasures.

Background of The Incident

As described above, on March 7, 2017, an alert reached Equifax administrators via a free program offered by the Department of Homeland Security known as the Automated Indicator Sharing System. This system allows cyber threat indicators and vulnerability information to be shared between the public and private sectors.

Most companies that used the software, including Equifax, were alerted to the flaw that very same day. Nonetheless, Equifax reported that hackers first gained unauthorised access to their systems on May 13, 2017, sixty-seven days after they were notified of the patch. Moreover, malicious actors were able to operate with impunity until July 29, 2017, when Equifax’s security investigators first noticed suspicious network traffic on their online dispute portal. Finally, on September 7, 2017, Equifax notified the general public of the overwhelming scale of the breach and revealed their new consumer support website, a full one hundred and seventeen days after the customer data was first compromised.

In summary, it took Equifax several months to install a critical software patch after the Department of Homeland Security (DHS) notified them of the update. Furthermore, it took eleven weeks for Equifax’s security team to even notice the suspicious network activity once their system was breached. It then took an additional four days to engage a law firm and a security company to conduct a comprehensive digital forensics investigation.

In total, twenty-six weeks passed from the date that the Department of Homeland Security issued its warning until Equifax finally announced that its systems had been compromised.

The Attack Vector

Based on its cybersecurity consultant’s analysis and recommendations following the breach, Equifax determined that several significant factors had facilitated the attackers’ ability to gain access to its network and extract information from databases containing PII. Specifically, Equifax officials told the Government Accountability Office (GAO) that the critical factors that led to the breach were in the areas of identification, detection, segmentation, and data governance.

In addition to these four broad categories, Equifax officials noted one other factor that also facilitated the breach. Specifically, the lack of restrictions on the frequency of database queries allowed the attackers to execute approximately 9,000 such queries — many more than would be needed for normal operations (GAO, 2018).
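One way to close the query-frequency gap that GAO noted, as an added example that is not Equifax’s or GAO’s code: a sliding-window per-client cap applied to constructed database audit lines. The log format, the client names and the 100-queries-per-minute threshold are assumptions chosen for illustration.

```python
"""Per-client query-frequency cap over constructed database audit log lines.

Added example, not code from the original post. GAO's finding was that no
restriction on query frequency let roughly 9,000 queries run unchallenged;
this enforces a sliding-window cap and raises one alert per offending client.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Split '<ISO timestamp> <client_id> <SQL statement>' (assumed format)."""
    ts, client, stmt = line.split(" ", 2)
    return datetime.fromisoformat(ts), client, stmt


def enforce_query_cap(lines, max_queries=100, window_seconds=60):
    """Return (allowed, blocked, alerts): per-client counts plus alert strings.

    A query is blocked when the client already has max_queries queries inside
    the trailing window; the first block for a client produces an alert.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # client -> timestamps inside the window
    allowed, blocked, alerts = defaultdict(int), defaultdict(int), []
    for line in lines:
        ts, client, _stmt = parse_line(line)
        q = recent[client]
        while q and ts - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) >= max_queries:
            blocked[client] += 1
            if blocked[client] == 1:
                alerts.append(f"{ts.isoformat()} {client} exceeded "
                              f"{max_queries} queries per {window_seconds}s")
            continue
        q.append(ts)
        allowed[client] += 1
    return dict(allowed), dict(blocked), alerts


def build_sample_log():
    """Constructed audit lines: one normal client and one burst client."""
    base = datetime(2017, 5, 13, 3, 0, 0)   # constructed timestamp, not from evidence
    lines = [f"{(base + timedelta(minutes=3 * i)).isoformat()} portal-app-01 "
             "SELECT * FROM disputes WHERE id=?" for i in range(5)]
    lines += [f"{(base + timedelta(milliseconds=200 * i)).isoformat()} portal-app-07 "
              "SELECT * FROM consumers WHERE ssn=?" for i in range(300)]
    return sorted(lines, key=lambda l: parse_line(l)[0])
```

The burst client is allowed its first 100 queries and then blocked for the remaining 200, while the low-rate client is never touched.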

Data Protection

Data resides in many places. Protection of that data is best achieved through the application of a combination of encryption, integrity protection and data loss prevention techniques. As organisations continue to collect, use and share data, proper care must be taken to limit and report on data exfiltration while also mitigating the effects of data compromise (CIS, 2018).

Data leak prevention (DLP) is a suite of technologies aimed at stemming the loss of sensitive information that occurs in enterprises across the globe. By focusing on the location, classification and monitoring of information at rest, in use and motion, this solution can go far in helping an enterprise get a handle on what information it has, and in stopping the numerous leaks of information that occur each day (ISACA, n.d.).

DLP is not a plug-and-play solution. The successful implementation of this technology requires significant preparation and diligent ongoing maintenance. Enterprises seeking to integrate and implement DLP should be prepared for a significant effort that, if done correctly, can significantly reduce risk to the organisation. Those implementing the solution must take a strategic approach that addresses risks, impacts and mitigation steps, along with appropriate governance and assurance measures.
