Free Republic

The Equifax Data Breach
US Congress House Oversight Committee | December 17, 2018 | Majority Staff, 115th Congress

Posted on 12/19/2018 1:58:06 PM PST by MeganC

(This is 96 pages long so I am just posting the Executive Summary here)

On September 7, 2017, Equifax announced a cybersecurity incident affecting 143 million consumers. This number eventually grew to 148 million—nearly half the U.S. population and 56 percent of American adults. This staff report explains the circumstances of the cyberattack against Equifax, one of the largest consumer reporting agencies (CRA) in the world.

Equifax is one of several large CRAs in the United States. CRAs gather consumer data, analyze it to create credit scores and detailed reports, and then sell the reports to third parties. Consumers do not voluntarily provide information to CRAs, nor do they have the ability to opt out of this information collection process. Though CRAs provide a service in facilitating information sharing for financial transactions, they do so by amassing large amounts of sensitive personal data—a high-value target for cyber criminals.1 Consequently, CRAs have a heightened responsibility to protect consumer data by providing best-in-class data security.

In 2005, former Equifax Chief Executive Officer (CEO) Richard Smith embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, information technology (IT) systems, and data. While the acquisition strategy was successful for Equifax’s bottom line and stock price, this growth brought increasing complexity to Equifax’s IT systems, and expanded data security risks. In August 2017, three weeks before Equifax publicly announced the breach, Smith boasted Equifax was managing “almost 1,200 times” the amount of data held in the Library of Congress every day.

Equifax, however, failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable.

On March 7, 2017, a critical vulnerability in the Apache Struts software was publicly disclosed. Equifax used Apache Struts to run certain applications on legacy operating systems. The following day, the Department of Homeland Security alerted Equifax to this critical vulnerability. Equifax’s Global Threat and Vulnerability Management (GTVM) team emailed this alert to over 400 people on March 9, instructing anyone who had Apache Struts running on their system to apply the necessary patch within 48 hours. The Equifax GTVM team also held a March 16 meeting about this vulnerability.

Equifax, however, did not fully patch its systems. Equifax’s Automated Consumer Interview System (ACIS), a custom-built internet-facing consumer dispute portal developed in the 1970s, was running a version of Apache Struts containing the vulnerability. Equifax did not patch the Apache Struts software located within ACIS, leaving its systems and data exposed. On May 13, 2017, attackers began a cyberattack on Equifax. The attack lasted for 76 days. The attackers dropped “web shells” (a web-based backdoor) to obtain remote control over Equifax’s network. They found a file containing unencrypted credentials (usernames and passwords), enabling the attackers to access sensitive data outside of the ACIS environment. The attackers were able to use these credentials to access 48 unrelated databases.

Attackers sent 9,000 queries on these 48 databases, successfully locating unencrypted personally identifiable information (PII) data 265 times. The attackers transferred this data out of the Equifax environment, unbeknownst to Equifax. Equifax did not see the data exfiltration because the device used to monitor ACIS network traffic had been inactive for 19 months due to an expired security certificate. On July 29, 2017, Equifax updated the expired certificate and immediately noticed suspicious web traffic.

After updating the security certificate, Equifax employees identified suspicious traffic from an IP address originating in China. The suspicious traffic exiting the ACIS application potentially contained image files related to consumer credit investigations. Equifax discovered it was under active attack and immediately launched an incident response effort. On July 30, Equifax identified several ACIS code vulnerabilities. Equifax noticed additional suspicious traffic from a second IP address owned by a German ISP, but leased to a Chinese provider. These red flags caused Equifax to shut down the ACIS web portal for emergency maintenance. The cyberattack concluded when ACIS was taken offline.

On July 31, Chief Information Officer (CIO) David Webb informed Richard Smith of the cyber incident. Equifax suspected the attackers exploited the Apache Struts vulnerability during the data breach. On August 2, Equifax engaged the cybersecurity firm Mandiant to conduct an extensive forensic investigation. Equifax also contacted outside counsel and the Federal Bureau of Investigation to alert them to the cyber incident. By late August 2017, Mandiant confirmed attackers accessed a significant volume of consumer PII. Equifax launched an effort to prepare for public notice of the breach. As part of this effort, Equifax created a website for individuals to find out whether they were affected by the data breach and, if so, to register for credit monitoring and identity theft services. Equifax also began efforts to stand up a call center capability staffed by 1,500 temporary employees. On September 4, Equifax and Mandiant completed a list of 143 million consumers affected by the data breach, a number that would later grow to 148 million.

When Equifax informed the public of the breach on September 7, the company was unprepared to support the large number of affected consumers. The dedicated breach website and call centers were immediately overwhelmed, and consumers were not able to obtain timely information about whether they were affected and how they could obtain identity protection services.

Equifax should have addressed at least two points of failure to mitigate, or even prevent, this data breach. First, a lack of accountability and no clear lines of authority in Equifax’s IT management structure existed, leading to an execution gap between IT policy development and operation. This also restricted the company’s implementation of other security initiatives in a comprehensive and timely manner. As an example, Equifax had allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains. Second, Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment. Equifax ran a number of its most critical IT applications on custom-built legacy systems. Both the complexity and antiquated nature of Equifax’s IT systems made IT security especially challenging.

Equifax recognized the inherent security risks of operating legacy IT systems because Equifax had begun a legacy infrastructure modernization effort. This effort, however, came too late to prevent the breach. Equifax held several officials accountable for the data breach. The CIO and Chief Security Officer (CSO) both took early retirements on September 15, eight days after the public announcement. Equifax’s CEO Richard Smith left the company on September 26. On October 2 Equifax terminated Graeme Payne, Senior Vice President and Chief Information Officer for Global Corporate Platforms, for failing to forward an email regarding the Apache Struts vulnerability. Payne, a highly-rated employee for seven years and a senior manager of nearly 400 people, managed a number of IT systems within Equifax, including ACIS. On October 3, Richard Smith testified before Congress blaming human error and a failure to communicate the need to apply a patch as underlying reasons for the breach.

Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented.


TOPICS: Business/Economy; Government; News/Current Events; Technical
KEYWORDS: breach; congress; equifax; hacking

1 posted on 12/19/2018 1:58:06 PM PST by MeganC
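The summary above says the GTVM alert went to over 400 people with a 48-hour patch deadline, and that ACIS was still running the vulnerable Struts build two months later. The gap a practitioner would close is verification: an advisory has to be reconciled against a software inventory, not just emailed. The following Go program is an added example, not code from the committee report or from Equifax. The hosts, the inventory rows and the fixed version strings ("2.3.32" and "2.5.10.1", one per release branch) are constructed for illustration; the page itself names no versions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Asset is one row of a constructed software inventory (hypothetical hosts).
type Asset struct{ Host, Component, Version string }

// Advisory mirrors the GTVM alert in the summary: affected component, the first
// fixed version on each release branch, when the alert went out and its SLA.
type Advisory struct {
	Component string
	Fixed     []string // one entry per branch; values assumed for illustration
	AlertedAt time.Time
	SLA       time.Duration
}

// Finding is one asset still needing the patch and how far past the SLA it is.
type Finding struct {
	Asset   Asset
	Overdue time.Duration // zero while the deadline has not yet passed
}

// parseVersion turns "2.3.31" into [2 3 31 0]. Short versions pad with zeros so
// "2.5.10" equals "2.5.10.0"; non-numeric parts count as 0 (Atoi returns 0 on error).
func parseVersion(v string) [4]int {
	var out [4]int
	for i, p := range strings.Split(strings.TrimSpace(v), ".") {
		if i < len(out) {
			out[i], _ = strconv.Atoi(p)
		}
	}
	return out
}

// compareVersion returns -1, 0 or 1 for a<b, a==b, a>b.
func compareVersion(a, b string) int {
	va, vb := parseVersion(a), parseVersion(b)
	for i := range va {
		if va[i] != vb[i] {
			if va[i] < vb[i] {
				return -1
			}
			return 1
		}
	}
	return 0
}

// fixForBranch picks the fixed version sharing the asset's major.minor branch.
func fixForBranch(version string, fixed []string) (string, bool) {
	v := parseVersion(version)
	for _, f := range fixed {
		if fv := parseVersion(f); fv[0] == v[0] && fv[1] == v[1] {
			return f, true
		}
	}
	return "", false
}

// IsVulnerable reports whether an asset runs the advisory's component below the
// fix for its branch. A branch the advisory does not list is treated as vulnerable:
// an unknown state must be reviewed, never assumed safe.
func IsVulnerable(a Asset, adv Advisory) bool {
	fix, ok := fixForBranch(a.Version, adv.Fixed)
	return a.Component == adv.Component && (!ok || compareVersion(a.Version, fix) < 0)
}

// Reconcile checks the inventory at time now and returns every asset that is
// still vulnerable, with how far past the SLA deadline it is.
func Reconcile(inv []Asset, adv Advisory, now time.Time) []Finding {
	var out []Finding
	for _, a := range inv {
		if IsVulnerable(a, adv) {
			f := Finding{Asset: a}
			if deadline := adv.AlertedAt.Add(adv.SLA); now.After(deadline) {
				f.Overdue = now.Sub(deadline)
			}
			out = append(out, f)
		}
	}
	return out
}

func main() {
	// Alert date and 48-hour SLA follow the summary; everything else is constructed.
	adv := Advisory{"apache-struts", []string{"2.3.32", "2.5.10.1"},
		time.Date(2017, 3, 9, 0, 0, 0, 0, time.UTC), 48 * time.Hour}
	inv := []Asset{{"acis-web-01", "apache-struts", "2.3.31"}, {"portal-02", "apache-struts", "2.5.10.1"},
		{"batch-03", "apache-struts", "2.1.8"}, {"db-04", "postgresql", "9.6"}}
	now := time.Date(2017, 3, 16, 0, 0, 0, 0, time.UTC) // the day of the GTVM meeting
	for _, f := range Reconcile(inv, adv, now) {
		fmt.Printf("%-12s %-14s %-9s overdue=%v\n", f.Asset.Host, f.Asset.Component, f.Asset.Version, f.Overdue)
	}
}
```

Run with `go run`; the unpatched ACIS-style host and the host on an unlisted legacy branch both come back five days overdue, while the host already at the fixed version and the unrelated database are silent. The point of the unlisted-branch rule is the same one the summary makes about ACIS: a component nobody can place against the advisory is exactly the one that needs a human look.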

To: MeganC

The full pdf is at the link.


2 posted on 12/19/2018 1:58:50 PM PST by MeganC (There is nothing feminine about feminism.)

To: MeganC

I like how they skillfully avoid mentioning either the CIO’s name, or the fact that she was an affirmative action hire with no background in IT. This was a social justice security disaster.


3 posted on 12/19/2018 2:01:31 PM PST by thoughtomator (Number of arrested coup conspirators to date: 2)

To: MeganC
We don't have money to protect our borders...

We don't have money to protect our country from cyber attacks...

BUT WE DO HAVE MONEY TO PROTECT THE BORDERS OF THE EU AND SOUTH KOREA... and to give money away to every pity party group in the world...

Guess our ‘government servants’ are wedded to those big speech fees they collect...

4 posted on 12/19/2018 2:16:57 PM PST by GOPJ (TERM LIMIT DC SWAMP BUREAUCRATS - a permanent un-elected ruling class is a threat to freedom.)

To: MeganC
“the device used to monitor ACIS network traffic had been inactive for 19 months due to an expired security certificate.”

A large Bag of Cash being delivered to the head of their IT department.

Only an IDIOT would believe this was an honest mistake, somebody GOT PAID, and by the looks of it Congress got their bags too!
5 posted on 12/19/2018 2:43:11 PM PST by eyeamok
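The line quoted in the post above is the detection failure in the report: the device inspecting ACIS traffic needed a valid certificate, the certificate had lapsed, and the device went quiet for 19 months with nobody noticing; the summary adds that over 300 certificates had expired, 79 of them on monitoring for business-critical domains. The check a practitioner wants is a certificate inventory audit that treats an expired or unreadable entry as an alarm rather than a warning. The Go program below is an added example, not code from the report or from Equifax. The three host names and the self-signed test certificates are constructed in-code; the 30-day warning window is a common default, not something the page states.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Status is the audit verdict for one certificate in the bundle.
type Status string

const (
	StatusOK, StatusExpiring, StatusExpired, StatusBroken Status = "ok", "expiring", "expired", "unparseable"
)

// Finding is one certificate with its verdict.
type Finding struct {
	Subject  string
	NotAfter time.Time
	Status   Status
}

// Classify judges one parsed certificate against now and a warning window.
func Classify(c *x509.Certificate, now time.Time, warn time.Duration) Status {
	switch {
	case !now.Before(c.NotAfter):
		return StatusExpired
	case now.Add(warn).After(c.NotAfter):
		return StatusExpiring
	}
	return StatusOK
}

// Audit walks a PEM bundle (the kind exported from an appliance or cert store) and
// returns one finding per CERTIFICATE block. A block that fails to parse is reported
// rather than skipped, so a corrupt entry cannot hide the way an expired one did.
func Audit(bundle []byte, now time.Time, warn time.Duration) []Finding {
	var out []Finding
	for {
		var block *pem.Block
		if block, bundle = pem.Decode(bundle); block == nil {
			return out
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			out = append(out, Finding{Subject: "?", Status: StatusBroken})
			continue
		}
		out = append(out, Finding{c.Subject.CommonName, c.NotAfter, Classify(c, now, warn)})
	}
}

// SelfSigned mints a throwaway self-signed certificate with the given validity
// window. It exists only to build test data; never use it as a real trust root.
func SelfSigned(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// DemoBundle builds a constructed bundle for three hypothetical hosts: one cert
// that lapsed about 19 months before now, one inside the warning window, one healthy.
func DemoBundle(now time.Time) ([]byte, error) {
	specs := []struct{ cn string; nb, na time.Time }{
		{"acis-monitor.example", now.AddDate(-3, 0, 0), now.AddDate(0, -19, 0)}, // expired
		{"portal.example", now.AddDate(-1, 0, 0), now.AddDate(0, 0, 10)},        // expires in 10 days
		{"api.example", now.AddDate(0, -1, 0), now.AddDate(1, 0, 0)},            // healthy
	}
	var bundle []byte
	for _, s := range specs {
		p, err := SelfSigned(s.cn, s.nb, s.na)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, p...)
	}
	return bundle, nil
}

func main() {
	now := time.Date(2017, 7, 29, 0, 0, 0, 0, time.UTC) // the day the certificate was finally renewed
	bundle, err := DemoBundle(now)
	if err != nil {
		panic(err)
	}
	for _, f := range Audit(bundle, now, 30*24*time.Hour) {
		fmt.Printf("%-22s notAfter=%s status=%s\n", f.Subject, f.NotAfter.Format("2006-01-02"), f.Status)
	}
}
```

Against a real estate the bundle would come from the appliance's own export or a certificate store, and the audit would run on a schedule with "expired" and "unparseable" paging someone. The audit only covers what is in the inventory, though; the ACIS device stayed dark for 19 months, so a monitoring point also needs a liveness check that confirms it is still producing decrypted traffic, which a certificate audit alone does not give you.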

To: GOPJ

“PROTECT THE BORDERS OF THE EU”

I believe Germany pays much of the cost.

South Korea?


6 posted on 12/19/2018 3:02:05 PM PST by Brian Griffin

To: MeganC

You would think that the data wouldn’t go out unless money came in.

They are usually good at protecting their revenue.


7 posted on 12/19/2018 3:04:16 PM PST by Brian Griffin

To: MeganC

Were Social Security numbers matched with names lost?

I pay my bills. It’s the norm. What would it matter if that fact was confirmed?


8 posted on 12/19/2018 3:07:15 PM PST by Brian Griffin

To: Brian Griffin

We spend trillions on countries around the world and don’t have a dime to protect our own borders?

Trump is just the start of the revolution...

https://www.google.com/search?client=firefox-b-1&q=how+many+us+troops+are+in+the+EU

The United States maintains about 320,000 military personnel in Europe, about ten percent of the European total.

Despite recently closing hundreds of bases in Iraq and Afghanistan, the United States still maintains nearly 800 military bases in more than 70 countries and territories abroad—from giant “Little Americas” to small radar facilities. Britain, France and Russia, by contrast, have about 30 foreign bases combined.

As of 2013, there are approximately 50,000 U.S. military personnel stationed in Japan, along with approximately 40,000 dependents of military personnel and another 5,500 American civilians employed there by the United States Department of Defense.

German Army. ... The present-day German Army was founded in 1955 as part of the newly formed West German Bundeswehr together with the Marine (German Navy) and the Luftwaffe (German Air Force). As of 28 February 2018, the German Army had a strength of 186,431 soldiers.


https://www.google.com/search?client=firefox-b-1&q=how+many+us+soldiers+are+stationed+in+South+korea

With 23,468 American soldiers, sailors, airmen and Marines in South Korea, U.S. forces in South Korea are a major presence in the region and a key manifestation of the U.S. government’s aim to rebalance toward the Asia-Pacific.

How many US military bases are in Korea?
The Air Force has more than 8,000 airmen, the Navy as many as 1,000 sailors and the Marine Corps about 200 Marines. The majority of troops are at U.S. Army Garrison Humphreys in Pyeongtaek; Yongsan in Seoul; and Camp Walker in Daegu. The Air Force has two bases, Osan and Kunsan. The Navy operates from Busan and Jinhae. (Jun 5, 2018)


9 posted on 12/19/2018 3:12:50 PM PST by GOPJ (TERM LIMIT DC SWAMP BUREAUCRATS - a permanent un-elected ruling class is a threat to freedom.)

To: Brian Griffin
"Were Social Security numbers matched with names lost?" Yes. See page 11: “September 7, 2017: Equifax notifies the public of the breach. Equifax states the information accessed by attackers included names, Social Security numbers, dates of birth, ...”
10 posted on 12/19/2018 3:32:57 PM PST by MeganC (There is nothing feminine about feminism.)

To: GOPJ
We don't have money to protect our country from cyber attacks...

We will never have enough money to protect our country from cyberattack. The problem with using bloated garbage like Struts is that you might as well just give every hacker their own server password. There's no way to protect against that kind of attack for any amount of money.

11 posted on 12/19/2018 4:09:08 PM PST by palmer (...if we do not have strong families and strong values, then we will be weak and we will not survive)

To: thoughtomator

“I like how they skillfully avoid mentioning either the CIO’s name, or the fact that she was an affirmative action hire with no background in IT. This was a social justice security disaster.”

I’m sure music major Susan Mauldin is enjoying a comfy retirement. 143,000,000 victims should know her name.


12 posted on 12/19/2018 4:57:35 PM PST by utax

To: AdmSmith; AnonymousConservative; Arthur Wildfire! March; Berosus; Bockscar; cardinal4; ColdOne; ...
Thanks MeganC.

13 posted on 12/20/2018 12:21:42 PM PST by SunkenCiv (and btw -- https://www.gofundme.com/for-rotator-cuff-repair-surgery)
