Congress once again hauled Equifax in front of a committee to testify about its 2017 hack on Thursday, and issued yet another report outlining a cascade of errors at the firm which led to the incident.
The Equifax hack is the subject of our 6-week investigative podcast, Breach.
Before a grilling by the Senate Permanent Subcommittee on Investigations, the committee released a bipartisan report that largely echoed prior reports issued by the House Committee on Oversight and the General Accountability Office. There are some new nuggets in the Senate report, however. I offer some bullet points below, but the two items that caught my eye are what I’m calling the Equifax “HeckOfAJobBrownie” comments, and the “shredding” incident.
Working backwards, the Senate report laments that “the American public may never know the full story behind the 2017 Equifax breach because company officials failed to retain key records from that time.”
Equifax employees used Microsoft Lync, an instant-message style service that’s popular with corporations. In the early days of the breach, employees used Lync to talk about what was happening in real-time. Unfortunately, most of that chatter has vaporized. Equifax had previously determined that Lync messages didn’t need to be stored. Mid-incident, however, Equifax’s legal team realized it needed to start preserving all records — yet still, for several weeks, Lync messages were deleted.
“The records of extensive internal discussions among Equifax officials about the data breach in real time were determined by the company to be disposable,” the report says. Here’s more:
“During its investigation, the Subcommittee learned that Equifax employees conducted substantive discussions of the discovery and mitigation of the data breach using Microsoft Lync, an instant messaging product. Equifax’s policy was that records of these chats were disposable. As such, Equifax maintained the default setting on the chat platform not to archive chats. After discovering the data breach on July 29, 2017, Equifax did not issue a legal hold for related documents until August 22, 2017. Despite the legal hold, Equifax did not change the default setting on the Lync platform and begin archiving chats until September 15, 2017. As a result, the Subcommittee does not have a complete record of documents concerning the breach,” the committee wrote.
In another section, the committee highlights that Equifax had systemic security issues which led to the breach.
“Equifax Failed to Prioritize Cybersecurity,” it says. “Equifax had no standalone written corporate policy governing the patching of known cyber vulnerabilities until 2015. After implementing this policy, Equifax conducted an audit of its patch management efforts, which identified a backlog of over 8,500 known vulnerabilities that had not been patched. This included more than 1,000 vulnerabilities the auditors deemed critical, high, or medium risks that were found on systems that could be accessed by individuals from outside of Equifax’s information technology
Still, elsewhere in the report, a series of Equifax executives and workers give the firm good grades, or at least passing grades, for its handling of the incident. Here’s a sampling:
- “We had rock stars at Equifax who were de facto pillars in the field.” The former Countermeasures Manager believes the response to the vulnerability was “not only defensible, but justifiable.”
- The former Vice President of the CTC “… stated that she was unsure if anything about the response to the March 2017 vulnerability could have been different because the security team was not part of the Development team, which was responsible for installing patches. When asked what grade she would assign to Equifax’s data security protocols, she responded with a ‘B, because nothing is an A in security.’”
- The CIO at Equifax from 2010 to 2017 “oversaw the company employees responsible for installing patches but said he was never made aware of the Apache Struts vulnerability and does not understand why the vulnerability ‘was not caught.’ He does not think Equifax could have done anything differently.”
- The former Director of the GTVM team, “when asked what grade he would assign to Equifax’s data security protocols prior to the breach, … responded that he would ‘probably say a C especially on remediation. Especially on Apache, I would give it a C on identification and remediation.’ He further indicated that even after the breach, he would ‘say still a C but getting to improvements.’ He added that Equifax was ‘still getting there on [the] remediation side.’”
A few other report highlights:
The “honor system”: The audit report concluded, among other things, that Equifax did not abide by the schedule for addressing vulnerabilities mandated by its own patching policy. It also found that the company had a reactive approach to installing patches and used what the auditors called an “honor system” for patching that failed to ensure that patches were installed. The audit report also noted that Equifax lacked a comprehensive IT asset inventory, meaning it lacked a complete understanding of the assets it owned. This made it difficult, if not impossible, for Equifax to know if vulnerabilities existed on its networks. If a vulnerability cannot be found, it cannot be patched.
Six levels down: “The Chief Information Officer (‘CIO’), who oversaw the IT department during 2017, referred to patching as a ‘lower level responsibility that was six levels down’ from him.”
The ‘developer’ who could have fixed this: “The Equifax developer who was aware of Equifax’s use of Apache Struts software was not included in the 400-person email distribution list used to circulate information on the vulnerability. The developer’s manager, however, was on the distribution list and received the alert, but failed to forward it to the developer or anyone on the developer’s team.”