Now, we’re getting into the nitty-gritty. How did criminals get inside Equifax, and what were all the missteps inside the company that led to the hack? In episode three, we hear from the GAO investigators who actually got inside Equifax and interviewed the principals involved. We find out that it took Equifax 76 days to notice the attack. We also find out that the attack itself was “not sophisticated.” In fact, Equifax made things easy. Once inside, criminals found a text file with usernames and passwords for 51 other databases. There are plenty of other mistakes, too.
Nevertheless, when CEO Richard Smith testified before Congress, he dished out a lot of the blame to a single worker and “human error.” We tracked down the human error and — in an interview you won’t hear anywhere else — we get his side of the story. Ever wonder what it’s like to get really, really bad news as a security professional? On your birthday? You’ll find out.
Here’s a sampling of the transcript.
RICK SMITH: I’m here today to say to each and every person affected by this breach, I am truly and deeply sorry for what happened. We know now that this criminal attack was made possible by a combination of human error and technological error.
GRAEME: When he mentioned the cause of the breach was human error, I found it troubling, to be honest. I think it’s really an incredible simplification of the issues and the complexity of managing cyber security and a large organization.
ALIA: Later on in one of these hearings, Smith elaborates on that “human error” –
RICK SMITH: The individual who I just discussed that was responsible for the patching process is no longer with the company.
GRAEME: The day before I had been terminated from the company, so I was able to put two and two together and work out that the person that he was talking about was me.
ALIA: But that “one human error,” of course, isn’t the full story –
BOB: Not at all! So many more mistakes.
ALIA: Today, we look at the full story. We sat down with the two guys who went to Equifax, investigated, and wrote the detailed report on *all* of the big and little things that went wrong –
BOB: And we have a conversation with the “human error” himself – Graeme Payne –
ALIA: To get to the bottom of what *really* went wrong at Equifax, to really break down the perfect storm that led to (what some people are calling) the worst breach ever.
RICK SMITH: The human error was the individual who was responsible for communicating in the organization to apply the patch… did not.
CHAIRMAN: So does that mean that that individual knew that the software was there and it needed to be patched and did not communicate that to the team that does the patching? Is that the heart of the issue here?
RICK SMITH: That is my understanding, sir.
ALIA: Well, we talked to Graeme, the quote human error himself, to see if he thinks that’s actually what went wrong. This is the person who got fired, and then turned on the TV the next day to discover he was being blamed for causing the breach — so does he agree that it was his fault?
GRAEME: I think the committee concluded that it didn’t align with the backdrop of the facts.
NICK: The attackers, once they got in the door, were able to identify usernames and passwords for other databases that were being stored in clear text. That is to say there was a file available that didn’t require any password itself to get to that information.
BOB: A file containing unencrypted credentials – usernames and passwords, completely easy to read.
ALIA: Why would someone store passwords without encrypting them?
NICK: Well, if you think about it, an administrator, assistant administrators’ roles and responsibilities, they’re tapping and they’re accessing a lot of different systems. And so a fast way of doing so is kind of like for those of us that stick Post It notes under our keyboards would be to keep that information stored somewhere so that you could easily access it. Sometimes to just copy and paste it in so that you don’t have to worry about it.
BOB: So our lives are full of all these little conveniences, all these little workarounds. When we do these things, we just never imagine these workarounds in the hands of a hacker.
NICK: Some of these passwords can be very long and complex, um, can be automatically randomly generated and so it. It’s something that I think demonstrates the fact that humans are going to be, they’re going to be fallible themselves.
BOB: This is the absolute Catch-22 of passwords. The longer and more complex your passwords are, the less likely you are to remember them, and the more likely you are to put them in a text file or on a Post-it note so that you can get them when you need them. Simpler passwords, easy to remember; complex passwords, hard to remember. Which one is safer? I don’t know.
ALIA: So after waltzing into the dispute resolution portal, these hackers are armed with a bunch of other usernames and passwords –
NICK: And so they were able to then use those to navigate to about 51 other databases or 51 databases total.
ALIA: 51 databases to enter search queries for our useful PII.
NICK: There’s another thing, that I, that I’d mention too, you know, it, it took 9,000 queries. So those are like searches, to tap into these databases, right?
ALIA: Hackers have to search through these databases. These queries are their more sophisticated version of CTRL + F: Social Security Number. Nick’s point is: even if the data exiting the servers wasn’t detected (thanks to the expired certificate) – those queries themselves could have been detected.
NICK: For example, you know, in hindsight you could put a limit on how many queries get done within a certain period of time, or let’s say you have queries coming from one source, you know, over and over and over again. There could be ways to restrict that. So that, okay, once they hit 100, okay, there’s something up. That was another area that Equifax informed us that in hindsight they, and I think following that they’re looking at putting some restrictions in place.
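The per-source query limit Nick sketches above, written out as a detection check. This is an added example and not code from the podcast, the GAO report or Equifax: it assumes a database query log of (timestamp, source, query) records, uses a constructed sample log, and takes the threshold of 100 queries from the transcript. It flags the first moment any one source exceeds the threshold inside a trailing time window, which is the pattern 9,000 lookups from one place would trip.

```python
"""Sliding-window query-rate detector over a constructed database query log.

Added example for the Equifax episode; not the podcast's or Equifax's code.
A source that issues more than `threshold` queries within any trailing
`window` is reported once, with the time and count at which it crossed.
"""
from collections import deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample records (timestamp, source, query); not real data.

    'portal-app' is a normal trickle of dispute lookups; '10.0.0.7' is a
    hypothetical source hammering a PII table every four seconds.
    """
    base = datetime(2017, 5, 13, 9, 0, 0)
    log = []
    for i in range(5):
        log.append((base + timedelta(minutes=i * 7), "portal-app",
                    "SELECT * FROM disputes WHERE id = ?"))
    for i in range(150):
        log.append((base + timedelta(seconds=i * 4), "10.0.0.7",
                    "SELECT ssn, dob FROM consumers WHERE last_name = ?"))
    log.sort(key=lambda rec: rec[0])
    return log


def detect_query_bursts(log, threshold=100, window=timedelta(minutes=10)):
    """Return {source: (timestamp, count)} for the first record at which each
    source has more than `threshold` queries inside the trailing `window`."""
    recent = {}   # source -> deque of timestamps still inside the window
    alerts = {}
    for ts, source, _query in log:
        q = recent.setdefault(source, deque())
        q.append(ts)
        # Evict timestamps that have aged out of the trailing window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and source not in alerts:
            alerts[source] = (ts, len(q))
    return alerts


if __name__ == "__main__":
    for src, (when, count) in detect_query_bursts(build_sample_log()).items():
        print(f"ALERT {when.isoformat()} source={src} queries_in_window={count}")
```

The window is a trailing one evaluated on every record, so a slow source that spreads its lookups out never alerts, while a burst is caught on the query that crosses the line rather than at the end of a fixed reporting period. In production the same logic would run over the database's own audit log, and the threshold would be tuned per application rather than set globally.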
You can listen to episode one by clicking play below, if that embedded link works for you. If not, click :