Equifax Data Breach, A showcase of negligence and incompetency

Javid Chizari


Equifax, one of the three major consumer credit reporting companies, with over 118 years[1] of history, miserably failed to securely contain our personal information and acknowledged one of the largest data breaches in America, exposing the PII[2] of 147[3] million people, including names, Social Security numbers, birth dates, addresses, and driver's license numbers. Although a data breach of this magnitude by itself signals massive security incompetence, the company made it worse by failing to follow a proper procedure for managing the breach, its response, recovery, and notifications. Some of the executives went even further and pursued personal greed[4], adding ethical and legal violations to this chaos, which led to the company paying up to $700 million in fines and financial assistance to consumers. In this paper, we briefly review this breach as follows:


In its initial public announcement on September 7, 2017, Equifax acknowledged that hackers had penetrated its systems from mid-May through July.


The hackers exploited a flaw in third-party software[5] that enabled consumers to dispute inaccuracies in their credit reports. Although the bug had already been identified and fixed, and a security patch[6] had been released on March 19, 2017, Equifax ignored the critical notifications and failed to update its systems. In addition, inadequate security measures in the system (such as network segmentation, credential encryption, and network monitoring) let the attackers elevate and expand their access within the systems.


The US Department of Justice has officially charged four officers of the Chinese People's Liberation Army (PLA), effectively attributing the attack to the Chinese government.


“Information is Power.”[7] The quality and extent of the Equifax data would be attractive to anyone interested in financial gain or an intelligence advantage. Either way, an APT[8] leading to a data breach of this scale needed two important factors to succeed:

1. An adversary government, like China, that can gain a substantial intelligence advantage from such data theft, especially against US officials, as the Justice Department pointed out[9].

2. Mismanagement at Equifax. The CSO[10] of Equifax from 2013 to 2017, Susan Mauldin, was a Music Composition graduate of the University of Georgia who retired a week after the public disclosure, along with David Webb, CIO[11] of the company since 2010. That the security team chose to dismiss all prior warnings is astonishing. Those warnings were as significant as:

  a. An alert from a security researcher in December 2016, who had analyzed the company's servers and found a vulnerability similar to the one exploited in 2017.

  b. An earlier attack in March 2017 that led to a separate, smaller security breach, in which the company found no evidence of data theft and decided not to disclose it.

  c. The critical security vulnerability patch update published in March 2017.

Lesson learned

Nuno Martins da Silveira Teodoro[12] believes: “while a breach may be your worst enemy, it can also be used to your advantage… take it a learning and focus on improving your response and better managing its impacts.”

There are steps, ignored and neglected by Equifax, that can be taken to avoid such security breaches. Adopting a cybersecurity framework, or a combination of them, such as NIST[13], ISO[14], or CIS[15], is a first and very important step toward evaluating assets, calculating risks, and implementing proper security measures. Taking these steps leads to a better security posture.

Defensive measures:

The most effective defense strategy is widely held to be multi-layered protection, or Defense in Depth (DiD), which combines physical, technical, and administrative controls. Such security measures include:

  • Implementing an IAM (Identity and Access Management) framework[16] and minimizing risk by improving password policies, mitigating insider threats, and using MFA[17]

  • Installing, maintaining, and updating IDS[18]/IPS[19] and anti-malware tools to monitor, detect, and prevent anomalies in the system

  • Using firewalls and WAFs (Web Application Firewalls)

  • Network Segmentation

  • Implementing more restrictive network security policies, such as least privilege and zero trust

  • Adopting update/patch management policies and guidelines

  • Leveraging SIEM[20] and SOAR[21] to optimize cybersecurity in the organization and reach security maturity.
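The patch-management bullet above is the control whose absence the paper's timeline turns on: a fix was available in March and the intrusion began in mid-May. The following script is an added example, not code from the paper or from Equifax; it shows the minimum a patch-management policy needs in practice, which is an inventory of deployed components compared against vendor advisories with a deployment deadline (SLA) per severity. All hosts, version numbers, dates and SLA values are constructed placeholders, not figures from the paper.

```python
"""Patch-compliance audit: compare a deployed-software inventory against
vendor advisories and flag installs still running a version below the fix.
Added example; the inventory and advisory data are constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    component: str
    branch: str          # version line the fix was backported to, e.g. "2.3"
    fixed_version: str   # first version on that line containing the fix
    published: date      # day the vendor released the patch
    severity: str        # "critical" | "high" | "medium"


@dataclass(frozen=True)
class Install:
    host: str
    component: str
    version: str
    internet_facing: bool


# Maximum days a patch may stay undeployed before the install counts as
# overdue. These values are an assumed policy, not the paper's.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


def parse_version(v: str) -> tuple:
    """'2.5.10.1' -> (2, 5, 10, 1). Tuple comparison gives 2.5.10 < 2.5.10.1;
    a non-numeric piece sorts below any number."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def on_branch(version: str, branch: str) -> bool:
    """True when the installed version belongs to the advisory's version line."""
    v, b = parse_version(version), parse_version(branch)
    return v[:len(b)] == b


def needs_patch(install: Install, adv: Advisory) -> bool:
    return (install.component == adv.component
            and on_branch(install.version, adv.branch)
            and parse_version(install.version) < parse_version(adv.fixed_version))


def audit(installs, advisories, today: date) -> list:
    """One finding per (install, advisory) pair still unpatched, worst first.
    days_overdue < 0 means the patch is missing but still inside its SLA."""
    findings = []
    for inst in installs:
        for adv in advisories:
            if not needs_patch(inst, adv):
                continue
            age = (today - adv.published).days
            findings.append({
                "host": inst.host,
                "component": inst.component,
                "installed": inst.version,
                "fixed_in": adv.fixed_version,
                "severity": adv.severity,
                "internet_facing": inst.internet_facing,
                "days_overdue": age - SLA_DAYS[adv.severity],
            })
    # Most overdue first; on ties, internet-facing hosts ahead of internal ones.
    findings.sort(key=lambda f: (-f["days_overdue"], not f["internet_facing"], f["host"]))
    return findings


def overdue(findings) -> list:
    """Only the findings that have already blown through their SLA."""
    return [f for f in findings if f["days_overdue"] > 0]


# Constructed sample data: hosts, versions and dates are placeholders.
ADVISORIES = [
    Advisory("apache-struts2", "2.3", "2.3.32", date(2017, 3, 19), "critical"),
    Advisory("apache-struts2", "2.5", "2.5.10.1", date(2017, 3, 19), "critical"),
    Advisory("log-library", "1", "1.4.0", date(2017, 4, 30), "medium"),
]
INSTALLS = [
    Install("dispute-portal-01", "apache-struts2", "2.3.31", True),   # unpatched, exposed
    Install("dispute-portal-02", "apache-struts2", "2.3.32", True),   # patched
    Install("intranet-app-07", "apache-struts2", "2.5.10", False),    # unpatched, internal
    Install("intranet-app-07", "log-library", "1.3.9", False),        # unpatched, within SLA
    Install("batch-node-03", "apache-struts2", "2.3.33", False),      # newer than the fix
]
AUDIT_DATE = date(2017, 5, 13)  # constructed audit day


def audit_sample() -> list:
    return audit(INSTALLS, ADVISORIES, AUDIT_DATE)


if __name__ == "__main__":
    for f in audit_sample():
        flag = "OVERDUE" if f["days_overdue"] > 0 else "within SLA"
        print(f"{flag:10} {f['host']:18} {f['component']} {f['installed']} -> "
              f"{f['fixed_in']} ({f['severity']}, exposed={f['internet_facing']})")
```

The branch field matters: vendors often backport a fix to several maintained version lines, so a naive "installed < fixed" check against a single version would both miss installs on another line and double-report them. Run on the sample data, the two Struts installs come out 48 days past a 7-day critical SLA, with the internet-facing portal listed first; the log-library finding is reported but not yet overdue.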

Offensive measures:

Defending against more sophisticated or Advanced Persistent Threats, such as state-sponsored hackers or organized cybercrime groups, requires more proactive or offensive cybersecurity strategies. Preemptively identifying vulnerabilities before bad actors can exploit them (vulnerability scanning), threat hunting, and penetration testing, combined with the defensive measures above, help organizations' security teams or SOCs[22] maximize efficiency, minimize threats, and manage risk better.


[1] At the time of the data breach

[2] Personally Identifiable Information

[3] Based on the FTC's (Federal Trade Commission) announcement in September 2022. There have been several estimates since the data breach was discovered, but this paper takes the FTC's estimate as the official number.

[4] Some of the executives sold their Equifax stock before the public announcement about the data breach

[5] Apache Struts 2, an open-source web application framework.

[6] “Critical security vulnerability patch update”

[7] Robin Morgan

[8] Advanced Persistent Threat

[9] Justice News, Washington, DC, February 10, 2020

[10] Chief Security Officer

[11] Chief Information Officer

[12] Cyber Security and Privacy Officer / CISO at Huawei

[13] National Institute of Standards and Technology

[14] International Organization for Standardization

[15] Critical Security Controls

[16] Managing access to critical data within an organization

[17] Multi-Factor Authentication

[18] Intrusion Detection System

[19] Intrusion Prevention System

[20] Security Information and Event Management

[21] Security Orchestration, Automation, and Response

[22] Security Operations Center