1. Introduction
In 2017, Equifax, a major credit reporting agency, experienced a data breach that affected 147 million consumers, exposing personal information such as Social Security numbers and birth dates. The breach also exposed financial data such as credit card numbers and dispute documents. The cause was a vulnerability in Apache Struts, the software behind Equifax’s website, which had been disclosed and patched several months before the breach but had not been patched at Equifax in time. The breach was discovered on July 29, but Equifax did not publicly announce it until September 7, which led to a drop in the company’s stock value and to numerous lawsuits and government investigations.
The CEO of Equifax stepped down shortly after the breach was announced. The company agreed to pay up to $700 million to settle consumer claims and government investigations, improve data security, and undergo regular third-party audits. Several Equifax executives were also charged with insider trading for selling stock before the breach was made public. The breach also affected Canadian and UK consumers: estimates for British residents ranged from under 400,000 to 44 million, and about 8,000 Canadian residents were affected. Equifax has set aside $1.4 billion for related costs, and the incident has damaged consumer trust in credit reporting agencies. It also led to increased scrutiny of credit reporting agencies and their security practices, and to calls for more robust data protection laws and regulations. The incident has also led to increased identity theft and scams related to the breach.
2. Data Breach Aftermath
Three Equifax executives were reported to have sold stock worth seven figures within days of the date on which the company said it discovered the breach. After the announcement, Equifax’s CEO resigned, and the company’s CIO and CSO retired.
However, the most striking aspect of the Equifax data breach is that the data has disappeared completely. Despite the sensitive personal information of 147 million individuals being stolen, it has not appeared on underground websites selling stolen information. Security experts have not seen the data used in any way they would expect in a theft of this magnitude. Experts believe that the thieves were working for a foreign government and are using the information, not for financial gain but to try to identify and recruit spies.
One cybersecurity analyst at a central bank, who asked to remain anonymous, has made the missing Equifax data a 17-month-long obsession. As a “hunter” on the bank’s “hunt team,” his job is to search for data on the dark web, but even with his expertise, he has been unable to find any trace of the stolen personal information. He and other experts believe the data has been so hidden that it may never be found.
The Equifax data breach has resulted in significant changes to credit freeze laws and to regulatory oversight of credit rating agencies. Still, the question of where the data has gone remains unanswered. The fact that it has disappeared completely has led experts to believe that a nation-state stole it for espionage rather than criminals looking to profit from stolen identities.
3. Technical Details
The cause of the breach was a vulnerability in the company’s web servers, which ran Apache Struts, an open-source MVC Java framework. The vulnerability, CVE-2017-5638, was a Remote Code Execution (RCE) flaw found and patched by the Apache Foundation on March 7, 2017. However, Equifax failed to install the patch on its servers, leaving them open to exploitation.
Once the hackers had access to the web servers, they used the exploit to reach internal servers on Equifax’s corporate network. The information they pulled first included internal credentials of Equifax employees, which then allowed them to search the credit monitoring databases under the guise of an authorized user. Using encryption to further mask their searches, the hackers performed over 9,000 scans of the databases, extracted the results into small temporary archives that were transferred off the Equifax servers to avoid detection, and deleted the temporary archives once the transfer was complete.
The data accessed by the hackers included personal information such as names, dates of birth, Social Security numbers, addresses, and credit card numbers. Credit card data from transactions involving more than 200,000 credit cards, some dating back to November 2016, was also compromised. This raises concerns about the security protocols at Equifax, as the storage and handling of credit card data are regulated by the PCI Security Standards Council, which requires all stored card data to be encrypted.
4. The Chinese Military’s Role
According to a criminal indictment unsealed by the U.S. Department of Justice, four members of the Chinese military exploited a flaw in software that allowed U.S. consumers to dispute problems with their Equifax credit reports, giving the hackers access to Americans' personal information. The indictment also states that Equifax security officials failed to install a software upgrade that had been recommended to prevent digital intruders from obtaining access to the victims' information. The U.S. Department of Justice has charged these four individuals, Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei, as the masterminds behind the hack.
5. Impact of the Breach
The mishandling of credit card data could hurt Equifax more than the exposure of sensitive information about nearly a third of US residents. Visa and MasterCard both sent non-public alerts to banks in their networks this week about the card exposure, explicitly blaming Equifax for the breach. The alerts suggest that Equifax was either not encrypting stored credit card data or that some component of the company’s Java-based software gave the attackers the ability to read the data. Retaining that data unencrypted would have violated the PCI Security Standards Council’s standards, which require all stored card data to be encrypted.
6. Rick Smith, Chairman and CEO of Equifax: Statement Summary
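The PCI requirement referred to above is that stored cardholder data be rendered unreadable; a keyed one-way hash plus truncation is one accepted way to do that. The following is an added Python example, not Equifax’s code and not taken from the page’s sources, showing the anti-pattern (full card number stored in cleartext) beside the compliant form (truncated number plus an HMAC token that still allows records to be matched when the card is presented again), together with a Luhn-based audit check that flags any serialized record or log line carrying a live card number. The tokenization key, the card numbers (standard industry test numbers), and the record layout are constructed for the example.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Hypothetical tokenization key. In a real deployment this lives in an HSM or
# key-management service; it is hard-coded here only so the example runs offline.
TOKENIZATION_KEY = b"example-tokenization-key-not-for-production"

# A run of 13-19 digits, optionally separated by spaces or dashes (constructed pattern).
PAN_RUN = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that every real card number passes."""
    total = 0
    parity = len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip separators and reject anything that is not a plausible card number."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a well-formed card number")
    return digits


def truncate_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, the portion that may be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenize_pan(digits: str, key: bytes = TOKENIZATION_KEY) -> str:
    """Keyed one-way hash: records can be matched by card without the PAN being stored."""
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class StoredCard:
    truncated_pan: str
    pan_token: str
    expiry: str


def store_card_insecure(pan: str, expiry: str) -> dict:
    """The anti-pattern: the full card number retained in cleartext next to the transaction."""
    return {"pan": normalize_pan(pan), "expiry": expiry}


def store_card(pan: str, expiry: str, key: bytes = TOKENIZATION_KEY) -> StoredCard:
    """The compliant form: only a truncated number and a keyed hash are persisted."""
    digits = normalize_pan(pan)
    return StoredCard(truncate_pan(digits), tokenize_pan(digits, key), expiry)


def find_by_pan(records, pan: str, key: bytes = TOKENIZATION_KEY):
    """Look up stored records for a card presented again, comparing tokens in constant time."""
    token = tokenize_pan(normalize_pan(pan), key)
    return [r for r in records if hmac.compare_digest(r.pan_token, token)]


def exposes_full_pan(serialized: str) -> bool:
    """Audit check: does a serialized record, log line, or dump contain a Luhn-valid card number?"""
    return any(luhn_valid(re.sub(r"[ -]", "", m.group(0))) for m in PAN_RUN.finditer(serialized))


if __name__ == "__main__":
    card = "4111 1111 1111 1111"  # constructed test number, not a real account
    print("insecure record leaks PAN:", exposes_full_pan(str(store_card_insecure(card, "12/27"))))
    print("compliant record leaks PAN:", exposes_full_pan(str(store_card(card, "12/27"))))
```

The audit function is the piece worth running over backups, application logs, and database exports: the page’s point is that card data from months of transactions was retained, and a scan of that kind is how a security team notices that a system is holding full card numbers it should not have.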
Equifax announced a cybersecurity incident that affected those who rely on it to protect their personal information. On July 29 of this year, Equifax discovered that attackers had gained unauthorized access to certain Equifax data files. The company immediately stopped the intrusion, engaged a leading cybersecurity firm to conduct a comprehensive forensic review, and reported the event to law enforcement. The unauthorized access occurred between mid-May and July. The review found no unauthorized activity on the core credit reporting databases. Equifax profoundly regrets the incident and has apologized to every affected consumer and to all of its partners. It is taking unprecedented steps to support consumers, such as offering every US consumer a comprehensive package of identity theft protection and credit file monitoring at no cost, opening a dedicated call center, launching a dedicated website to provide consumers with information, and reaching out to business customers, regulators, and other government officials to brief them on the situation and on its ongoing actions. Equifax views this incident as a test, and its priority is to support consumers and strengthen its data security capabilities.
7. Equifax’s Response
Equifax has since made significant investments to bolster its data protection, including $1.25 billion for “enhanced security and technology” from 2018 to 2020. However, it is worth noting that there is currently no federal law requiring companies to inform the public about data breaches in the US. Some states have enacted their own breach notification statutes. In the European Union, a single breach notification standard for personal data was agreed upon at the end of 2015 and is set to come into force in May 2018 under the General Data Protection Regulation (GDPR), which requires data controllers to disclose a personal data breach to the national supervisory authority no later than 72 hours after becoming aware of it.
8. NIST CSF and Equifax Breach
The Equifax breach also highlights the importance of compliance with industry standards such as the NIST Cybersecurity Framework (CSF). The CSF provides a framework for organizations to manage and protect sensitive information. Equifax’s failure to comply with these standards ultimately led to a significant data breach.
Identify: Equifax should have regularly assessed and updated its security controls to ensure they were practical and up-to-date. They should have limited access to sensitive data to only those who need it, using the principle of least privilege. They should have also continuously monitored and audited network activity for suspicious behavior.
Protect: Equifax should have implemented multi-factor authentication for accessing sensitive systems and data. They should have regularly conducted vulnerability scans and penetration testing to identify and remediate weaknesses. They should have also used encryption to protect sensitive data in transit and at rest.
Detect: Equifax should have regularly trained its employees on security best practices and company policies. It should have had an incident response plan and tested it regularly to prepare for a data breach. Equifax should have applied software and system updates and patches as soon as they became available. It should have had security incident and event management processes in place to detect and respond to potential breaches.
Respond: Equifax should have had an incident response plan and tested it regularly. They should have notified affected parties and authorities as soon as possible. They should have contained the incident to limit the damage.
Recover: Equifax should have had a plan in place for data restoration and recovery. They should have implemented measures to prevent similar incidents in the future. They should have reviewed the incident response plan and updated it if needed.
9. IAM and Equifax Breach
In terms of Identity and Access Management (IAM), Equifax’s failure to update its software and patch known vulnerabilities played a significant role in the breach. The attackers exploited a known vulnerability in the Apache Struts framework, which is used in many web applications, including Equifax’s. This highlights the importance of regular software updates and patch management alongside IAM to prevent unauthorized access to sensitive information.
Authentication: Equifax should have implemented robust authentication methods, such as multi-factor authentication, to verify the identity of users and systems accessing sensitive data. This could have helped to prevent unauthorized access to the system.
Authorization: Equifax should have implemented robust authorization controls to determine which users and systems were allowed to access sensitive data. This could have limited the scope of damage by preventing unauthorized access to the data.
Role-based access control (RBAC): Equifax should have implemented RBAC to control access to sensitive data based on the roles and responsibilities of users within the organization. This could have prevented employees from accessing data they were not authorized to see.
Single sign-on (SSO): Equifax should have implemented SSO to allow users to authenticate once and then access multiple systems or applications without re-entering their credentials. This could have reduced the risk of password-related breaches.
Federation: Equifax could have implemented identity federation to share identity information between different systems or organizations, allowing users to access resources across multiple domains with a single set of credentials. This could have reduced the number of identities and credentials that must be managed and protected.
Identity governance: Equifax should have implemented an identity governance framework to manage and audit the lifecycle of user identities, including creating, modifying, and disabling accounts. This could have helped to detect and prevent malicious activity.
Self-service: Equifax should have implemented a self-service system allowing users to manage their identities and access, such as resetting passwords or requesting access to new resources. This could have reduced the risk of human error or malicious insider activity.
Multi-Factor Authentication (MFA): Equifax should have implemented MFA for accessing sensitive data. This could have prevented unauthorized access to the system by requiring the user to provide a combination of two or more factors to prove their identity.
10. CIA Triad and Equifax Data Breach
In the context of the Equifax data breach, the CIA triad concepts could have been applied as follows:
Confidentiality: Equifax should have implemented measures to protect sensitive information from unauthorized access or disclosure, such as encryption, access controls, and data classification. This could have helped to prevent the unauthorized access and exfiltration of sensitive data.
Integrity: Equifax should have ensured the accuracy, completeness, and authenticity of its data through measures such as data validation, input validation, and data backups. This could have helped to prevent malicious actors from altering or corrupting the data.
Availability: Equifax should have ensured that its information was accessible to authorized users when needed, through measures such as disaster recovery, load balancing, and failover. This could have helped to minimize the impact of a data breach or other incident on its operations.
It’s worth noting that while the application of these concepts could have helped in preventing or mitigating the Equifax data breach, there could have been other factors that contributed to the incident. It’s impossible to know for sure if these measures would have been sufficient without more information on the specifics of the incident.
11. Defense in Depth and Equifax Data Breach
In the context of the Equifax data breach, the Defense in Depth concepts could have been applied as follows:
Multiple layers of defense: Equifax should have implemented numerous security controls such as firewalls, intrusion detection systems, antivirus software, and access controls to protect against threats. This could have helped to prevent unauthorized access to sensitive data.
Redundancy: Equifax should have had multiple security controls to provide redundancy in case one layer is breached. This could have helped to mitigate the impact of a security incident.
Segmentation: Equifax should have separated different parts of the network and created security zones to limit the scope of a potential security incident. This could have helped prevent a security incident from spreading to other parts of the network.
Resilience: Equifax should have designed its security infrastructure to withstand and recover from a security incident. This could have helped to minimize the impact of a security incident.
Continuous monitoring and improvement: Equifax should have monitored its security infrastructure for potential vulnerabilities and taken action to remediate them. This could have helped to prevent the security incident from happening in the first place.
Regarding defensive measures, Equifax failed to properly segment its network, allowing attackers to move laterally and reach more sensitive information. This highlights the importance of network segmentation and of limiting access to sensitive information to those who need it. Additionally, Equifax’s detection mechanisms were ineffective, as the breach went undetected for 76 days. This highlights the importance of robust incident detection and response capabilities to identify and contain breaches quickly.
Regarding offensive measures, the attackers used sophisticated techniques to evade detection and exfiltrate data. They used encryption to mask their searches, extracted information into small temporary archives, and transferred the data off Equifax’s servers. This highlights the need for proactive threat hunting and incident response capabilities to detect and respond to advanced persistent threats.
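The attacker behaviour described in the Technical Details section and again here, thousands of database lookups under a legitimate employee credential followed by small archives leaving the network, is detectable from ordinary logs even when the content of the traffic is encrypted, because the volume and the destinations are still visible. The following is an added Python example, not Equifax’s tooling and not from the page’s sources, of the kind of hunt logic a SIEM rule or a threat-hunting script would run: it counts record lookups per account per hour against a baseline, flags archive files sent to non-internal addresses, and raises a higher-severity alert when both happen for the same account. The log format, the field names, the 200-per-hour baseline, and the sample log lines are all constructed for the example; the external address uses the TEST-NET-3 documentation range.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical baseline: more lookups than this by one account in an hour is
# outside normal analyst behaviour and warrants an alert.
QUERY_RATE_LIMIT = 200
ARCHIVE_SUFFIXES = (".zip", ".7z", ".rar", ".tar.gz", ".tgz")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed line format: "<ISO timestamp> <event> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<event>\w+) (?P<fields>.*)$")


def parse_line(line: str):
    """Parse one log line into a dict; return None for lines in any other shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "event": m.group("event"), **fields}


def is_internal(ip: str) -> bool:
    """True for RFC 1918 addresses; anything unparseable is treated as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def detect(lines):
    """Return (rule, user, detail) alerts for lookup bursts, archive egress, and the two combined."""
    queries = defaultdict(int)   # (user, hour bucket) -> number of record lookups
    egress = defaultdict(list)   # user -> [(destination, file)] for archives sent externally
    for line in lines:
        rec = parse_line(line)
        if rec is None or "user" not in rec:
            continue
        if rec["event"] == "db_query":
            bucket = rec["ts"].replace(minute=0, second=0)
            queries[(rec["user"], bucket)] += 1
        elif rec["event"] == "net_out":
            name = rec.get("file", "").lower()
            if name.endswith(ARCHIVE_SUFFIXES) and not is_internal(rec.get("dst", "")):
                egress[rec["user"]].append((rec["dst"], rec["file"]))

    alerts, bursting = [], set()
    for (user, bucket), n in sorted(queries.items()):
        if n > QUERY_RATE_LIMIT:
            bursting.add(user)
            alerts.append(("query_burst", user, f"{n} lookups in the hour from {bucket:%Y-%m-%d %H:00}"))
    for user, xfers in sorted(egress.items()):
        alerts.append(("archive_egress", user, f"{len(xfers)} archive(s) sent to external hosts"))
        if user in bursting:   # the correlation is what separates exfiltration from a busy analyst
            alerts.append(("exfil_pattern", user, "bulk lookups followed by external archive transfer"))
    return alerts


def constructed_log():
    """Constructed sample: one normal analyst and one account behaving like the breach narrative."""
    lines = ["# constructed sample log, not real telemetry"]
    for i in range(20):    # normal daytime use, archive sent to an internal file server
        lines.append(f"2017-05-20T10:{i:02d}:00Z db_query user=analyst1 table=disputes rows=1")
    lines.append("2017-05-20T10:30:00Z net_out user=analyst1 dst=10.20.30.40 bytes=4096 file=report.zip")
    for i in range(250):   # overnight bulk lookups from a compromised account
        lines.append(f"2017-05-20T02:{i // 60:02d}:{i % 60:02d}Z db_query user=svc-dispute table=consumer_credit rows=1")
    for n in range(3):     # small archives pushed to an external address
        lines.append(f"2017-05-20T02:3{n}:00Z net_out user=svc-dispute dst=203.0.113.45 bytes=480000 file=tmp_{n}.zip")
    return lines


if __name__ == "__main__":
    for rule, user, detail in detect(constructed_log()):
        print(f"{rule:15} {user:12} {detail}")
```

Two design points carry over to real deployments: the baseline must be per-role rather than global (a dispute-portal service account and a fraud analyst have very different normal volumes), and the egress rule needs the file name or MIME type from a proxy or DLP log, since flow records alone show only bytes and destination.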
12. What organizational and governance issues contributed the most to the breach?
Equifax lacked adequate security measures to protect its systems. The company did not properly segment its networks, which would have limited the fallout once a hacker had broken through. This lack of segmentation allowed the hackers to reach multiple servers and sensitive files. Furthermore, Equifax’s security team failed to detect the suspicious network traffic, which allowed the hackers to continue extracting data for 76 days.
The vulnerability had been identified by the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) on March 8th, and Equifax had received a notification to patch it. However, the company did not correctly identify or update the vulnerable version of Apache Struts, allowing the vulnerability to remain in an Equifax web application for longer than it should have.
Another issue was the failure of Equifax’s security scans to identify systems vulnerable to the Apache Struts issue. On March 15th, the company’s information security department ran scans that were supposed to identify any vulnerable systems, but the scans did not identify the Apache Struts vulnerability. This failure to recognize the vulnerability allowed the attacker to access sensitive information from May 13th until July 30th.
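The scan failure described above is the reason an inventory check should look at the artifacts actually deployed rather than at an asset list. The following is an added Python example, not Equifax’s scanner and not from the page’s sources, that walks a deployment tree, opens every JAR, reads the version recorded inside any struts2-core artifact, and compares it with the affected ranges from the Apache S2-045 advisory for CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1). The metadata locations it reads (Maven `pom.properties` and the manifest `Implementation-Version`) are how a Maven-built JAR is normally laid out; the sample JARs and directory layout are constructed for the example, and the same check also covers the vulnerability-management point made in the next section.

```python
import io
import os
import re
import shutil
import tempfile
import zipfile

# Affected ranges per Apache advisory S2-045 (CVE-2017-5638); fixed releases are 2.3.32 and 2.5.10.1.
VULNERABLE_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]
POM_PROPERTIES = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"
MANIFEST = "META-INF/MANIFEST.MF"


def parse_version(text: str):
    """'2.5.10.1' -> (2, 5, 10, 1); trailing qualifiers such as '-SNAPSHOT' are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_vulnerable(version: str) -> bool:
    """Tuple comparison handles the four-part fix release 2.5.10.1 correctly."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


def struts_core_version(jar_bytes: bytes):
    """Return the struts2-core version recorded inside a JAR, or None if it is another library."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        if POM_PROPERTIES in names:   # Maven-built jars record the exact version here
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
        if MANIFEST in names and any(n.startswith("org/apache/struts2/") for n in names):
            for line in zf.read(MANIFEST).decode("utf-8", "replace").splitlines():
                if line.startswith("Implementation-Version:"):
                    return line.split(":", 1)[1].strip()
    return None


def scan_tree(root: str):
    """Walk a deployment directory and report every struts2-core jar with version and status."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if not zipfile.is_zipfile(io.BytesIO(data)):
                continue
            version = struts_core_version(data)
            if version is not None:
                findings.append((path, version, is_vulnerable(version)))
    return findings


def build_fake_jar(version=None) -> bytes:
    """Constructed stand-in for a real jar containing only the metadata the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is None:   # an unrelated library
            zf.writestr(MANIFEST, "Manifest-Version: 1.0\r\n")
            zf.writestr("com/example/Util.class", b"\xca\xfe\xba\xbe")
        else:
            zf.writestr(MANIFEST, f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
            zf.writestr(POM_PROPERTIES, f"version={version}\nartifactId=struts2-core\n")
            zf.writestr("org/apache/struts2/dispatcher/Dispatcher.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def demo():
    """Build a throwaway deployment tree with three jars, scan it, and return (name, version, vulnerable)."""
    root = tempfile.mkdtemp(prefix="struts-scan-")
    try:
        jars = {
            "app1/WEB-INF/lib/struts2-core-2.3.31.jar": build_fake_jar("2.3.31"),
            "app2/WEB-INF/lib/struts2-core-2.5.13.jar": build_fake_jar("2.5.13"),
            "app2/WEB-INF/lib/commons-lang3-3.5.jar": build_fake_jar(None),
        }
        for rel, data in jars.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return sorted((os.path.basename(p), v, vuln) for p, v, vuln in scan_tree(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, version, vuln in demo():
        print(f"{name}: struts2-core {version} -> {'VULNERABLE' if vuln else 'ok'}")
```

A hit means the deployed version is in the affected range; whether a given application was exploitable also depended on which multipart parser it used, and the default in these releases was the affected Jakarta parser, so a hit should be treated as patch-now until proven otherwise. Running this against the unpacked web application directories, rather than against a list of what was believed to be deployed, is what closes the gap the page describes.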
The Equifax security department also failed to detect illegal access during this period. On July 29th, the security department observed suspicious network traffic associated with the consumer dispute website but only took appropriate action on July 30th, when they took the web application offline. This delay in detecting and responding to suspicious activity allowed the attacker to access sensitive information for an extended period.
Another problem was the lack of communication and coordination within the company. The CEO, Richard Smith, was not informed of the suspicious activity or the scope of the attack until July 31st, and the company’s CIO and CSO resigned shortly after the breach was announced. Better communication and coordination could have helped the company respond to the breach effectively and contain the damage.
Finally, there was the issue of insider trading. A former Equifax executive, Jun Ying, was indicted by a federal grand jury on criminal charges of insider trading for selling nearly $1 million of company stock just days before the credit reporting company announced the massive data breach last summer. According to the SEC, the sale allowed him to avoid $117,000 in losses. He sold the equivalent of $950,000 in stock.
The Equifax data breach is a clear example of how organizational and governance issues can contribute to a data breach. The failure to update systems and implement proper security measures, together with the lack of incident response and data recovery plans, allowed the hackers to access and extract sensitive information. Companies must prioritize information security and have proper incident response plans to minimize a data breach’s impact. Additionally, organizations must adhere to industry standards such as the NIST Cybersecurity Framework (CSF), which provides a framework for organizations to manage their cybersecurity risks. Equifax’s breach highlights the importance of implementing strong governance and security policies and having the right processes to prevent and respond to cyber incidents.
13. Based on your research and learning, what was one of the major root causes that contributed to the breach? What outstanding issue or immediate vulnerability was identified as the root cause of the breach? What specific systems or software were vulnerable to attack and exploitation?
The Apache Struts framework is an open-source framework for building web applications in Java. It is widely used by organizations of all sizes, including Fortune 100 companies. In March 2017, a critical security patch was released for Struts after a vulnerability was discovered. The patch addressed a Remote Code Execution (RCE) vulnerability, which allows an attacker to run code on the server and gain access to sensitive information.
The vulnerability, CVE-2017-5638, was discovered on March 10, 2017, and the Apache Foundation immediately released a patch. However, Equifax failed to install the patch, so their systems remained vulnerable to attack. This failure to promptly apply security updates is a common issue that organizations face and highlights the importance of continuous monitoring and maintenance of systems and software.
Despite the availability of this patch, Equifax failed to update their systems promptly, leaving them vulnerable to attack. The breach is believed to have started on May 12, 2017, and continued for 76 days until Equifax discovered the intrusion on July 29, 2017. The attackers exploited the RCE vulnerability in the Struts framework to access Equifax’s internal servers and sensitive customer data.
In addition to the vulnerability in the Struts framework, the breach also highlighted organizational and governance issues within Equifax. The company’s security team failed to install the recommended software upgrade, despite the critical nature of the vulnerability. This failure to patch known vulnerabilities is a common issue that organizations face, highlighting the importance of having a robust vulnerability management program.
Furthermore, Equifax’s network design and breach detection mechanisms were also inadequate, making it easier for attackers to access sensitive information. The company’s security protocols were not sufficient to protect customer data, which resulted in a significant loss of personal information for millions of Americans.
14. What are Equifax’s major missteps regarding the breach that caused further damage?
One of the first missteps was their initial response on social media. The company’s initial tweets about the data breach did not mention the extent of the problem or include any information about how many people were affected. This led to confusion and frustration among consumers, further damaging the company’s reputation.
In the wake of the breach, the company offered free credit monitoring services to affected customers. However, the terms of service for these services included arbitration clauses that would have prevented customers from suing Equifax over the breach. This caused further customer outrage and was seen as an attempt to limit Equifax’s liability for the breach.
Another significant failing was the company’s handling of the customer service response. Consumers trying to find out whether their information had been compromised faced long wait times and received imprecise information from customer service representatives. Additionally, Equifax’s website for checking whether one’s information had been compromised was unreliable and difficult to navigate.
The company took over a month to inform consumers about the breach. Communication about the extent of the breach and the measures being taken to address it was neither transparent nor consistent. This caused confusion and mistrust among customers, who felt that Equifax was not being transparent about the situation.
Finally, Equifax’s handling of the stock sales by three executives days after the data breach was discovered and before it was announced was seen as callous and insensitive. This raised suspicions among the public and further damaged the company’s reputation.
15. Knowing how Equifax responded, what would you have done differently if you had been the head of their incident response team?
I want to address the significant missteps during the company’s response to the 2017 data breach. In retrospect, there are several key areas where different decisions and actions could have minimized the damage caused by the breach.
First and foremost, I would prioritize patching the known vulnerability in the Apache Struts software that the attackers exploited. It was a critical issue identified and addressed by the Apache Foundation, yet Equifax did not adequately address it. By failing to install the software upgrade, Equifax left its systems vulnerable to intrusion. In the future, I would ensure that all software vulnerabilities are identified and patched in time and that regular vulnerability assessments are conducted to identify and address potential security threats.
Another major misstep was the delay in disclosing the breach to the public. Equifax discovered the breach on July 29, 2017, yet it took over a month for the company to inform consumers about the incident. This delay only eroded public trust and increased the potential for damage. In the future, I would ensure that any data breaches are disclosed as soon as possible and that all necessary steps are taken to minimize the potential harm to customers and the company.
Additionally, Equifax’s incident response plan should have addressed the scope and severity of the breach adequately. The company’s incident response team could not quickly identify and contain the breach, resulting in a prolonged and costly cleanup process. In the future, I would ensure that our incident response plan is regularly reviewed and updated to address the latest security threats and that our incident response team is adequately trained and equipped to handle a significant data breach.
Lastly, Equifax’s failure to encrypt sensitive customer data was a significant misstep that contributed to the severity of the breach. The company’s unencrypted credit card data retention violated industry standards and exposed sensitive financial information. In the future, I would ensure that all sensitive customer data is appropriately encrypted and we comply with industry standards and regulations.
In summary, the key areas that I would have addressed differently as the head of Equifax’s incident response team include: timely patching of known vulnerabilities, timely disclosure of the breach, developing an incident response plan that addresses the scope and severity of the breach, and ensuring that all sensitive customer data is adequately encrypted and in compliance with industry standards and regulations.
16. What steps could Equifax have taken to prevent this breach or lessen its impact? What processes or practices could have been employed or enhanced to effectively prevent or mitigate such an outcome?
One key step would have been to prioritize patching known vulnerabilities in their software, such as the Apache Struts vulnerability that the attackers exploited. Equifax’s failure to fix this vulnerability promptly was a significant contributing factor to the breach.
Another important step would have been implementing a robust incident response plan and conducting regular incident response exercises to ensure that the company was prepared to respond quickly and effectively during a breach. This could have included regular security training for employees and clear communication protocols for responding to a breach.
To enhance security and prevent breaches, Equifax could also have implemented additional layers of security, such as network segmentation, which would have helped to limit the scope of the attack and minimize the amount of compromised data. Additionally, it could have better encrypted sensitive data at rest and in transit, making it more difficult for attackers to read the data even if they gained access to the company’s systems.
Lastly, Equifax could have improved its security monitoring and incident detection capabilities by implementing a security information and event management (SIEM) system. This system would have provided real-time visibility into network and security events, which would have helped Equifax to detect and respond to the attack more quickly.
17. What are the key lessons you learned from the Equifax case study? And what lessons are there for other organizations?
The Equifax case study reminds organizations to prioritize cybersecurity as a critical business function and invest in the necessary resources and personnel to protect their systems and data effectively. This includes having a dedicated cybersecurity team, implementing regular security training and awareness programs for employees, and investing in the latest security technologies.
The case also highlights the importance of conducting regular security assessments and penetration testing to identify vulnerabilities in the system. Equifax should have recognized that its systems were vulnerable to attack and taken steps to mitigate those vulnerabilities. Regular security assessments and penetration testing can help organizations identify vulnerabilities before hackers can exploit them.
Additionally, the Equifax case study highlights the importance of data protection and encryption. The exposure of millions of customers' sensitive personal and financial information highlights the importance of encrypting sensitive data when stored.
18. Conclusion
This data breach is considered one of history’s most significant data breaches. It raises concerns about security at credit bureaus, leading to calls for more oversight from regulators and lawmakers. Equifax’s failure to install a software upgrade and the company’s poor encryption practices were significant factors in the data breach. It highlights the importance of timely updates and security measures for companies with sensitive information about individuals.
References:
- https://www.youtube.com/watch?v=bh1gzJFVFLc
- https://www.secureworld.io/industry-news/day-by-day-timeline-of-equifax-breach
- https://www.hbs.edu/faculty/Pages/item.aspx?num=53509
- https://www.secureworld.io/industry-news/equifax-post-breach-why-the-ceo-survived-just-19-days
- https://www.cnbc.com/2018/03/14/former-equifax-executive-charged-with-insider-trading-ahead-of-data-breach.html
- https://www.secureworld.io/industry-news/equifax-breach-social-media
- https://www.cnbc.com/2019/02/13/equifax-mystery-where-is-the-data.html
- https://www.marketwatch.com/story/the-equifax-data-breach-in-one-chart-2018-09-07
- https://www.usatoday.com/story/tech/2020/02/10/2017-equifax-data-breach-chinese-military-hack/4712788002/
- https://arstechnica.com/information-technology/2017/09/equifax-hackers-stole-data-for-200k-credit-cards-from-transaction-history/
- https://techcrunch.com/2017/09/08/equifax-breach-disclosure-would-have-failed-europes-tough-new-rules/
- https://www.forbes.com/sites/leemathews/2017/09/07/equifax-data-breach-impacts-143-million-americans/?sh=23cf2150356f
- https://www.cnet.com/news/privacy/equifaxs-hack-one-year-later-a-look-back-at-how-it-happened-and-whats-changed/
- https://www.wired.com/story/how-to-stop-breaches-equifax/
- https://avatao.com/blog-deep-dive-into-the-equifax-breach-and-the-apache-struts-vulnerability/