US Senate delivers scathing report on Equifax breach
US credit reporting agency Equifax left itself open to attack due to poor cybersecurity practices and policies at the time it fell victim to a data breach that exposed the personal records of 145 million American residents, a government investigation has found.
A report from the US Senate Permanent Subcommittee on Investigations into the 2017 Equifax data breach delivers a stinging indictment of the company’s security awareness.
According to the report, Equifax had failed to prioritise cybersecurity for some time prior to the breach. The company had no standalone formal policy governing patching of known security vulnerabilities until 2015.
An audit completed at the introduction of this policy determined that the company was not following its own patching policy, and no further audit was conducted to assess whether this shortcoming had been addressed.
The report found that Equifax could not even follow its own policies in patching the Apache vulnerability that ultimately caused the breach — its patching policy required the IT department to patch critical vulnerabilities within 48 hours, but while the company was aware of the vulnerability for at least two months prior to the initial breach, it failed to take action due to poor governance.
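The 48-hour deadline for critical vulnerabilities is the kind of control an audit can check mechanically, and the report's central point is that nobody was checking it. The script below is an added illustration, not code from the Senate report or from Equifax: it computes, for a constructed inventory of findings, which ones are open past their patch deadline, which were closed late, and how far over the line they are. The SLA table is an assumption modelled on the 48-hour figure the report cites (the other tiers are invented for the example), and the asset names and advisory identifiers are placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumed SLA table: the 48-hour "critical" deadline is the figure the report
# describes; the other tiers are constructed for this example only.
PATCH_SLA_HOURS = {"critical": 48, "high": 7 * 24, "medium": 30 * 24, "low": 90 * 24}


@dataclass
class Finding:
    asset: str                      # placeholder hostname
    advisory: str                   # placeholder advisory id (no real identifiers)
    severity: str
    known_since: datetime           # when the organisation first knew of the issue
    patched_at: Optional[datetime] = None


def deadline(f: Finding) -> datetime:
    """Latest time the fix should have been applied under the assumed SLA."""
    return f.known_since + timedelta(hours=PATCH_SLA_HOURS[f.severity.lower()])


def sla_status(f: Finding, now: datetime) -> Tuple[str, float]:
    """Classify one finding; second value is hours past the deadline (0.0 if none)."""
    due = deadline(f)
    if f.patched_at is not None:
        if f.patched_at <= due:
            return "ok", 0.0
        return "patched_late", (f.patched_at - due).total_seconds() / 3600
    if now <= due:
        return "open_within_sla", 0.0
    return "overdue", (now - due).total_seconds() / 3600


def audit(findings: List[Finding], now: datetime) -> Dict[str, List[Tuple[str, str, float]]]:
    """Group findings by SLA status; 'overdue' is sorted so the worst breach comes first."""
    report: Dict[str, List[Tuple[str, str, float]]] = {
        "ok": [], "open_within_sla": [], "overdue": [], "patched_late": []
    }
    for f in findings:
        status, hours = sla_status(f, now)
        report[status].append((f.asset, f.advisory, round(hours, 1)))
    report["overdue"].sort(key=lambda row: -row[2])
    return report


# Constructed sample inventory; timestamps are UTC and chosen only to exercise each branch.
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    # Critical, known for two months, never patched: the pattern the report describes.
    Finding("dispute-portal-web01", "ADV-PLACEHOLDER-1", "critical",
            datetime(2024, 3, 1, tzinfo=timezone.utc)),
    # High, fixed within its seven-day window.
    Finding("hr-app02", "ADV-PLACEHOLDER-2", "high",
            datetime(2024, 4, 20, tzinfo=timezone.utc),
            patched_at=datetime(2024, 4, 25, tzinfo=timezone.utc)),
    # Critical, discovered 36 hours ago: still inside the 48-hour window.
    Finding("db03", "ADV-PLACEHOLDER-3", "critical",
            datetime(2024, 4, 29, 12, tzinfo=timezone.utc)),
    # Medium, patched five days after its 30-day deadline.
    Finding("web04", "ADV-PLACEHOLDER-4", "medium",
            datetime(2024, 3, 1, tzinfo=timezone.utc),
            patched_at=datetime(2024, 4, 5, tzinfo=timezone.utc)),
]


def run_demo() -> Dict[str, List[Tuple[str, str, float]]]:
    """Audit the constructed inventory as of NOW."""
    return audit(SAMPLE_FINDINGS, NOW)


if __name__ == "__main__":
    for status, rows in run_demo().items():
        for asset, advisory, hours in rows:
            print(f"{status:16} {asset:22} {advisory:20} {hours:>8.1f}h over")
```

The useful output is the `overdue` list: in a real programme it would feed the follow-up audit the report says never happened, and a non-empty list for any critical item is the signal that the written policy and actual practice have diverged.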
Once the breach occurred, the company was unable to detect attackers entering the networks because it failed to take the actions required to observe incoming malicious traffic.
This oversight involved continuing to operate with an expired SSL certificate for the online dispute portal that acted as the initial point of entry for the attackers.
Other key findings of the report include the fact that Equifax waited six weeks before notifying the public of the breach; that the damage done by the attack could have been minimised if the company had better internal network security practices; and that two rival credit rating agencies, TransUnion and Experian, were both targeted by a similar attack but avoided a breach.