Congressional Report on Equifax Data Breach: A Lesson in Cybersecurity Complacency

By Michael A. Shapiro, Esq., an attorney with XPAN Law Group, LLC.

In September of 2017, Equifax Inc., one of the largest consumer reporting agencies, announced that it had suffered a data breach involving the personally identifiable information (PII) of over 145 million Americans, almost half of the United States population. The stolen data included names, Social Security numbers, birth dates, and addresses, as well as driver’s license and credit card numbers. The breach led to changes in credit freeze laws and new regulatory oversight of credit rating agencies.

Last week, the Senate Homeland Security and Governmental Affairs Committee’s Permanent Subcommittee on Investigations released a Report of its investigation into the incident, pointedly titled “How Equifax Neglected Cybersecurity and Suffered a Devastating Data Breach,” which recommended establishing uniform federal standards for the protection of PII and the reporting of data breaches. The Subcommittee also held a hearing last week at which Equifax CEO Mark Begor and Marriott CEO Arne Sorenson testified about high-profile breaches at their companies.

The Report concluded that even though a number of factors contributed to the Equifax breach, they all reflected the company’s broader culture of complacency toward cybersecurity preparedness. For example, in 2015, Equifax conducted an audit which revealed a number of deficiencies in the company’s management of cybersecurity vulnerabilities, including the lack of a comprehensive IT inventory (i.e., Equifax lacked a complete understanding of the assets it owned). Equifax never conducted a follow-up audit, and several issues identified in 2015 remained unaddressed in the lead-up to the 2017 data breach.

The immediate cause of the breach was a critical vulnerability in a certain version of Apache Struts – a widely used piece of web application software. Equifax learned of the Apache Struts vulnerability more than two months before hackers gained access to its systems. Equifax security staff circulated a vulnerability alert via an internal email that went to 400 employees. However, the Equifax developer who was aware of the company’s use of Apache Struts was not included in the email distribution and never received the alert. Even though Equifax subsequently scanned its systems for the vulnerable version of Apache Struts, the scans did not identify its presence on the network. Because Equifax still lacked a comprehensive inventory of its IT assets, it did not know that the vulnerable version of Apache Struts remained on its systems.

Furthermore, Equifax was unable to detect the attackers entering its network because it had not taken the steps necessary to inspect incoming traffic for malicious activity. Specifically, Equifax failed to renew on time an SSL certificate that allowed the company to decrypt and examine encrypted network traffic. Because the certificate had expired, Equifax could not decrypt and inspect incoming traffic to the compromised portal, which delayed its detection of the breach by seventy-eight days.

The damage done by the hackers could also have been minimized. The hackers initially gained access to Equifax’s online dispute portal. From there, they were able to obtain credentials to other databases and applications because some Equifax employees had saved those credentials on a file share. The hackers could also reach certain other databases because of a lack of network segmentation within the relevant environment. Network segmentation restricts unnecessary access to other systems once a user is inside a particular environment and is a standard recommended in the NIST Cybersecurity Framework. Equifax, however, made a business decision not to segment its systems in favor of more efficient business operations and functionality. In addition, at the time of the breach, Equifax lacked basic tools and processes to detect and identify changes to files accessible through its online dispute portal, which could have generated real-time alerts of any unauthorized changes made by the hackers.

Once Equifax discovered the breach and began an investigation, it waited six weeks to inform the public. Other companies that have suffered data breaches have waited for varying periods of time before notifying the public. For example, Target made a public announcement within seven days of learning about its 2013 breach, which affected over 40 million customer payment card accounts. Yahoo!, on the other hand, did not disclose a 2013 breach that affected all 3 billion of its account users for over three years.

In light of its investigatory conclusions, the Subcommittee recommended that:

  1. Congress should pass legislation that would establish a national uniform standard requiring private entities that collect and store PII to take reasonable and appropriate steps to prevent cyberattacks and data breaches.
  2. Congress should pass legislation requiring private entities that suffer a data breach to notify affected consumers, law enforcement, and federal regulatory agencies without unreasonable delay.  
  3. Congress should explore the need for additional efforts to share information with private companies about cybersecurity threats and disseminate cybersecurity best practices that IT asset owners can adopt.
  4. Federal agencies with a role in ensuring private entities take steps to prevent cyberattacks and data breaches and protect PII should examine their authorities and report to Congress with any recommendations to improve effectiveness of their efforts.

The Subcommittee’s recommendations underscore the need for a comprehensive federal privacy and data security framework. Indeed, some recent legislative proposals include provisions that would require companies that collect personal data to take reasonable steps to safeguard the information, and a recent U.S. Government Accountability Office Report has already recommended creating new rulemaking and penalty authorities in the Federal Trade Commission (see our earlier blog post for a breakdown of that Report). A uniform federal data breach notification standard would also be welcomed by the business community and consumers alike. The proverbial patchwork of state breach notification laws imposes significant compliance costs and creates uncertainty for companies and consumers responding to data breaches.

The main lesson that companies, big and small, should take from the Equifax breach is that cybersecurity complacency equals vulnerability.  Even though data breaches, like death and taxes, are inevitable, a proactive and diligent approach to data security will go a long way towards minimizing and managing your company’s risk.