Report Shows the Equifax Breach was "Entirely Preventable"

It's always great to see our hard earned tax dollars put to good use. The US government recently released a report showing the spectacular breach of Equifax last year was entirely preventable if Equifax only made some reasonable efforts to protect themselves - and our data. This post outlines some of the report’s most significant discoveries, and how you can defend yourself better than Equifax did.

The report

The House Oversight and Government Reform Committee have released a staff report after a 14-month investigation into the Equifax breach that has been well documented as one of the largest security incidents in U.S. history, affecting over 148 million consumers. As most readers are already aware, Equifax failed to patch a known vulnerability in Apache Struts, a very commonly used open source Java web framework.

The committee sifted through over 122,000 pages of documents and interviewed three former Equifax employees, who were directly involved with Equifax’s IT teams, to help their investigations and create the report which you can read in full here.

The report confirms that “Equifax did not see the data exfiltration because the device used to monitor network traffic had been inactive for 19 months due to an expired security certificate”. Once Equifax updated the certificate two months later, their staff “immediately noticed suspicious web traffic.”

The mistake: one security expert to rule them all

Most notably, Equifax’s former CEO Richard Smith, who retired soon after the incident, blamed a single member of IT staff for failing to patch the Struts library that contained the known vulnerability. Smith informed the committee about the error which leads to the incident as follows:

“The human error was that the individual who’s responsible for communicating in the organization to apply the patch did not”

Believing that the blame sat with a single person shows how far Equifax was at the time from adopting good security practices throughout their teams. The core error was to have a security process that relies on any one individual rather than to share the security responsibility across teams, starting with developers.

The report findings also describe an “execution gap between IT policy development and operation.” This information paints a picture of Equifax running siloed engineering, operations and security teams that do not integrate operational or security practices into their development workflows or application lifecycles.

These are the core issues which DevSecOps aims to solve, by shifting much of the security testing left allowing vulnerabilities in code and open source libraries to be identified and fixed as early and as quickly as possible. The security responsibilities are therefore shared across *all* developers, and security tests are baked into all stages throughout the development workflow. This is a stark contrast to how Equifax relied on a single member of staff.

The solution: integrating security into the development workflow

Let’s use good DevSecOps practices to show how the Equifax breach via the vulnerable Struts library could have been prevented by a development team, rather than relying on an individual. There were two days between the Apache Struts vulnerability disclosure and the first exploit on the Equifax application. Let’s work our way from development through to production to see where this security issue should have been identified and fixed.

Development: If the application code was still being actively developed, development teams would be locally developing, building and testing the application. Integrating security testing to identify vulnerable dependencies would flag issues via notifications in IDEs and builds, making it clear to whole teams of developers that the new vulnerability exists as well as offering automated remediation advice via pull requests or directly in IDEs.

CI: Any new build run by a CI server would automatically test application dependencies via a CI server plugin or a CLI invocation as a task. This would immediately flag the new vulnerability, breaking the CI job and forcing a remediation action before continuing.

Monitoring: Whether or not applications are being actively developed or not, if they’re running in production they should be actively monitored. Any new vulnerabilities that are disclosed could will then be dealt with immediately. Notifications would be sent to development teams to fix the vulnerabilities via preferred channels, such as automatic PRs, emails or slack messages along with the required upgrades necessary to eliminate the issue.

Runtime: Using runtime security tools, any abnormalities in behavior or vulnerable function invocations would immediately be flagged allowing teams to react to security incidents as they happen.

Key findings

The report produces five key findings from the security incident, as documented by the committee, as follows:

1. Entirely preventable. Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues, the data breach could have been prevented.

2. Lack of accountability and management structure. Equifax failed to implement clear lines of authority within their internal IT management structure, leading to an execution gap between IT policy development and operation. Ultimately, the gap restricted the company’s ability to implement security initiatives in a comprehensive and timely manner.

3. Complex and outdated IT systems. Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment. Both the complexity and antiquated nature of Equifax’s custom-built legacy systems made IT security especially challenging.

4. Failure to implement responsible security measurements. Equifax allowed over 300 security certificates to expire, including 79 certificates for monitoring business-critical domains. Failure to renew an expired digital certificate for 19 months left Equifax without visibility on the exfiltration of data during the time of the cyber attack.

5. Unprepared to support affected consumers. After Equifax informed the public of the data breach, they were unprepared to identify, alert and support affected consumers. The breach website and call centers were immediately overwhelmed, resulting in affected consumers being unable to access information necessary to protect their identity.

If you haven’t yet tried it out, you’re welcome to test your application projects with Snyk for free! We’ll start scanning and monitoring them for vulnerabilities that you currently have and help you eliminate them from your codebase.