US Senate delivers scathing report on Equifax breach


By Dylan Bushell-Embling
Thursday, 11 April, 2019

US credit reporting agency Equifax left itself open to attack due to poor cybersecurity practices and policies at the time it fell victim to a data breach that exposed the personal records of 145 million American residents, a government investigation has found.

A report from the US Senate Permanent Subcommittee on Investigations into the 2017 Equifax data breach delivers a stinging indictment of the company’s security awareness.

According to the report, Equifax had failed to prioritise cybersecurity for some time prior to the breach. The company had no standalone formal policy governing patching of known security vulnerabilities until 2015.

An audit completed at the introduction of this policy determined that the company was not following its own patching policy, and no further audit was conducted to assess whether this shortcoming had been addressed.

The report found that Equifax could not even follow its own policies in patching the Apache vulnerability that ultimately caused the breach — its patching policy required the IT department to patch critical vulnerabilities within 48 hours, but while the company was aware of the vulnerability for at least two months prior to the initial breach, it failed to take action due to poor governance.

Once the breach occurred, the company was unable to detect the attackers entering its networks because it had not taken the actions required to observe incoming malicious traffic.

This oversight involved continuing to operate with an expired SSL certificate for the online dispute portal that acted as the initial point of entry for the attackers.
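A lapsed certificate is the kind of silent failure that turns traffic inspection into a blind spot, so a defender wants it surfaced well before it happens. The script below is an added example, not part of the article or of anything Equifax or the Senate report describes: it audits an inventory of certificates for expired and soon-to-expire entries using only the Python standard library. The hostnames and expiry dates in `SAMPLE_INVENTORY` are constructed for illustration; the records mimic the dictionary shape that `ssl.SSLSocket.getpeercert()` returns, so the same `audit()` can be fed live results from the optional `fetch_cert()` helper.

```python
"""Flag expired or soon-to-expire TLS certificates in an inventory.

Added example (not from the article). Standard library only; the
sample records are constructed and mirror the dict shape returned by
ssl.SSLSocket.getpeercert(), so a real inventory can be dropped in.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample inventory: hypothetical hosts and dates.
SAMPLE_INVENTORY = [
    {
        "host": "dispute-portal.example.com",  # hypothetical
        "cert": {
            "subject": ((("commonName", "dispute-portal.example.com"),),),
            "notAfter": "Jan 31 23:59:59 2016 GMT",  # already expired
        },
    },
    {
        "host": "tls-inspect.example.com",  # hypothetical
        "cert": {
            "subject": ((("commonName", "tls-inspect.example.com"),),),
            "notAfter": "May 20 23:59:59 2017 GMT",  # expires within warn window
        },
    },
    {
        "host": "www.example.com",  # hypothetical
        "cert": {
            "subject": ((("commonName", "www.example.com"),),),
            "notAfter": "Aug  1 23:59:59 2019 GMT",  # healthy
        },
    },
]


def expiry_utc(cert):
    """Parse the ASN.1 GeneralizedTime string from getpeercert() into a UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)


def classify(cert, now, warn_days=30):
    """Return 'expired', 'expiring' (within warn_days) or 'ok' relative to `now`."""
    exp = expiry_utc(cert)
    if exp <= now:
        return "expired"
    if exp - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def audit(inventory, now, warn_days=30):
    """Return (host, status, expiry_date) for every record that is not 'ok'."""
    findings = []
    for rec in inventory:
        status = classify(rec["cert"], now, warn_days)
        if status != "ok":
            findings.append((rec["host"], status, expiry_utc(rec["cert"]).date().isoformat()))
    return findings


def fetch_cert(host, port=443, timeout=5):
    """Live lookup for a real endpoint; not called by the offline sample run.

    Note: the default context verifies the chain, so an already-expired
    certificate raises ssl.SSLCertVerificationError here. Catching that
    error and reporting the host as 'expired' is a reasonable policy.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Evaluate the constructed inventory at a fixed point in time.
    reference = datetime(2017, 5, 1, tzinfo=timezone.utc)
    for host, status, expires in audit(SAMPLE_INVENTORY, reference):
        print(f"{status:9} {host:30} notAfter={expires}")
```

Running this as a scheduled job against the certificates on inspection devices and portals, and alerting on any non-`ok` finding, is the control whose absence the report describes: the expiry is a known date, so it can be caught weeks ahead rather than discovered after traffic has gone uninspected.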

Other key findings of the report include the fact that Equifax waited six weeks before notifying the public of the breach; that the damage done by the attack could have been minimised if the company had had better internal network security practices; and that two rival credit rating agencies — TransUnion and Experian — were both targeted by, but avoided, a similar attempted breach.
