Cyber Security

Luke Hally

The Equifax breach

January 24, 2022

Equifax is one of the world’s largest credit reporting agencies (CRAs). It compiles credit reports from consumer data and sells them to third parties. Because CRAs hold such high-value data, they are subject to stringent data security requirements imposed by various regulatory bodies (U.S. Senate. Committee on Banking, Housing, and Urban Affairs, 2017).

Rapid expansion through a series of acquisitions brought in a range of custom and legacy systems, and with them security challenges (U.S. House. Committee on Oversight and Government Reform, 2018). This contributed to an unpatched vulnerability in the Automated Consumer Interview System (ACIS), which was exploited in 2017 and led to the theft of the PII of roughly 148 million Americans. The Equifax case demonstrates a number of the core issues we covered this week.

The theft of consumers’ PII was a breach of confidentiality and privacy. Privacy was not respected during regular operations either: files were left out in plain sight and staff openly discussed PII in office conversations (Riley et al., 2017).

Consumers’ property and ownership were also affected. They had no ownership of their information, and many had no knowledge that it even existed; Senator Sherrod Brown described a “lack of transparency and control by consumers” (U.S. Senate. Committee on Banking, Housing, and Urban Affairs, 2017). Equifax appeared to view the data as its own property: the CEO stated that the banks gave it to Equifax for free, Equifax processed it and then sold it back to the banks at a 90% margin (Riley et al., 2017).

Although millions were invested in resources, including security systems and network activity monitoring, those resources were not allocated appropriately. This was evidenced by the expiry of security certificates and by the vulnerability notice forwarded by Graeme Payne, the CIO for Global Corporate Platforms, not reaching all of the stakeholders who needed it.

Following the attack, Equifax handled some aspects of transparency and disclosure well: it re-engaged Mandiant, notified the FBI, and set up a website and call centre to support consumers when it went public. But there was a culture of secrecy around security. Before the attack the CEO was allegedly running a ‘top secret’ security project, and a dispute saw Mandiant’s contract terminated shortly before the attack. At least one Equifax executive exercised his stock options between the discovery of the breach and the public announcement and was later sentenced for insider trading (U.S. Department of Justice, 2019); the culture of secrecy did nothing to impede that. Equifax also lacked operational transparency, with poor visibility of risks and systems across parts of the business; this contributed to an expired security certificate going unattended for 19 months and to the failure to detect unpatched systems.

The practical steps that would have prevented this attack were well documented during the investigations. There should have been functional, centralised reporting and verification of the patch state of every system that housed PII. Tools were in place to scan these systems and confirm that patches had been applied (Fruhlinger, 2020), but they were not working. Clear lines of reporting and incident communication protocols should also have been established, e.g. requiring the recipient to acknowledge receipt of an email carrying a given incident code. Had the monitoring systems failed, management could then have easily verified that communications were received and that action was under way, and flagged the monitoring problem.
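As an added illustration (not code from the original post or from Equifax), the Python script below shows how a patch-verification scan can report a clean result while a vulnerable library sits in a subdirectory it never looked at. That is the failure mode the House report describes for Equifax’s scanner: it checked the web root but not the application subdirectory where the vulnerable Apache Struts library lived. The directory layout, the `consumer-portal` path and the jar files are constructed for the example; the version thresholds are those of the Struts fix for CVE-2017-5638, the flaw exploited at Equifax.

```python
"""Added example: recursive vs. shallow verification that a vulnerable library
has been patched out of every application directory.

Everything here is constructed for illustration; the directory tree is built
in a temporary folder and the jar files are empty placeholders.
"""
import re
import tempfile
from pathlib import Path

# Matches Struts core jars such as struts2-core-2.3.31.jar and captures the version.
STRUTS_JAR = re.compile(r"^struts2?-core-(\d+(?:\.\d+)+)\.jar$")

# First fixed release on each affected branch for CVE-2017-5638
# (the Struts flaw exploited at Equifax): 2.3.32 and 2.5.10.1.
FIXED_VERSIONS = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare correctly, unlike strings."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version_text):
    """True if older than the fix, False if fixed, None if the branch is not
    covered by the rule (report it rather than silently treating it as safe)."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def scan(root, recursive):
    """Walk `root` for Struts jars and classify each one.
    Returns a sorted list of (relative path, version, status)."""
    root = Path(root)
    candidates = root.rglob("*.jar") if recursive else root.glob("*.jar")
    findings = []
    for jar in candidates:
        match = STRUTS_JAR.match(jar.name)
        if not match:
            continue
        verdict = is_vulnerable(match.group(1))
        status = {True: "VULNERABLE", False: "patched", None: "unknown-branch"}[verdict]
        findings.append((jar.relative_to(root).as_posix(), match.group(1), status))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed server layout (hypothetical paths): a patched Struts in the
    server's shared lib/, and an older copy bundled inside a deployed web app."""
    base = Path(base)
    shared = base / "lib"
    bundled = base / "webapps" / "consumer-portal" / "WEB-INF" / "lib"
    shared.mkdir(parents=True)
    bundled.mkdir(parents=True)
    (shared / "struts2-core-2.5.10.1.jar").touch()
    (bundled / "struts2-core-2.3.31.jar").touch()
    (bundled / "commons-io-2.5.jar").touch()  # unrelated jar, must be ignored
    return base


def demo():
    """Run both scans against the constructed tree.
    The shallow scan looks only at the shared lib/ directory and reports green;
    the recursive scan finds the bundled, unpatched copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        shallow = scan(root / "lib", recursive=False)
        deep = scan(root, recursive=True)
        return shallow, deep


if __name__ == "__main__":
    shallow, deep = demo()
    print("shallow scan:", shallow)
    print("recursive scan:", deep)
```

The point for a verification programme is the reporting shape, not the regex: a scan that can only answer “patched” or say nothing is indistinguishable from a scan that never ran. Returning an explicit “unknown-branch” for versions the rule does not cover, and walking every deployment directory rather than one well-known path, is what makes a green result mean something.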

A culture of security, in which each individual took security seriously and as a personal responsibility, would have helped mitigate the risk of human error: the expired security certificate might have been noticed and renewed; the person responsible for patching ACIS might have told their manager that they were not receiving security-related emails, and so would have received the alert that the system needed patching; and Mandiant’s services might not have been terminated, so the attack might have been detected earlier.

I think this case indicates a lack of just culture. Graeme Payne was fired, and perhaps he should have been, but the CEO’s admission of “human error and a failure to communicate the need to apply a patch as underlying reasons for the breach” (U.S. House. Committee on Oversight and Government Reform, 2018) shows a lack of just culture: it blames proximal causes (people not being notified, actions not being taken) rather than identifying systemic technical issues such as poor integration, and cultural issues in a company where “security was viewed as a bottleneck” (Riley et al., 2017). My number one recommendation would be the adoption of a just culture with a focus on security.

References

Fruhlinger, J. (2020, February 12). Equifax data breach FAQ: What happened, who was affected, what was the impact? CSO Online. https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html

Riley, M., Robertson, J., & Sharpe, A. (2017, September 29). The Equifax Hack Has the Hallmarks of State-Sponsored Pros. Bloomberg. https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros

U.S. Department of Justice. (2019, June 27). Former Equifax employee sentenced for insider trading. Department of Justice. https://www.justice.gov/usao-ndga/pr/former-equifax-employee-sentenced-insider-trading

U.S. Department of Justice. (2020, February 10). Chinese military personnel charged with computer fraud, economic espionage and wire fraud for hacking into credit reporting agency Equifax. Department of Justice. https://www.justice.gov/opa/pr/chinese-military-personnel-charged-computer-fraud-economic-espionage-and-wire-fraud-hacking

U.S. House. Committee on Oversight and Government Reform. (2018). The Equifax Data Breach. https://republicans-oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf

U.S. Senate. Committee on Banking, Housing, and Urban Affairs. (2017, October 17). Examining the protection of consumer data at credit bureaus in the wake of the Equifax Data Breach. GovInfo. https://www.govinfo.gov/content/pkg/CHRG-115shrg28249/html/CHRG-115shrg28249.htm
