ISOL632 University of the Cumberlands Equifax Data Breach Article Review
• Review the Equifax breach article below. Please provide a detailed description of how the attack occurred. Also discuss which factors from policy, personnel, and technology perspectives contributed to the incident.
• How was the impact of this breach quantified?
• Support your content with at least four (4) reputable sources.
• Your final paper should be 1,000 to 1,250 words (excluding title page and references) and written in APA Style.

U.S. House of Representatives
Committee on Oversight and Government Reform
The Equifax Data Breach
Majority Staff Report
115th Congress
December 2018
Executive Summary
On September 7, 2017, Equifax announced a cybersecurity incident affecting 143 million
consumers. This number eventually grew to 148 million—nearly half the U.S. population and 56
percent of American adults. This staff report explains the circumstances of the cyberattack
against Equifax, one of the largest consumer reporting agencies (CRA) in the world.
Equifax is one of several large CRAs in the United States. CRAs gather consumer data,
analyze it to create credit scores and detailed reports, and then sell the reports to third parties.
Consumers do not voluntarily provide information to CRAs, nor do they have the ability to opt
out of this information collection process. Though CRAs provide a service in facilitating
information sharing for financial transactions, they do so by amassing large amounts of sensitive
personal data—a high-value target for cyber criminals.1 Consequently, CRAs have a heightened
responsibility to protect consumer data by providing best-in-class data security.
In 2005, former Equifax Chief Executive Officer (CEO) Richard Smith embarked on an
aggressive growth strategy, leading to the acquisition of multiple companies, information
technology (IT) systems, and data. While the acquisition strategy was successful for Equifax’s
bottom line and stock price, this growth brought increasing complexity to Equifax’s IT systems,
and expanded data security risks. In August 2017, three weeks before Equifax publicly
announced the breach, Smith boasted Equifax was managing “almost 1,200 times” the amount of
data held in the Library of Congress every day.2
Equifax, however, failed to implement an adequate security program to protect this
sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such
a breach was entirely preventable.
On March 7, 2017, a critical vulnerability in the Apache Struts software was publicly
disclosed. Equifax used Apache Struts to run certain applications on legacy operating systems.
The following day, the Department of Homeland Security alerted Equifax to this critical
vulnerability. Equifax’s Global Threat and Vulnerability Management (GTVM) team emailed
this alert to over 400 people on March 9, instructing anyone who had Apache Struts running on
their system to apply the necessary patch within 48 hours. The Equifax GTVM team also held a
March 16 meeting about this vulnerability.
Equifax, however, did not fully patch its systems. Equifax’s Automated Consumer
Interview System (ACIS), a custom-built internet-facing consumer dispute portal developed in
the 1970s, was running a version of Apache Struts containing the vulnerability. Equifax did not
patch the Apache Struts software located within ACIS, leaving its systems and data exposed.
1 After the Breach: The Monetization and Illicit Use of Stolen Data: Hearing Before the Subcomm. on Terrorism & Illicit Finance of the H. Comm. on Financial Servs., 115th Cong. (2018) (testimony of Lillian Ablon, RAND Corporation); see also J.P. MORGAN, CYBERCRIME: THIS IS WAR 1 (2013), https://www.jpmorgan.com/tss/General/Cybercrime_This_Is_War/1320514323773 (“Due to its potentially high value and its use in facilitating fraud through additional channels, PII has become a valuable commodity in the world of cybercrime.”).
2 Richard Smith, Chief Exec. Officer, Equifax, Address to the Terry College of Business at the University of Georgia (Aug. 17, 2017), https://www.youtube.com/watch?v=lZzqUnQg-Us.
On May 13, 2017, attackers began a cyberattack on Equifax. The attack lasted for 76
days. The attackers dropped “web shells” (a web-based backdoor) to obtain remote control over
Equifax’s network. They found a file containing unencrypted credentials (usernames and
passwords), enabling the attackers to access sensitive data outside of the ACIS environment. The
attackers were able to use these credentials to access 48 unrelated databases.
Attackers sent 9,000 queries on these 48 databases, successfully locating unencrypted
personally identifiable information (PII) data 265 times. The attackers transferred this data out of
the Equifax environment, unbeknownst to Equifax. Equifax did not see the data exfiltration
because the device used to monitor ACIS network traffic had been inactive for 19 months due to
an expired security certificate. On July 29, 2017, Equifax updated the expired certificate and
immediately noticed suspicious web traffic.
After updating the security certificate, Equifax employees identified suspicious traffic
from an IP address originating in China. The suspicious traffic exiting the ACIS application
potentially contained image files related to consumer credit investigations. Equifax discovered it
was under active attack and immediately launched an incident response effort.
On July 30, Equifax identified several ACIS code vulnerabilities. Equifax noticed
additional suspicious traffic from a second IP address owned by a German ISP, but leased to a
Chinese provider. These red flags caused Equifax to shut down the ACIS web portal for
emergency maintenance. The cyberattack concluded when ACIS was taken offline.
On July 31, Chief Information Officer (CIO) David Webb informed Richard Smith of the
cyber incident. Equifax suspected the attackers exploited the Apache Struts vulnerability during
the data breach. On August 2, Equifax engaged the cybersecurity firm Mandiant to conduct an
extensive forensic investigation. Equifax also contacted outside counsel and the Federal Bureau
of Investigation to alert them to the cyber incident.
By late August 2017, Mandiant confirmed attackers accessed a significant volume of
consumer PII. Equifax launched an effort to prepare for public notice of the breach. As part of
this effort, Equifax created a website for individuals to find out whether they were affected by
the data breach and, if so, to register for credit monitoring and identity theft services. Equifax
also began efforts to stand up a call center capability staffed by 1,500 temporary employees. On
September 4, Equifax and Mandiant completed a list of 143 million consumers affected by the
data breach, a number that would later grow to 148 million.
When Equifax informed the public of the breach on September 7, the company was
unprepared to support the large number of affected consumers. The dedicated breach website and
call centers were immediately overwhelmed, and consumers were not able to obtain timely
information about whether they were affected and how they could obtain identity protection
services.
Equifax should have addressed at least two points of failure to mitigate, or even prevent,
this data breach. First, a lack of accountability and no clear lines of authority in Equifax’s IT
management structure existed, leading to an execution gap between IT policy development and
operation. This also restricted the company’s implementation of other security initiatives in a
comprehensive and timely manner. As an example, Equifax had allowed over 300 security
certificates to expire, including 79 certificates for monitoring business critical domains.
Second, Equifax’s aggressive growth strategy and accumulation of data resulted in a
complex IT environment. Equifax ran a number of its most critical IT applications on custom-built
legacy systems. Both the complexity and antiquated nature of Equifax’s IT systems made
IT security especially challenging. Equifax recognized the inherent security risks of operating
legacy IT systems because Equifax had begun a legacy infrastructure modernization effort. This
effort, however, came too late to prevent the breach.
Equifax held several officials accountable for the data breach. The CIO and Chief
Security Officer (CSO) both took early retirements on September 15, eight days after the public
announcement. Equifax’s CEO Richard Smith left the company on September 26. On October 2,
Equifax terminated Graeme Payne, Senior Vice President and Chief Information Officer for
Global Corporate Platforms, for failing to forward an email regarding the Apache Struts
vulnerability. Payne, a highly-rated employee for seven years and a senior manager of nearly 400
people, managed a number of IT systems within Equifax, including ACIS. On October 3,
Richard Smith testified before Congress blaming human error and a failure to communicate the
need to apply a patch as underlying reasons for the breach.
Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company
taken action to address its observable security issues prior to this cyberattack, the data breach
could have been prevented.
Table of Contents
Executive Summary
Commonly Used Names and Acronyms
Timeline of Key Events
I. The Consumer Reporting Agency Business Model and Use of Personally Identifiable Information
  A. Consumer Reporting Agency Business Model
  B. Equifax – Aggressive Growth and Increasing Risk in Data Intrusive Industry
    1. Equifax Corporate Profile
    2. CEO Richard Smith’s Growth Strategy
    3. “Massive Amounts” of Data Equals Massive Security Risks
    4. Key Equifax Officials Responsible for IT and Security
II. Regulations for Consumer Reporting Agencies
  A. FTC and CFPB Authority over Consumer Reporting Agencies
    1. Federal Trade Commission Act
    2. Dodd-Frank Act
    3. Fair Credit Reporting Act
    4. Gramm-Leach-Bliley Act
  B. Breach Notification and Disclosure Requirements
III. Anatomy of the Equifax Data Breach
  A. Apache Struts Vulnerability Publicized, Equifax Attempts to Patch (Feb. – Mar. 2017)
  B. Attackers Breach Equifax and Remain Undetected for 76 Days (May – July 2017)
  C. Equifax Detects the Data Breach and Initiates Project Sierra (July – Aug. 2017)
IV. Equifax Notifies the Public of the Massive Data Breach
  A. Preparations for September 7, 2017 Public Notice
    1. Equifax Briefs Senior Leaders and Begins Forensic Investigation
    2. Equifax Launches Project Sparta and Prepares Call Centers
  B. September 2017 – Equifax Notifies the Public
    1. September 7, 2017 – Equifax Publicly Announces the Data Breach
    2. Other Stakeholders React to Equifax Announcement
    3. Website and Call Centers Overwhelmed
      a. EquifaxSecurity2017.com Issues
      b. Call Center Frustrations
    4. Three Senior Equifax Officials “Retire”
  C. October 2017 – Forensic Investigation Completed and Senior Equifax Employee Fired
    1. October 2, 2017 – 2.5 Million More Victims Announced
    2. Senior Equifax Employee Terminated for “Failing to Forward an Email”
  D. Early 2018 – Victim Total Rises to 148 Million
  E. Mandiant’s Forensic Analysis Was Challenging
V. Specific Points of Failure: Equifax’s Information Technology and Security Management
  A. Equifax IT Management Structure Lacked Accountability and Coordination
    1. IT Organizational Structure at the Time of the Breach
    2. Operational Effect of the Organizational Structure
    3. Equifax’s Organizational Structure Allowed Ineffective IT Coordination
  B. Equifax Had Serious Gaps between IT Policy Development and Execution
    1. Equifax’s Patch Management Process
      a. Patching Process Failed Following March 9, 2017 Apache Struts Alert
      b. Equifax Was Aware of Issues with the Patching Process
    2. Equifax’s Certificate Management Process
  C. Equifax Ran Business Critical Systems on Legacy IT with Documented Security Risks
    1. Equifax’s Company Expansion Created Highly Complex IT Infrastructure
    2. Composition of the Legacy ACIS Environment
    3. Equifax Did Not Know What Software Was Used Within Its Legacy Environments
    4. Security Concerns Specific to the ACIS Legacy Environment
    5. Modernization Efforts Underway at the Time of the Breach
VI. Equifax Remediation Efforts
  A. Mandiant’s Remedial Recommendations
  B. 2018 Consent Order with State Regulatory Agencies
  C. GAO Findings
  D. Remediation Steps Reported to SEC
  E. Equifax’s Updated Approach to Cybersecurity
  F. Equifax Officials on Remediation
VII. Recommendations
Commonly Used Names and Acronyms
Chief Executive Officer
Mark Begor, April 2018 – present
Paulino do Rego Barros Jr., Interim, September 2017 – March 2018
Richard Smith, December 2005 – September 2017
Chief Information Officer
(now known as Chief Technology Officer)
Bryson Koehler, June 2018 – present
David Webb, January 2010 – September 2017
Robert Webb, November 2004 – July 2009
Chief Security Officer
(now known as Chief Information Security Officer)
Jamil Farshchi, February 2018 – present
Russ Ayres, Deputy, February 2018 – present
Interim, September 2017 – February 2018
Susan Mauldin, August 2013 – September 2017
Tony Spinelli, September 2005 – March 2013
Senior Equifax Officials
John J. Kelley, Chief Legal Officer, January 2013 – present
Graeme Payne, Senior Vice President and Chief Information Officer for Global Corporate
Platforms, March 2011 – October 2017
ACIS: Automated Consumer Interview System
CFPB: Consumer Financial Protection Bureau
CIO: Chief Information Officer
CRA: Consumer Reporting Agency
CSO: Chief Security Officer
FCRA: Fair Credit Reporting Act
FTC: U.S. Federal Trade Commission
GLBA: Gramm-Leach-Bliley Act
GTVM: Global Threat and Vulnerability Management
NIST: National Institute of Standards and Technology
PII: Personally Identifiable Information
SEC: U.S. Securities and Exchange Commission
SSL: Secure Sockets Layer
US-CERT: U.S. Computer Emergency Readiness Team
Timeline of Key Events
March 7, 2017
• Apache Struts Project Management Committee announces the CVE-2017-5638 vulnerability affecting Apache Struts and releases the patch.3
March 8, 2017
• The United States Computer Emergency Readiness Team (US-CERT) sends Equifax an alert to patch the particular vulnerability in Apache Struts software.4
March 9, 2017
• Equifax’s Global Threat and Vulnerability Management (GTVM) team disseminates US-CERT notification internally by email requesting responsible personnel apply the critical patch within 48 hours.5
March 10, 2017
• First evidence of attackers exploiting the Apache Struts vulnerability on servers connected to the Equifax network.6
March 15, 2017
• Equifax’s Security team runs scans to identify any systems containing the Apache Struts vulnerability. The scans did not detect the vulnerability on any externally facing systems.7
3 Apache Software Foundation, Response From The Apache Software Foundation to Questions from US House Committee on Energy and Commerce Regarding Equifax Data Breach, APACHE SOFTWARE FOUNDATION BLOG (Oct. 3, 2017), https://blogs.apache.org/foundation/entry/responses-to-questions-from-us.
4 Email from U.S. Computer Emergency Readiness Team, to GTVM, Equifax (Mar. 8, 2017, 7:31:16 PM) (on file with Committee, EFXCONG-SSTOGR000000060).
5 Email from GTVM, Equifax, to GTVM Alerts, Equifax (Mar. 9, 2017, 9:31:48 AM) (on file with Committee, EFXCONG-SSTOGR000000508).
6 Briefing by Mandiant, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018).
7 Email from Berlene Herren, Vice President Cyber Threat Resistance, Equifax, to Jamie Fike, Workforce Solutions, Equifax (Mar. 15, 2017, 1:56:38 PM) (on file with Committee, EFXCONG-SSTOGR000000510); see also Oversight of the Equifax Data Breach: Answers for Consumers: Hearing Before the Subcomm. on Digital Commerce & Consumer Prot. of the H. Comm. on Energy & Commerce, 115th Cong. (2017) (prepared written statement of Richard Smith, Former Chief Exec. Officer, Equifax).
May 13, 2017
• Attackers enter the Equifax network through the Apache Struts vulnerability located within the Automated Consumer Interview System (ACIS) application and drop web shells onto the Equifax system.8
May 13, 2017 – July 30, 2017
• Timeframe during which hackers gained unauthorized access to Equifax databases through an Equifax legacy environment.9 Attackers perform approximately 9,000 queries to sensitive databases within Equifax system.10
July 29, 2017
• Equifax renews the expired security certificate for the device monitoring ACIS network traffic. The certificate was expired for 19 mont…