In the past three years credit rating company Equifax spent some US$250 million on cyber security, including protecting consumer data held in its files by encrypting data at rest and in motion, tokenization and data masking.
However, the data at rest that was recently stolen from the company’s consumer dispute portal — where consumers could upload information such as a photo of a contested utility bill — wasn’t encrypted, former CEO Richard Smith testified Tuesday before a U.S. Congressional hearing. Some data in that dispute portal has to be held for at least seven years, Smith testified.
That was the data pool hacked over the summer through an unpatched Apache Struts vulnerability, resulting in the theft of data on over 145 million people, mainly Americans, but also 8,000 Canadians and 100,000 in the U.K.
UPDATE: Equifax said in late October that in addition to data such as Social Insurance numbers on 8,000 Canadians that was exposed, credit card numbers of another 11,670 Canadians were also exposed, bringing the total number affected here to over 19,000.
Smith didn’t explain why the data gathered by the consumer dispute portal wasn’t encrypted.
He emphasized that data held in what he called Equifax’s core consumer and commercial reporting databases wasn’t hacked.
Smith, who retired from the company last month shortly after admitting to the breach and the mishandling of Equifax’s response, took the heat. “I’m responsible,” he told the House of Representatives’ Energy and Commerce committee. “It was under my watch. I apologize.”
Smith also shed more light on what happened, saying the breach was the combined result of human and technological errors.
On March 8 the Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) warned U.S. organizations of the need to patch a vulnerability in Apache Struts, an open-source framework for building Java web applications. The dispute portal is the only place where Equifax uses the software. The next day Equifax’s security team was notified by email. Company policy is that patches are to be installed within 48 hours. But, Smith said, due to “human error” by an unnamed person, the patch wasn’t applied.
On March 15 Equifax ran a scan of its systems that should have discovered the patch hadn’t been applied. It didn’t, which Smith described as a “logical error.”
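The failure described above is the gap between "a patch was ordered" and "the patched artifact is actually what is deployed." The check below is an added example, not Equifax's scanner or any Apache project code: it walks a deployment tree, finds each struts2-core jar, reads the version from the jar's own manifest (so a renamed or overwritten file cannot fool it the way a file-name or HTTP-banner check can) and flags anything below a per-branch patched floor. The directory layout, the jar contents and the version floors in `demo()` are all constructed for the example; the page names no fixed version, so a real run must take the floors from the vendor advisory.

```python
"""Inventory Apache Struts 2 core jars on disk and flag unpatched versions.

Added example; not Equifax's scanner or Apache's tooling. It assumes Struts 2
is deployed as struts2-core-<version>.jar under an exploded web application
(WEB-INF/lib) and that the caller supplies the minimum patched version of each
release branch.
"""
import os
import re
import tempfile
import zipfile

# Struts 2 ships its core as struts2-core-<version>.jar; that is what we inventory.
JAR_NAME = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare correctly component-wise."""
    return tuple(int(p) for p in text.split("."))


def jar_version(path):
    """Read Implementation-Version from the jar manifest; fall back to the file name.

    The manifest is authoritative: an old jar renamed to look current, or a
    patched jar copied over an old file name, is only caught by looking inside.
    """
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
        if m:
            return m.group(1)
    except (zipfile.BadZipFile, KeyError):
        pass
    m = JAR_NAME.match(os.path.basename(path))
    return m.group(1) if m else None


def audit_struts(root, patched_by_branch):
    """Walk root and return {relative jar path: (version, needs_patch)}.

    patched_by_branch maps a release branch ('2.3', '2.5') to the minimum
    version of that branch carrying the fix. A jar whose branch is not listed,
    or whose version cannot be read, is reported as needing attention rather
    than silently passed; that is the failure mode the scan must not have.
    """
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not JAR_NAME.match(name):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ver = jar_version(path)
            if ver is None:
                findings[rel] = (None, True)
                continue
            v = parse_version(ver)
            branch = ".".join(str(x) for x in v[:2])
            floor = patched_by_branch.get(branch)
            needs_patch = floor is None or v < parse_version(floor)
            findings[rel] = (ver, needs_patch)
    return findings


def write_fixture_jar(path, manifest_version):
    """Constructed test fixture: a jar containing only a manifest."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\n"
                    f"Implementation-Version: {manifest_version}\n")


def demo():
    """Build a constructed deployment tree, audit it, return {path: needs_patch}."""
    # Constructed floors for the demo; take the real ones from the vendor advisory.
    baseline = {"2.3": "2.3.32", "2.5": "2.5.10.1"}
    with tempfile.TemporaryDirectory() as root:
        dispute = os.path.join(root, "webapps", "dispute", "WEB-INF", "lib")
        legacy = os.path.join(root, "webapps", "legacy", "WEB-INF", "lib")
        os.makedirs(dispute)
        os.makedirs(legacy)
        # Plainly unpatched jar on the 2.3 branch.
        write_fixture_jar(os.path.join(dispute, "struts2-core-2.3.30.jar"), "2.3.30")
        # Patched jar on the 2.5 branch.
        write_fixture_jar(os.path.join(dispute, "struts2-core-2.5.10.1.jar"), "2.5.10.1")
        # File name claims the patched version, but the manifest inside says otherwise.
        write_fixture_jar(os.path.join(legacy, "struts2-core-2.5.10.1.jar"), "2.5.5")
        return {rel: needs for rel, (_, needs) in audit_struts(root, baseline).items()}


if __name__ == "__main__":
    for rel, needs in sorted(demo().items()):
        print(("NEEDS PATCH " if needs else "ok          ") + rel)
```

The point of reading the manifest rather than the file name is the third fixture: a remote scanner that fingerprints the application, or an inventory that trusts file names, would pass it, while the on-host check of the deployed artifact does not. Run the audit on every host that serves the application, not on a sample, and treat "no struts2-core jar found" on a host known to run Struts as a finding in itself.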
“Based on the investigation to date, it appears that the first date the attacker(s) accessed sensitive information may have been on May 13, 2017,” Smith said. “The company was not aware of that access at the time. Between May 13 and July 30, there is evidence to suggest that the attacker(s) continued to access sensitive information, exploiting the same Apache Struts vulnerability. During that time, Equifax’s security tools did not detect this illegal access.”
It was only on July 29 that a “decryptor” detected suspicious traffic. That traffic was blocked and the site was shut down the next day. Smith was notified July 31 of the incident, but it wasn’t until Aug. 15 — after forensic investigation — that he was told data had been exposed.
“When I came to the company 12 years ago we had virtually no focus on cyber security,” Smith testified. Now the company has “a team of over 225 professionals focussing each and every day on security around the world.”
“We made substantial investments over that time frame. In the last three years alone we made investments approaching a quarter of a billion dollars in security.”
But, a Congressman quickly pointed out, the vulnerability had been flagged months before the first known intrusion. “How could 225 professionals you hired for that purpose let a breach like that happen?”
Although there was a patching process there was “a human error,” Smith replied, “where an individual did not ensure communication got to the right person to manually patch the application. That was subsequently followed by a logical error, where a piece of equipment we use scans the environment looking for that vulnerability and did not find it.”
“I describe it as a human error and a technology error.”
Members of Congress who questioned Smith didn’t hide their anger, with one calling the hack and the company’s response to victims “a travesty,” and a Texan saying “it isn’t clear to me why Equifax … should be allowed to continue operating when they have failed spectacularly at their core business and endangered the public.” One Oklahoma representative castigated Smith, saying the company “took a long time to stand up” and warn the public of the breach. It had response procedures and “you should have been able to react much much sooner.” A California rep said “we expect better … you let us all down … this could have been and likely should have been prevented.”
An Illinois representative said it is “ludicrous” to think those whose personal information was exposed won’t be harmed.
One Texas congressman suggested to Smith that companies would be more sensitive to cyber threats if they had to pay a fine for every person whose data is exposed.
“It’s time at the federal level to put some teeth in this, and [have] some sort of per account payment” when there’s a breach, he said. “I don’t want to put credit bureaus out of business and all of that, but we could have this hearing every year from now on if we don’t change the current system.”
“Let’s figure out something to do that actually gives an incentive to the industry to protect ourselves, and the only way I know to do it is some fine per account hacked that’s large enough that even some company that’s worth US$13 billion [which is Equifax’s stock value] would rather protect the data — and probably not collect as much data — than have to come up here and say ‘We’re sorry.'”