The former CEO of Equifax answered questions regarding the Equifax breach impact and causes, but experts were not satisfied by the answers.
On Monday, the credit bureau admitted that an additional 2.5 million Americans may have been affected in the Equifax breach, bringing the current estimate of affected citizens to 145.5 million. On Tuesday, Richard Smith, the former CEO of Equifax, testified in congressional hearings regarding the Equifax breach impact.
Smith began by taking responsibility for the breach, saying in a written statement that he "was ultimately responsible for what happened on [his] watch."
"To each and every person affected by this breach, I am deeply sorry that this occurred. Whether your personal identifying information was compromised, or you have had to deal with the uncertainty of determining whether or not your personal data may have been compromised, I sincerely apologize," Smith wrote in his prepared testimony. "The company failed to prevent sensitive information from falling into the hands of wrongdoers. The people affected by this are not numbers in a database. They are my friends, my family, members of my church, the members of my community, my neighbors. This breach has impacted all of them. It has impacted all of us."
Smith went on to detail the timeline of events leading up to the Equifax breach. He said Equifax received an alert from US-CERT on March 8, 2017 regarding the Apache Struts vulnerability that needed to be patched and the company shared that message internally on March 9. However, the software was not patched.
Ben JohnsonCTO, Obsidian Security
Smith claimed the Equifax security team ran vulnerability scans on March 15 "that should have identified any systems that were vulnerable to the Apache Struts issue," but the scans failed to identify the systems needing patching. Although by then, it was too late as Smith said the initial attack accessing data occurred on March 13.
The Equifax breach was not detected by IT teams until July 30 and Smith said he was told about the incident on July 31. The investigation into the Equifax breach impact began Aug. 2, but Smith said he was not made aware that personally identifiable information (PII) had been stolen until Aug. 15. The board was notified on Aug. 22 and the breach was finally made public on Sept. 7.
"A substantial complication was that the information stolen from Equifax had been stored in various data tables, so tracing the records back to individual consumers, given the volume of records involved, was extremely time consuming and difficult. To facilitate the forensic effort, I approved the use by the investigative team of additional computer resources that significantly reduced the time to analyze the data," Smith wrote in the statement. "By September 4, the investigative team had created a list of approximately 143 million consumers whose personal information we believed had been stolen."
Equifax breach timeline
Ben Johnson, CTO of Obsidian Security, said that timelines, like those detailing the Equifax breach impact, can be tricky, but he questioned Smith's readiness for such an attack.
"If you race to disclosure, you'll likely be wildly off in stating the impact. If you take too long, then there's the question of why couldn't you have disclosed this sooner to help the affected parties," Johnson told SearchSecurity. "The most striking aspect here is the lack of daily updates as soon as the investigation started -- that shows lack of respect for adversary abilities and very little concern for the sensitivity of the data. It appears Smith was completely out of his league when it comes to asking the right questions around cyber risk and breach."
Barbara Rembiesa, president and CEO of the International Association of IT Asset Managers, said the timeline was plausible, but found it odd that there was a two-day delay between Smith learning of the breach and the investigation beginning.
"This is a lapse in judgment," Rembiesa told SearchSecurity. "Should proper industry best practices have been followed, the CEO would have been informed and the investigation would have been launched on July 30, saving an untold amount of consumer data because the breach would have been closed sooner."
Equifax breach impact response
Gary Golomb, co-founder at Awake Security, took issue with Smith's claim that Equifax policy is to patch a vulnerability in two days.
"This may have been the policy, but it's not grounded in the reality of what it takes to patch a vulnerability. It is nearly physically impossible to patch a vulnerability, test it in an environment to make sure things are working and update and get it ready for public use," Golomb told SearchSecurity. "It's not like you drop a file and it's done. In this case, it would require a recompiling of code and redeployment. No realistic DevOps or security team would expect this to be rebuilt in a few days."
Experts also noted a number of issues with Equifax relying on vulnerability scans to find issues. Johnson and others said it was very possible that the scanner might not have been updated properly.
Sanjay Raja, CMO at Lumeta, noted the failure of the vulnerability scan could have also been a visibility problem.
"Vulnerability scanners do not discover or identify all of your infrastructure," Raja told SearchSecurity. "That means even if scans were run successfully, in our research, on average 40% of servers and systems are not scanned because they are not part of the asset list."
Billy Sokol, global CTO of public sector at MarkLogic Corporation, said the vulnerability scan was "almost irrelevant" in regard to the Equifax breach impact.
"If they had updated the Struts capability, that could have helped, but there wouldn't have been [more than] 140 million affected if the database was secure, if the data was encrypted, if there was no super user and more granularity security around data," Sokol told SearchSecurity. "If you require that everything work perfectly in order for your data to be protected, you're asking for a breach. Not everything works perfectly all the time and people do make mistakes. Your data needs to be protected even when hackers get in."
Nicholas Hayden, director of engineering at Anomali, said it was time to shift the focus from the Equifax breach impact and cause to "what lawmakers are going to do to fix the issue."
"The punishment doesn't match the crime when it comes to data breaches," Hayden told SearchSecurity. "A company that fails to be good stewards of the critical and vital information they are entrusted with should not be allowed to continue the practice."
Learn how to use data encryption tools and techniques effectively.
Find out how the Equifax breach highlights the importance of GDPR preparation.
Get info on how vulnerability scanning can help with PCI DSS compliance.