cageymaru
In a Senate report, Equifax is accused of neglecting its own cybersecurity policies, which ultimately led to the 2017 data breach that exposed the personally identifiable information (PII) of 145 million Americans. The company's key senior managers didn't attend cybersecurity meetings, and an audit identified a backlog of over 8,500 known vulnerabilities in its network. Over 1,000 of these were considered critical, high, or medium risks that were found on systems that could be accessed by individuals from outside of Equifax's information technology ("IT") networks.
The company instituted an "honor system" for patching its systems and didn't abide by its own patching policy, which required the company's IT department to patch critical vulnerabilities within 48 hours. Equifax wasn't even sure of the network assets that it owned, so it was impossible for Equifax to know if vulnerabilities existed on its networks. When threats were announced by the U.S. government with the highest critical score possible, the company's security scans failed to identify the vulnerability. This is because the company lacked a comprehensive inventory of its IT assets. Equifax also allowed its SSL certificates to expire 8 months prior to the 2017 data breach, which allowed hackers access to the network for 78 days undetected. Equifax waited six weeks before notifying the public of the breach.
Equifax's online dispute portal, the hackers also accessed other Equifax databases as they searched for other systems containing PII. They eventually found a data repository that also contained unencrypted usernames and passwords that allowed the hackers to access additional Equifax databases. The information accessed primarily included names, Social Security numbers, birth dates, addresses, and, in some instances, driver's license and credit card numbers.
The usernames and passwords the hackers found were saved on a file share by Equifax employees. Equifax told the Subcommittee that it decided to structure its networks this way due to its effort to support efficient business operations rather than security protocols. In addition, Equifax did not have basic tools in place to detect and identify changes to files, a protection which would have generated real-time alerts and detected the unauthorized changes the hackers were making.