Many security experts have reacted with incredulity to Equifax ex-CEO Richard Smith saying that a single employee's failure to heed a security alert led to the company failing to install a patch on a critical system, which was subsequently exploited by attackers. Smith's assertion also calls into question whether poor patch practices were the norm at Equifax, and it raises the prospect that the credit bureau's consumer data may have been tampered with, and it might not ever know.
The Equifax breach, which began March 10, resulted in the exposure of information pertaining to 145.5 million U.S. consumers, including names, Social Security numbers, birthdates, addresses and, in some cases, drivers' license numbers. Some payment cards for U.S. and Canadian consumers were also compromised, as was data relating to 400,000 British consumers and 8,000 Canadian consumers.
Testifying this week on Capitol Hill, Smith, who "retired" from Equifax on Sept. 26, blamed multiple "mistakes" for precipitating the conditions that allowed Equifax to be hacked. He said those mistakes included an unnamed individual on the security team failing to heed a security alert that should have led the company to patch the Apache Struts web application that hackers exploited.
"The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not," Smith told the House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection on Tuesday (see Congress Grills Equifax Ex-CEO on Breach).
Policy: Apply Patches Within 48 Hours
"On March 9, Equifax disseminated the U.S. CERT notification internally by email, requesting that applicable personnel responsible for an Apache Struts installation upgrade their software," Smith told the committee. He noted that Equifax's security department policies state that all such security updates should be installed within 48 hours of such a notice being sent.
But the patch was never applied, and the omission apparently went unnoticed until late July, when Equifax discovered it had been hacked. "We now know that the vulnerable version of Apache Struts within Equifax was not identified or patched in response to the internal March 9 notification to information technology personnel," Smith said.
Compounding the problem, on March 15, scans run by Equifax's security team failed to flag the vulnerable Struts implementation. "The vulnerability remained in an Equifax web application much longer than it should have," Smith said. "It was this unpatched vulnerability that allowed hackers to access personal identifying information."
On Tuesday, Rep. Tim Murphy, R-Pa., asked during a hearing if Equifax's vulnerability scanning tools were misconfigured. "I have no knowledge of that," Smith replied.
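As an added illustration (not Equifax's scanner or any code from the article), here is the kind of inventory check the March 15 scan needed to make: it parses Struts core jar versions from a constructed host inventory, flags anything below an assumed first-fixed release for its branch, and reports how far past the 48-hour policy deadline each finding sits on the scan date. Hostnames, jar paths and the fixed-version numbers are placeholders, not real advisory data.

```python
"""Struts inventory check against a patch SLA (constructed example)."""
from datetime import datetime, timedelta
import re

# Matches struts2-core-<major>.<minor>.<patch>[.<build>].jar at the end of a path.
JAR_RE = re.compile(r"struts2-core-(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\.jar$")


def parse_version(jar_path):
    """Return the numeric version tuple of a struts2-core jar, or None if not Struts."""
    m = JAR_RE.search(jar_path)
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def is_vulnerable(version, fixed_by_branch):
    """True if version is below the first fixed release of its (major, minor) branch.

    An unknown branch is reported as vulnerable rather than silently passed:
    a scanner that stays quiet on what it does not recognise is the failure mode here."""
    fixed = fixed_by_branch.get(version[:2])
    return fixed is None or version < fixed


def check_inventory(hosts, fixed_by_branch, notice_sent, scan_time, sla_hours=48):
    """Flag hosts running a vulnerable struts2-core jar and how long past the SLA they are."""
    deadline = notice_sent + timedelta(hours=sla_hours)
    findings = []
    for host, jars in hosts.items():
        for jar in jars:
            version = parse_version(jar)
            if version is not None and is_vulnerable(version, fixed_by_branch):
                overdue = (scan_time - deadline).total_seconds() / 3600
                findings.append({"host": host, "jar": jar,
                                 "hours_past_sla": max(0.0, round(overdue, 1))})
    return findings


# Constructed sample inventory: hypothetical hosts, paths and versions.
SAMPLE_HOSTS = {
    "web-01": ["/opt/app/lib/struts2-core-2.3.31.jar", "/opt/app/lib/commons-lang-2.6.jar"],
    "web-02": ["/opt/app/lib/struts2-core-2.3.40.jar"],
    "web-03": ["/srv/portal/WEB-INF/lib/struts2-core-2.5.12.jar"],
}
# Placeholder first-fixed versions per branch (assumption; take real values from the vendor advisory).
SAMPLE_FIXED = {(2, 3): (2, 3, 40), (2, 5): (2, 5, 20)}
NOTICE = datetime(2017, 3, 9)   # internal notice date from the testimony
SCAN = datetime(2017, 3, 15)    # scan date from the testimony

if __name__ == "__main__":
    for finding in check_inventory(SAMPLE_HOSTS, SAMPLE_FIXED, NOTICE, SCAN):
        print(finding)
```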
Fail: Management 101
Many security experts have reacted to Smith's testimony by asking how it was possible that a business of this size, with an information security team that reportedly comprised 225 personnel, could have screwed up in such spectacular fashion.
"This doesn't sound right. I don't mean the validity of the 'single person' failure claim, I mean the fact this was possible in a $15bn corp.," says Stuart Winter-Tear, a British information security expert, via Twitter.
In any other business sphere, Smith's claims would have made him a laughing stock, says Tokyo-based developer Patrick McKenzie (@patio11).
"The Equifax ex-CEO throwing an unnamed technician under the bus for the Equifax breach is positively maddening," McKenzie says via Twitter. "There is never a single person at fault for a poor engineering decision. That isn't me as an engineer talking; that is Management 101."
Business as Usual?
The missed Struts update may not be an outlier. Indeed, Equifax's Apache Struts patch failure also raises the question of how many other critical systems the credit bureau has failed to patch in a timely manner, if at all. Smith, however, has not addressed this possibility in his testimony to date, and lawmakers so far have not pressed him on it.
Another possible result of the Struts breach - and any other potential breaches that may not have been discovered - is that attackers could have not just stolen the data being stored by Equifax, but altered it.
That possibility led New York State's Department of Financial Services last month to instruct all firms that it regulates to validate all Equifax credit-report data before using it because it may have been tampered with (see Report: Equifax Subpoenaed by New York State Regulator).
"Confirm the validity of information contained in Equifax credit reports (if they receive them) before relying on them for provision of products and services to new applicants, as well as existing clients, as they may have been compromised given the cyberattack," DFS said in a Sept. 18 alert.
Was Data Manipulated?
On Tuesday, Rep. Fred Upton, R-Mich., asked Smith directly if attackers who had access to Equifax's data might have altered some of it. Upton also pointed to the credit report of a friend, obtained from Equifax, which runs 120 pages. The sheer quantity of data suggests that any manipulation might be very difficult to spot.
Smith appeared to brush off such concerns. Based on the breach investigation conducted by FireEye's incident response group Mandiant, he said, "there is no indication that the data left behind has been manipulated."
But that sounds like a careful hedge: Is there any indication that the data was not manipulated?
Perfect Storm, or Business as Usual?
One overriding post-breach question: Was the Equifax hack the result of a perfect storm of mistakes that had almost no chance of occurring, or have these types of security failures been the norm? Answers, together with the efficacy of Equifax's patch and vulnerability scanning practices, and its failure to have spotted attackers exfiltrating massive amounts of data for at least three months, need to come to light.
Given that the FBI has launched a criminal investigation into the breach, and the company is being probed by the Federal Trade Commission, the U.S. Securities and Exchange Commission, at least 40 state attorneys general and regulators in Britain and Canada, these details will likely become public knowledge at some point.
But for Equifax's more than 145 million products turned data breach victims, who now face a lifetime of increased risk from identity theft, any resulting lessons that the credit bureau learns will arrive too late.