That's the short takeaway from the devastating data breach that swamped credit bureau Equifax last year.

A newly released report on the Equifax breach from the U.S. Government Accountability Office, titled "Data Protection: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach," provides new details into how the breach occurred and what Equifax could have done to help prevent or more rapidly mitigate it, centering on failures involving detection, segmentation and data governance (see Building an Effective Enterprisewide Security Program).

Equifax's latest count of breach victims includes at least 145.5 million U.S. The credit bureau has also said that 15.2 million records pertaining to U.K. residents were exposed, putting 860,000 British consumers at risk, and said that 8,000 Canadian residents' personal details were also exposed.

The GAO report identifies five key factors that contributed to the breach: identification, detection, segmentation and data governance, as well as a failure to rate-limit database requests. If properly handled, any one of those areas might have enabled Equifax to more quickly identify and contain the intrusion that led to the breach.

GAO says it conducted the review "to report on actions taken by Equifax and agencies in response to the breach" at the request of four lawmakers: Sen.

"We did not independently assess Equifax's information security controls or the steps the company took to address identified factors that contributed to the ineffective implementation of those controls," GAO says. Instead, the independent, nonpartisan agency that conducts investigations for Congress says it analyzed documentation about the breach and also interviewed individuals at Equifax's three largest federal customers: the Internal Revenue Service, the Social Security Administration and the United States Postal Service.

The U.S. Computer Emergency Readiness Team in March 2017 issued an alert that all Apache Struts implementations should be immediately patched. Equifax says it circulated this notice to its systems administrators. "However, the recipient list for the notice was out of date and, as a result, the notice was not received by the individuals who would have been responsible for installing the necessary patch," GAO says (see Equifax Ex-CEO Blames One Employee For Patch Failures).

Equifax has also said that a routine scan conducted a week later, which searched for known vulnerabilities inside its network, had failed to flag the flaw in the Struts implementation that ran its online dispute portal (see Equifax's Colossal Error: Not Patching Apache Struts Flaw).

Problem 2: Poor Detection

Equifax had a security device that allowed it to inspect network traffic, but it wasn't working because a digital certificate it required had expired.

"The certificate had expired about 10 months before the breach occurred, meaning that encrypted traffic was not being inspected throughout that period," GAO says. "As a result, during that period, the attacker was able to run commands and remove stolen data over an encrypted connection without detection."

Problem 3: No Segmentation

Equifax said it had failed to isolate its databases on different network segments (see Solve Old Security Problems First).

As a result, once the attackers breached Equifax's network, they were able to reach dozens of other databases.

"The lack of segmentation allowed the attackers to gain access to additional databases containing PII, and, in addition to an expired certificate, allowed the attackers to successfully remove large amounts of PII without triggering an alarm," GAO says.

Problem 4: Poor Data Governance

Equifax was storing access credentials used by its administrators in an unencrypted format, when proper practice would have been to store such information only in a secure form, preferably with access restricted using multifactor authentication.

"The attackers gained access to a database that contained unencrypted credentials for accessing additional databases, such as usernames and passwords," GAO says.