Former Equifax Inc. CEO Richard Smith testified that the company's failure to implement a security patch led to the breach that compromised personally identifiable information of more than 145 million people, The Verge reports. The breach, disclosed in September, could expose those individuals to risk of identity theft and other frauds. Appearing before the U.S. House Energy and Commerce Committee, Smith acknowledged that the credit bureau had learned of the vulnerability in the Apache Struts web application software in March. Under questioning, Smith said the person responsible for communicating about security patches failed to do so in this instance and a security scan had not detected the vulnerability. Smith resigned following the incident, along with Equifax's chief information and security officers. The company is under investigation by the Federal Trade Commission and Department of Justice.
Many articles have covered the recent attack on Equifax, which compromised names, birth dates, and Social Security numbers, among other sensitive data. Because it is one of the largest information security breaches in U.S. history, internal auditors can learn much from it to help regulators, companies, and individuals potentially avoid such harm in the future.
Never rely on a single process or individual to implement a key anti-hacking measure. Equifax's former CEO testified that in March, the U.S. Department of Homeland Security's Computer Emergency Readiness Team (U.S. CERT) notified Equifax and other companies of the need to patch a vulnerability in certain versions of Apache Struts. Equifax uses the software in its online disputes portal, a website where consumers can dispute items on their credit reports. Equifax's patching policy required patching to occur within a 48-hour time period. However, one employee was responsible for identifying the need to implement the patch and communicating that need to other applicable areas and staff within Equifax. Neither of those things happened. Just as there is a need for segregation of duties in financial controls, there should be parallel authority and processes in place to avoid such a lapse in information security controls.
Security systems must be continuously updated and checked repeatedly for all potentially vulnerable systems and access points. Two weeks after Equifax received notice to patch its vulnerable software, its information security staff ran scans that should have identified any systems that were vulnerable to the Apache Struts issue, but the scans did not identify a problem. Hackers continually evolve their attack methods, and that often leaves internal security systems behind, meaning a threat can go undetected. Furthermore, the hackers accessed sensitive information for more than two months before Equifax's security controls detected the breach.
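The article does not say why Equifax's scans came back clean, but one common reason a vulnerable-component scan misses a library is that Java web applications ship their libraries packed inside deployed .war and .ear archives, where a filename-only scan never sees them. The following is an added example, not code from the article or from Equifax: it constructs a small in-memory deployment with one Struts core jar loose on disk and another nested inside a WAR, then compares a naive filename scan with a recursive archive walk. The paths, the version strings and the minimum patched version threshold are all constructed for the demonstration and make no claim about which real Struts releases are affected.

```python
"""
Added example (not from the article or Equifax): why a component scan can miss
a vulnerable Apache Struts library, and a recursive check that does not.

A naive scan looks only at file names on disk. Servlet containers expect
libraries under WEB-INF/lib inside a .war, so a struts2-core-*.jar packed there
never appears as a file on disk and the naive scan reports "clean". The
recursive scan opens every archive (including archives inside archives) and
inspects entry names. Version strings and the threshold are constructed.
"""
import io
import re
import zipfile

# Matches the conventional Struts 2 core jar name, e.g. struts2-core-1.2.3.jar,
# either as a whole path or as an entry name inside an archive.
STRUTS_JAR = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)*)\.jar$")
ARCHIVE_SUFFIXES = (".war", ".ear", ".jar", ".zip")


def parse_version(text):
    """'2.3.20' -> (2, 3, 20) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def _entries(data):
    """Yield (name, bytes) for each file entry in zip-format data; skip non-zips."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield info.filename, zf.read(info.filename)
    except zipfile.BadZipFile:
        return


def naive_scan(files):
    """Filename-only check. `files` maps a path to its bytes; only top-level
    names are examined, so anything packed inside an archive is invisible."""
    return [path for path in files if STRUTS_JAR.search(path)]


def recursive_scan(files):
    """Open every archive and walk nested archives, returning a list of
    (location, version) for each Struts core jar found. Locations use
    'outer.war!inner/path.jar' notation to show where the jar was nested."""
    found = []

    def walk(location, entries):
        for name, blob in entries:
            here = f"{location}!{name}" if location else name
            match = STRUTS_JAR.search(name)
            if match:
                found.append((here, parse_version(match.group(1))))
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                walk(here, _entries(blob))

    walk("", files.items())
    return found


def vulnerable(findings, min_patched):
    """Keep only findings whose version is below the (constructed) patched minimum."""
    floor = parse_version(min_patched)
    return [(loc, ver) for loc, ver in findings if ver < floor]


def build_sample_deployment():
    """Constructed deployment: one struts2-core jar lying loose on disk and
    another packed inside a WAR under WEB-INF/lib. Paths and versions are
    placeholders, not Equifax's systems or any real release's status."""
    def make_zip(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, blob in entries.items():
                zf.writestr(name, blob)
        return buf.getvalue()

    manifest = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"}
    war = make_zip({
        "WEB-INF/web.xml": b"<web-app/>",
        "WEB-INF/lib/struts2-core-2.0.1.jar": make_zip(manifest),
    })
    return {
        "/opt/app/lib/struts2-core-2.9.9.jar": make_zip(manifest),
        "/opt/tomcat/webapps/disputes.war": war,
    }


if __name__ == "__main__":
    deployment = build_sample_deployment()
    print("naive scan saw:", naive_scan(deployment))
    findings = recursive_scan(deployment)
    print("recursive scan saw:", findings)
    print("below constructed threshold 2.5.0:", vulnerable(findings, "2.5.0"))
```

The naive scan reports only the loose jar, which sits above the constructed threshold, so a scanner built that way would report the host as clean even though the WAR carries an older copy. For an auditor, the useful question to put to a scanning team is therefore not only "did the scan run?" but "does the scan open deployed archives, and against which inventory of hosts and applications is it run?"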
These factors add another dimension to the need for specific security controls around the most sensitive information kept by companies. In this case, once hackers had gained access to Equifax's online dispute portal, they were able to access a database table containing the personal information of millions of people. Traditional methods alone are no longer sufficient for anticipating these kinds of threats. For example, companies should be actively monitoring social media and the Dark Web to detect new trends and activities in threats such as hacking. Following the U.S. CERT request promptly would have been a more effective action.
If the organization has been hacked — recover! On this point, Equifax seems to have done a somewhat better job once the security breach was detected, shutting down its consumer dispute website after suspicious network traffic was observed. And, following company policy, it retained a cybersecurity group to guide the investigation and provide legal and regulatory advice, engaged an independent cybersecurity forensic consulting firm to investigate the suspicious activity, and contacted the Federal Bureau of Investigation. The company made extensive efforts to analyze forensic data to identify and understand the unauthorized activity on the network. These efforts helped Equifax figure out what happened, what parts of its network were affected, how many consumers were affected, and what types of information were accessed or potentially acquired by the hackers.
Don't wait until the organization has the perfect plan to communicate to its customers and stakeholders. It took Equifax several weeks to create a list of consumers whose personal information had been stolen before it publicly announced that the breach had occurred. While it's positive that this included the rollout of a comprehensive support package for consumers, the delay created considerable public anger and misunderstanding. That outcry may have contributed to government scrutiny and the eventual resignation of Equifax's CEO.