Former Equifax CEO blames breach on a single person who failed to deploy patch

This summer, a breach at the credit bureau Equifax compromised Social Security numbers and other sensitive data on more than 145 million people. Since then, experts have been puzzling over how the company allowed it to happen. The attackers seem to have broken into the system by exploiting a public vulnerability in Apache’s Struts software, but by the time the compromise occurred, a patch for that vulnerability had been available for months. So why didn’t Equifax deploy the patch?

Speaking to the House Energy and Commerce Committee, former Equifax CEO Richard Smith gave the most detailed answer to that question we’ve heard so far. According to him, the team internally discussed the Struts vulnerability when it was first announced by CERT on March 8th.

The protocol is to deploy a patch internally and then scan the system for any lingering vulnerability. In theory, it’s a two-part process that should ensure no disclosed vulnerability is allowed to persist in the system — but according to Smith, neither half of the process worked.

“Both the human deployment of the patch and the scanning deployment did not work,” Smith told Congress. “The protocol was followed.”

He went into more detail in his written testimony, saying that the CERT notification was distributed internally the day after it was published, but no one in the IT department seems to have recognized its significance. “We now know that the vulnerable version of Apache Struts within Equifax was not identified or patched in response to the internal March 9 notification,” Smith wrote.

Smith blamed the initial failure to patch on a specific individual, whom he declined to name. “The human error was that the individual who’s responsible for communicating in the organization to apply the patch, did not,” Smith said in the hearing.

“So does that mean that that individual knew the software was there,” Rep. Greg Walden replied, “and it needed to be patched, and did not communicate that to the team that did the patching?”

“That is my understanding, sir,” Smith said.

The company is still investigating why the subsequent scan did not detect the vulnerability, but written testimony indicates it took place the following week, on March 15th.

Smith stepped down as CEO of Equifax last week, and the company’s chief information officer and chief security officer have also stepped down. The Federal Trade Commission is currently investigating the breach as a violation of fair business practices, and the Department of Justice has opened a probe into whether Equifax executives committed insider trading by selling company stock before the breach became public.

Still, the hearing revealed significant frustration from members of Congress at the lack of financial consequences for the company. “Under current law, you’re required to alert those whose account has been hacked, but there’s basically no penalty,” Rep. Joe Barton (R-TX) told Smith. “We’re going to have this hearing every year from now on if we don’t do something to change this system.”

Comments

He was the CEO; he sets the company culture. Assuming what he says is true: if that person didn’t communicate things, it is probably because security isn’t taken seriously enough at the company for him to do whatever it takes to communicate that message to whoever needs it, with high priority, and to ensure that all systems are always fully updated and secured.

No matter your company, even if you are selling muffins and coffee, security should always be top priority, always taken seriously, and always ensuring that everything is fully updated/patched. If you carry any sort of customer information, it is your responsibility to keep it safe. That is my opinion.

I just hope that this unfaithful event will wake up businesses, make them invest in security, and push a culture of prioritizing security.

If your security depends on a single person you are doing it wrong.

Redundancy, redundancy, redundancy! Why is it so hard to hammer this home to certain decision makers?

The perfect question to ask the CEO.

I don’t think it’s dependent on a single person, since there would have been a scan that also did not show the vulnerability.

The issue was with human beings executing processes. If the process is thought-out but the people executed poorly, you would still have this result regardless.

Critical processes shouldn’t be disrupted by single points of failure.

I love how anything that goes right in a company, it’s all because of the CEO and the culture he instills. When something goes wrong it’s "Bob screwed up, I have no idea what happens in day to day activities."

I hereby gift this sacrificial lamb to the gods through the blood ceremony, so as to absolve myself of any responsibility.

At a company that size, in order to install or make a change you have to:

Show a plan to install
Have access rights to install
Show that you have tested in Test/Dev, QA
Check with the Change Control Board to install in Production
Get sign off
Get a date and confirm with other groups an OK to install
Fill out a post production form on status

There is no "one guy failed…"
