The massive Equifax data breach that impacted 148 million Americans in 2017 was the result of years of poor cybersecurity practices, a new Staff Report from the United States Senate’s Permanent Subcommittee on Investigations reveals. 

The U.S. credit reporting agency announced in September 2017 that it fell victim to a data breach that was later confirmed to have been the result of successful exploitation of a publicly disclosed Apache Struts vulnerability that the company had been warned about but failed to properly patch. 

The attack on Equifax started in May, but was only detected in July, despite thousands of queries sent by threat actors to the company’s databases during that time.

A December 2018 report from the House of Representatives’ Oversight and Government Reform Committee Republicans blasted the company for its poor security practices, and the new U.S. Senate report does that once again, while also providing some more details on Equifax’ failures regarding the incident. 

According to the report (PDF), Equifax was aware of security weaknesses in its systems for two years, but failed to properly address them. The critical vulnerability that led to the data breach was patched only months after being publicly reported. 

After implementing a Patch Management Policy in April 2015, the company conducted a full audit of its systems and discovered various deficiencies in its system controls, including a backlog of over 8,500 vulnerabilities with overdue patches, including more than 1,000 flaws in external-facing systems.

The audit also revealed issues in the company’s configuration and patch management procedures, such as the lack of timely patching, the lack of a comprehensive IT asset inventory, a reactive patching process, failure to verify the implementation of patches, and that the criticality of an asset wasn’t being taken into consideration when determining a patching schedule. 

Although Equifax committed to address these slow remediation efforts by implementing automated tools by the end of 2016, the company failed to do so, and the tools weren’t in place when the Apache Struts vulnerability was made public in March 2017 either. 

The report also found that the company did not perform a formal follow-up of the 2015 audit, and reveals that the company was still struggling to improve its patching management process in early 2017. At that time, the company’s vulnerability scanning was a “global process that was disconnected from the company’s regional patch management process,” the report reveals. 

Also underlined in the report is the fact that it was unclear whether IT was following patch and vulnerability management procedures, and that the company was told to implement a new scanning tool, which became active in June or July 2017, after the Apache Struts vulnerability became public.

“The tools to exploit the March 2017 Apache Struts vulnerability were publicly available and easy to use.  […] Equifax employees were unable to respond adequately due to a failure to implement basic cybersecurity standards, which prevented Equifax from complying with its own internal policies and procedures,” the report reads. 

Moreover, the company was unable to locate vulnerable assets in its inventory, meaning that it was unable to patch the critical flaw within 48 hours, as per its own policy. Although the company scanned its network, it did not discover the flaw in due time, as expired SSL certificates delayed its ability to detect the intrusion for months.

“Hackers successfully breached a web application running a vulnerable version of Apache Struts located on the Equifax network. When they did, they were able to access multiple data repositories due to Equifax’s decision not to implement certain cybersecurity protocols recommended in the NIST cybersecurity framework,” the report points out. 

The report also shows that Equifax failed to act adequately after discovering the data breach (for example, the company waited six weeks before informing the public that it discovered the security incident) and also failed to preserve a complete record of the events surrounding the breach (such as possibly relevant Lync communication between July 29 and September 15).

“While the Senate report highlights the value of periodic scanning for vulnerable open source components, that practice can easily let vulnerable components be deployed when an organization uses Agile development practices commonly referred to under the DevOps umbrella,” Tim Mackey, Senior Technical Evangelist, Synopsys, told SecurityWeek in an emailed comment.

“Instead of periodic scans, comprehensive inventories of open source dependencies should be created during development and when applications care deployed. Those dependencies should be fed into a continuous monitoring solution designed to identify when new security disclosures are published. When combined, such a solution allows for an accurate picture of the security exposure within a given application to be accurately measured in near real time. Armed with the knowledge of a vulnerable open source component and the origin of the component, an effective patch strategy can be created,” Mackey continued.