lookigen.blogg.se

Equifax breach











A government report released this week says a culture of cybersecurity complacency at Equifax, compounded by a lack of visibility into its complex legacy IT environments, led to last year's breach.

A sobering House Oversight Committee report released this week has helped illustrate just how out of date systems at Equifax, the consumer credit reporting agency that was breached last year, were. The data breach, which the report says could have been prevented, was one of the largest in U.S. history, leaking the sensitive data of 148 million consumers, not just in the U.S. Among the data exposed were individuals' names, dates of birth, Social Security numbers, address information, gender, phone number, driver's license numbers, email addresses, payment card numbers and expiration dates, TaxID, and driver's license states.

According to the 96-page report, the company's IT systems had countless shortcomings. Yes, Equifax failed to patch a critical vulnerability in Apache Struts, something that left its systems exposed for 145 days. But per the House Committee, the company also failed to renew 324 security certificates, including 79 that were used to monitor business critical domains. The report doesn't downplay the issues around Equifax's patching process. In fact, it highlights that the company knew there were deficiencies with the process and that actions were needed to make it effective; Equifax just failed to "establish a mechanism to ensure accountability and compliance." The report also makes it sound as if Equifax's Achilles' heel was failing to update a security certificate for its SSL Visibility (SSLV) appliance, a device used to monitor network traffic leaving ACIS, its Automated Consumer Interview System. The SSL certificate had been expired for 19 months, eliminating the company's ability to visualize the data being exfiltrated from the environment. "Had Equifax implemented a certificate management process with defined roles and responsibilities, the SSL certificate on the device monitoring the ACIS platform would have been active when the intrusion began on May 13, 2017. The company would have been able to see the suspicious traffic to and from the ACIS platform much earlier–potentially mitigating or preventing the data breach," the report reads.

After exploiting the Struts vulnerability and securing access to the ACIS environment, attackers were able to run 9,000 queries, 265 of which returned datasets containing personally identifiable information (PII). It wasn't until July 29, 2017, 76 days after the attack started, that the company updated the certificate and noticed the suspicious web traffic. None of the PII contained in the datasets was encrypted at rest, according to one part of the report, which cites a Digital Guardian blog that explains the difference between data at rest and data in transit.

By the numbers, the Equifax story is huge, but in many ways it's the same old story. It's a constant struggle for IT admins to block and tackle threats. Equifax had it even harder by being forced to work on a complex legacy IT system, originally built in the 1970s, that made it difficult to scan, patch, and modify effectively. The report points out that Equifax knew so little about its legacy system that its patch management policy relied on employees to know the source and version of all software running on certain applications so they could update each manually.

Credit reporting agencies, because of the large amount of sensitive personal data they process, should "have a heightened responsibility to protect consumer data by providing best-in-class data security," the report says, adding that all companies that hold sensitive consumer data, not just credit reporting agencies, need to implement modernized IT solutions.

When it comes down to it, Equifax lacked a robust data security infrastructure, which opened the door to risk. What happened to Equifax could easily happen to any company. There is no silver bullet to entirely prevent data breaches like this, but there are tools and data protection technologies that can ensure companies like Equifax are better prepared the next time this happens.











