Professionalism/The Equifax Data Leak

Introduction
Equifax is based in Atlanta, Georgia and was founded in 1899 as the Retail Credit Company. It is one of the three major credit agencies, along with Experian and TransUnion, and it also sells credit monitoring and fraud-prevention services to consumers. Equifax is one of several large consumer reporting agencies (CRAs) in the United States that gather consumer data, analyze it to create credit scores and detailed reports, and then sell the reports to third parties. Consumers do not voluntarily provide information to CRAs, nor can they opt out of this information collection. Though CRAs provide a service in facilitating information sharing for financial transactions, they do so by amassing large amounts of sensitive personal data, a high-value target for cyber criminals. Consequently, CRAs have a heightened responsibility to protect consumer data by providing best-in-class data security.

In 2005, former Equifax Chief Executive Officer (CEO) Richard Smith embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, information technology (IT) systems, and data. While the acquisition strategy was successful for Equifax’s bottom line and stock price, this growth brought increasing complexity to Equifax’s IT systems, and expanded data security risks. In August 2017, three weeks before Equifax publicly announced the breach, Smith boasted Equifax was managing “almost 1,200 times” the amount of data held in the Library of Congress every day. Equifax, however, failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable.

Data Breach
The Equifax data breach initially affected 143 million Americans whose data was stolen. This number was later revised to 146.6 million, which constituted 44 percent of the U.S. population. Stolen information ranged from full names and dates of birth to social security numbers and driver's license information. A survey conducted by CreditCards.com found that "twenty percent of all respondents have heard little or nothing about the Equifax breach, including 46 percent of those aged 18-37" and that 50 percent of surveyed adults did not check their credit scores and reports after the breach.

History of mistakes
On 28 October 2015, Equifax's cybersecurity division reported the findings of an audit of its security practices and infrastructure. First, Equifax had failed to address over 7,500 known critical vulnerabilities on its internal systems, contrary to its policy of addressing critical issues within a 48-hour window. Second, Equifax did not maintain a comprehensive inventory of its IT assets; it did not know exactly what software was in use on computers throughout its infrastructure. Finally, Equifax was not proactive in applying and verifying patches for vulnerabilities: software patches were only applied to systems when teams were made aware of specific threats.

Data breach timeline
On 8 March 2017, the Department of Homeland Security informed Equifax of a critical vulnerability in Apache Struts. On 9 March 2017, a few days after Apache released information about the Struts vulnerability and its patch, Equifax sent an internal email to its administrators instructing them to apply the patch on any vulnerable systems. The email went to a 400-person distribution list, but that list excluded the developer who knew of Equifax's use of Apache Struts. It did include the developer's manager, who failed to alert the team or the developer. Equifax CEO Richard Smith stated that this unidentified manager was ultimately responsible for the data leak because he did not inform the correct developer to patch the vulnerability.

On 15 March, Equifax's information security department ran a system-wide scan but did not find any vulnerable Apache Struts installations or systems needing immediate patching. This initial scan missed the Automated Consumer Interview System, which was built on Apache Struts. Equifax's Global Threats and Vulnerability Management team mentioned the Apache Struts vulnerability twice in a presentation and held monthly meetings to discuss cyber threats and vulnerabilities, but senior managers did not routinely attend these meetings and follow-up was limited.
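The two failures described above (the 48-hour remediation policy that went unenforced, and a scan that missed a Struts host because it was not accounted for) come down to keeping an accurate inventory and checking findings against it. The following Python is an added example, not code from the page or from Equifax; the inventory, findings and the fixed-version numbers in FIXED are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed inventory: host -> [(component, version), ...]. The check below is
# only as good as this list; a host missing from it is invisible to the scan.
INVENTORY = {
    "acis-web-01": [("apache-struts", "2.3.30"), ("openjdk", "8")],
    "portal-web-02": [("apache-struts", "2.5.10.1")],
    "batch-03": [("openjdk", "8")],
}
# Assumed first fixed Struts version per release branch (illustrative values).
FIXED = {"2.3": (2, 3, 32), "2.5": (2, 5, 10, 1)}
# Constructed findings, checked against the 48-hour policy cited in the text.
AUDIT_TIME = datetime(2017, 3, 15)
FINDINGS = [
    {"id": "F-1", "host": "acis-web-01", "reported": datetime(2017, 3, 9), "remediated": None},
    {"id": "F-2", "host": "portal-web-02", "reported": datetime(2017, 3, 9),
     "remediated": datetime(2017, 3, 10)},
]

def parse_version(version):
    return tuple(int(part) for part in version.split("."))

def is_vulnerable(version):
    """True when the installed version predates the fix for its release branch."""
    fixed = FIXED.get(".".join(version.split(".")[:2]))
    if fixed is None:
        return True  # unknown branch: treat as vulnerable until reviewed
    return parse_version(version) < fixed

def affected_hosts(inventory, component="apache-struts"):
    """Hosts whose inventory lists a vulnerable build of the component."""
    return sorted(host for host, parts in inventory.items()
                  for name, version in parts
                  if name == component and is_vulnerable(version))

def missed_by_scan(inventory, scanned_hosts):
    """Inventoried hosts that a scan never covered."""
    return sorted(set(inventory) - set(scanned_hosts))

def overdue_findings(findings, now, sla_hours=48):
    """Findings still open past the SLA, as {finding_id: hours_open}."""
    late = {}
    for finding in findings:
        if finding["remediated"] is not None:
            continue
        age = now - finding["reported"]
        if age > timedelta(hours=sla_hours):
            late[finding["id"]] = round(age.total_seconds() / 3600)
    return late

if __name__ == "__main__":
    print("vulnerable:", affected_hosts(INVENTORY))
    print("never scanned:", missed_by_scan(INVENTORY, ["portal-web-02", "batch-03"]))
    print("past 48h SLA:", overdue_findings(FINDINGS, AUDIT_TIME))
```

The open finding on the ACIS host is six days old when the audit runs, three times the policy window, and the same host is the one the constructed scan list omits.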

Starting on 13 May 2017 and lasting until 30 July 2017, the attackers used this vulnerability to gain access to 48 unrelated databases, running roughly 9,000 queries in search of other administrative login credentials. The attack ended on 30 July when Equifax shut down the vulnerable web portal after observing "suspicious traffic". On 31 July, the Chief Information Officer informed the Chief Executive Officer of the cyber incident.

Backend technology behind Equifax leak
Apache Struts is an open-source framework for developing web applications in Java. It is widely used in banking platforms, including at Equifax. However, Apache Struts had some fundamental vulnerabilities, especially in its handling of the Object-Graph Navigation Language (OGNL). By exploiting them, attackers could disable the firewalls protecting the servers and download and execute any malware they wanted onto those servers, giving them complete control of the web servers.

On 6 March 2017, Apache identified the vulnerability and released a patch for Apache Struts, fixing a flaw in its web application framework that would allow a user to disable firewalls and install software on a company's server. Once companies were notified of the vulnerability, it became their responsibility to update their systems with the patch.

Equifax's Automated Consumer Interview System (ACIS) was the attackers' main point of entry. It was a consumer dispute portal dating from the 1970s that used Apache Struts and still contained the vulnerability. From this entry point, the attackers were able to run system-level commands to find and query three databases connected to the portal that contained sensitive login credentials. These credentials were in turn used to expand their access to the 48 additional databases unrelated to the dispute portal.

Throughout the attack, perpetrators made use of the system's encrypted communication channels to disguise their queries as normal network traffic and avoid detection. Over several weeks, millions of Americans' personal data was extracted in small increments until the suspicious activity was finally detected.
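Because the exfiltration ran over encrypted channels, a defender in the position described above sees only volume and cadence, not content, and a rule that looks at individual transfer sizes misses a drip of small pulls. The following Python is an added example, not code from the page or from Equifax; the flow records, hosts, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed outbound flow summaries: (timestamp, source host, destination, bytes sent).
# The channel is encrypted, so only size and timing are available to the defender.
FLOWS = [(datetime(2017, 5, 14, hour, 0), "acis-web-01", "203.0.113.10", 45_000)
         for hour in range(1, 13)]                                            # twelve small pulls
FLOWS += [
    (datetime(2017, 5, 14, 2, 0), "portal-web-02", "198.51.100.5", 900_000),  # one large backup
    (datetime(2017, 5, 14, 9, 30), "batch-03", "203.0.113.10", 12_000),       # a lone small flow
]

def large_single_flows(flows, single_flow_max=100_000):
    """What a per-flow size rule alone reports: the backup, but not the slow drip."""
    return [(src, dst, nbytes) for _, src, dst, nbytes in flows if nbytes > single_flow_max]

def daily_buckets(flows):
    """Aggregate per (source, destination, day): total bytes, flow count, largest flow."""
    buckets = defaultdict(lambda: {"bytes": 0, "flows": 0, "max": 0})
    for ts, src, dst, nbytes in flows:
        bucket = buckets[(src, dst, ts.date())]
        bucket["bytes"] += nbytes
        bucket["flows"] += 1
        bucket["max"] = max(bucket["max"], nbytes)
    return buckets

def detect_low_and_slow(flows, total_threshold=500_000, single_flow_max=100_000, min_flows=10):
    """Flag pairs whose daily total is large although every individual flow stayed small."""
    alerts = []
    for (src, dst, day), bucket in sorted(daily_buckets(flows).items()):
        if (bucket["bytes"] >= total_threshold and bucket["max"] <= single_flow_max
                and bucket["flows"] >= min_flows):
            alerts.append((src, dst, day.isoformat(), bucket["bytes"], bucket["flows"]))
    return alerts

if __name__ == "__main__":
    print("per-flow rule sees:", large_single_flows(FLOWS))
    print("aggregate rule sees:", detect_low_and_slow(FLOWS))
```

In practice the thresholds come from each host's own baseline rather than fixed numbers, and the bucket window can be widened from a day to a week for slower drips.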

Aftermath and attacker identity
Once the breach was announced, Americans expected it was only a matter of time before a surge of identity theft occurred, but this never actually happened. Up to the present day, the stolen data still has not been located or utilized, despite extensive searches of the dark web by data hunting experts. In many breaches, stolen data is posted for sale before the company or consumers are made aware of the theft. This way, exposed data can be utilized before victims are able to take protective measures, but this likely wasn't the goal of the Equifax hackers.

While the exact perpetrators and motivations for the breach have yet to be proven, it is widely accepted that the breach may have been a Chinese state-sponsored espionage effort. This theory is popular because of several pieces of evidence. First, the initial breach and the subsequent theft were carried out by different parties: the initial access was likely gained by an amateur hacker, and more experienced hackers later returned to expand their reach within the system and set up numerous backdoor entry points, which suggests the information was passed to a larger organization, perhaps a government. Second, many of the tools used in the breach were determined to have originated in China. However, there is not sufficient evidence to determine that this was the true cause, or that China was responsible rather than another nation-state.

Damaged Reputation
In a survey conducted a year after the data breach, approximately 46 percent of respondents believed that Equifax should no longer serve as a credit bureau. The results show how long-lasting negative sentiment can be. To remedy the issue, Equifax offered free credit monitoring or a cash payment, reimbursement for time and money spent protecting one's identity, and free identity restoration services. Despite these benefits, many consumers have lost faith in Equifax protecting users' data, with some claiming they have "PTSD from the initial breach and do not in any way trust Equifax to handle this properly" and others stating that hackers "have access to my info in the dark web". Others expressed their frustration by stating that "this is not enough. What a sham. They gave away my most private data and it will cost them virtually nothing. They had a huge responsibility to protect this data and they did not take it seriously. If there is no real consequence for not protecting data this sensitive, there is no incentive for the company to beef up security to the appropriate level." To add insult to injury, Equifax and other credit agencies attempted to capitalize on the traffic generated by the breach by selling data-protection services, which offended consumers; as one put it, "which I think is also something that makes this Equifax breach galling to people ... it's the same company selling us services to protect ourselves that's now given up our data". This data breach has also led many consumers to question whether their personal information is in safe hands when entrusted to corporations. Many Americans were not even aware their personal information was in Equifax's systems until the breach, since they had no choice about their data being included.

Slow Press Release
When the CEO was informed of the cyber incident, Mandiant, a cybersecurity incident-response firm, was hired in August 2017 to investigate the breach and the extent of the attack. Mandiant also helped write the public press release issued on 7 September 2017. This press release came four months after the data breach had started, informing the public that 50% of Americans were affected. The delay sparked outrage again as Congress and legislators looked to push for another national data breach notification law.

Internal Project Sierra and Project Sparta
During the Mandiant investigation, Equifax had a small team working on fixing these issues. One effort, called Project Sierra, was tasked with the "overall response to the attack." In another, called Project Sparta, the Equifax employees working on the project were only told that "they were working for an unnamed client that had experienced a large data breach." They were given no details about the victims of the attack. Both projects were in fact for Equifax itself. This secrecy also led to further employee misconduct.

Cases of insider trading
Jun Ying was the former Chief Information Officer (CIO) of Equifax's US Information Solutions division and was said to be next in line to become global CIO. The SEC charged Ying with "violating antifraud provisions of the federal securities laws and seeking disgorgement of ill-gotten gains plus interest, penalties, and injunctive relief." Ying committed insider trading by exercising his stock options and selling the shares, receiving nearly $1 million and avoiding losses of $117,000. On March 7, 2019, Ying pleaded guilty and was sentenced to four months in federal prison and one year of supervised release.

Sudhakar Reddy Bonthu was a former software product development manager. While working on a project in which employees were not supposed to know anything beyond their own task, Bonthu learned information outside the project's scope. He too was charged with insider trading, having bought and sold Equifax stock options through his wife's brokerage account before the public announcement of the breach. He gained $75,000 after the announcement of the breach. Bonthu was sentenced to eight months of home confinement, fined $50,000, and ordered to forfeit his stock earnings.

Government Accountability Office
The Government Accountability Office (GAO) reported that, to address the weak boundary protections that had allowed access to the various databases, Equifax implemented additional controls at its external boundary to monitor communications and further restricted traffic between internal servers. Equifax also implemented broader programmatic measures, one of which was changing the reporting structure for the new Chief Information Security Officer (CISO), who now reports directly to the CEO so that top management has greater visibility into cybersecurity risks.

Securities and Exchange Commission
Through its own analysis, Equifax believes it satisfied the applicable requirements to notify consumers and regulators. The SEC found that, between October and December 2017, Equifax notified by mail the consumers who had uploaded information to the dispute portal. Equifax also provided these consumers individualized notifications listing the specific files they had uploaded to the dispute portal and the dates of those uploads.

Federal Trade Commission
On July 22, 2019, a settlement between the FTC and Equifax required Equifax to pay $575 million in relief. The company also had to provide free credit monitoring and identity theft services and strengthen the security of its data services.

House Democratic Report
A report prepared by Democratic staff of the House Committees on Oversight and Government Reform and on Science, Space and Technology proposed four key legislative reforms that can prevent such attacks in the future:


 * 1) Hold federal financial regulatory agencies accountable for their consumer protection oversight responsibilities
 * 2) Require federal contractors to comply with established cybersecurity standards and guidance from the National Institute of Standards and Technology (NIST)
 * 3) Establish high standards for how data breach victims should be notified
 * 4) Strengthen the ability of the Federal Trade Commission (FTC) to levy civil penalties for private sector violations of consumer data security requirements

House Republican Report
The Republican staff on the House Oversight Committee found that had Equifax taken action to address its security issues prior to this cyberattack, the data breach could have been prevented. The Republican staff then proposed seven recommendations that the government should adopt:


 * 1) Empower consumers through transparency
 * 2) Review sufficiency of FTC oversight and enforcement authorities
 * 3) Review effectiveness of identity monitoring and protection services offered to breach victims
 * 4) Increase transparency of cyber risk in private sector
 * 5) Hold federal contractors accountable for cybersecurity with clear requirements
 * 6) Reduce use of social security numbers as personal identifiers
 * 7) Implement modernized IT solutions

Senate Legislation Proposals
On January 10, 2018, Senator Elizabeth Warren introduced the S.2289: Data Breach Prevention and Compensation Act of 2018. This bill establishes civil penalties for violations and directs the FTC to enforce compliance. It creates the Office of Cybersecurity within the FTC that is authorized to:


 * 1) Investigate an agency's compliance with regulations regarding any data breach, and
 * 2) Enjoin an agency from violating specified regulations.

Professionalism and Ethics
In a world where the complexity of personal data is growing at an exponential rate, Equifax became the latest company to expose its data security failures. It exposed the data of millions of Americans to attackers with little resistance. With more user data being captured and stored by companies worldwide, sometimes without users' consent, it is important to emphasize the responsibility these companies have to protect and inform their customers.

Internal management failures at Equifax led to the biggest data breach in United States history. The company's inability to maintain accountability in its workplace is an error that others can learn from and apply to their own companies. Management cannot assume that issues have been addressed without proper follow-up and assessment.

It is the responsibility of employees to stay informed of the best practices required to fulfill their roles. Equifax employees, specifically the software developers who used Apache Struts, should have been alert to the vulnerabilities that arose from incorporating different software into their infrastructure. One of the biggest deviations from best practice was in the storage of some of the company's most sensitive data. Despite the industry standard of encrypting login information within databases, both usernames and passwords were stored in plaintext. Had developers protected this information, the attackers could not have used these login credentials without a way to decrypt them; instead, this mistake made expanding the breach after the initial access much simpler.
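The text frames the missing control as encryption; for passwords specifically, the established practice is a salted, slow one-way hash, which leaves nothing to decrypt and is what the following Python shows. It is an added example, not code from the page or from Equifax; the credential table, user names and passwords are constructed, and the iteration count is an assumed setting.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed PBKDF2 work factor; raise it as hardware allows

def hash_password(password, salt=None):
    """Store a salted PBKDF2-SHA256 digest instead of the password itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(record, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)

def authenticate(table, user, supplied):
    """Check a login against either record format; plaintext rows are the legacy case to remove."""
    stored = table.get(user)
    if stored is None:
        return False
    if stored.startswith("pbkdf2_sha256$"):
        return verify_password(stored, supplied)
    return hmac.compare_digest(stored.encode(), supplied.encode())

def migrate_table(table):
    """Replace every stored password with its salted digest."""
    return {user: hash_password(pw) for user, pw in table.items()}

# Constructed credential table in the form the text describes: each value is usable as-is.
PLAINTEXT_TABLE = {"svc_dispute": "Winter2017!", "db_admin": "hunter2"}
# After migration a copied row is no longer a credential: it cannot be replayed as the password.
HASHED_TABLE = migrate_table(PLAINTEXT_TABLE)
```

With the plaintext table, a stolen row authenticates directly; with the hashed table, the same theft yields only salted digests that still have to be cracked one by one.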

Company executives hold great influence over a company's decisions, largely because of the insights they are privy to. Customers expect those insights to be used to grow the company and its user base, not to line the pockets of executives at the customers' expense, as Equifax executives did. Richard R. Best, Director of the SEC's Atlanta Regional Office, said: "Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit."