A review of our current cyber incident response
Summary of the Incident
On September 7, 2017, Equifax announced that a cybersecurity breach had exposed the personal information of 143 million consumers, a figure later revised to about 148 million. The breach originated with a vulnerability in the Apache Struts web framework (CVE-2017-5638) that Equifax used to run certain consumer-facing applications. The vulnerability was publicly disclosed on March 7, 2017; the Department of Homeland Security's US-CERT notified Equifax of the threat on March 8; and on March 9 Equifax's Global Threat and Vulnerability Management (GTVM) team emailed employees instructing everyone running Apache Struts to install the patch. Equifax nevertheless failed to patch the Struts installation behind its Automated Consumer Interview System (ACIS), the web portal consumers use to dispute items on their credit reports. On May 13, attackers exploited the unpatched vulnerability to gain a foothold on the ACIS servers and found a file share containing unencrypted usernames and passwords, which gave them access to databases beyond ACIS. Equifax could not see the resulting traffic because the certificate on the device that decrypted and inspected outbound network traffic had expired, so encrypted traffic passed through uninspected; the intrusion was not discovered until July 29, 76 days after it began.
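The patch-management failure described above is the kind of thing a routine inventory check catches. The following Python script is added here as an illustration; it is not code from this page, from Equifax, or from the Apache project. It walks a set of deployment roots for struts2-core JARs and flags any version that predates the S2-045 fix (2.3.32 on the 2.3 branch and 2.5.10.1 on the 2.5 branch, per Apache's advisory for CVE-2017-5638). The directory layout it builds, including the "legacy/acis" path, is constructed for the example. Its demo() deliberately scans an incomplete list of roots first, to show that an audit is only as good as the asset inventory it is run against.

```python
"""Audit a deployed application tree for Apache Struts 2 core JARs that still
lack the fix for CVE-2017-5638 (Apache advisory S2-045), the bug behind the
Equifax breach.

Constructed example: the directory layout built by build_sample_tree() is
invented for this page and does not reproduce Equifax's environment.
"""
import os
import re
import tempfile

# Versions in which Apache shipped the fix for S2-045 / CVE-2017-5638.
# Every struts2-core release from 2.3.5 up to (but excluding) 2.3.32, and
# from 2.5 up to (but excluding) 2.5.10.1, carries the bug.
FIXED_VERSIONS = {
    (2, 3): (2, 3, 32),
    (2, 5): (2, 5, 10, 1),
}
FIRST_VULNERABLE_23 = (2, 3, 5)

JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare element-wise."""
    return tuple(int(p) for p in text.split("."))


def is_vulnerable(version):
    """True if this struts2-core version lacks the S2-045 fix."""
    branch = version[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return False  # 2.0/2.1/2.2 and later major versions are outside S2-045's range
    if branch == (2, 3) and version < FIRST_VULNERABLE_23:
        return False
    return version < fixed


def find_struts_jars(roots):
    """Walk every root and return (path, version, vulnerable) for each core JAR.

    Scanning an incomplete list of roots is the failure mode to watch for: a
    host or directory that is not in `roots` is never checked, so never patched.
    """
    findings = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                m = JAR_RE.match(name)
                if m:
                    version = parse_version(m.group(1))
                    findings.append(
                        (os.path.join(dirpath, name), version, is_vulnerable(version))
                    )
    return findings


def vulnerable_paths(roots):
    """Just the JAR paths that still need the patch, sorted for stable output."""
    return sorted(p for p, _v, vuln in find_struts_jars(roots) if vuln)


def build_sample_tree(base):
    """Create a constructed deployment tree: one patched app, one stale one.

    The 'legacy/acis' path is a hypothetical name chosen for illustration.
    Returns the two deployment roots an operator might (or might not) scan.
    """
    layout = [
        "app1/WEB-INF/lib/struts2-core-2.3.32.jar",          # patched
        "app1/WEB-INF/lib/commons-fileupload-1.3.2.jar",     # unrelated JAR, ignored
        "legacy/acis/WEB-INF/lib/struts2-core-2.3.31.jar",   # still vulnerable
    ]
    for rel in layout:
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb"):
            pass  # an empty placeholder; only the file name is inspected
    return [os.path.join(base, "app1"), os.path.join(base, "legacy")]


def demo():
    """Build the constructed tree and return how many vulnerable JARs are found
    when scanning only the first root versus every root: (partial, full)."""
    with tempfile.TemporaryDirectory() as base:
        app1, legacy = build_sample_tree(base)
        partial = vulnerable_paths([app1])
        full = vulnerable_paths([app1, legacy])
        return len(partial), len(full)


if __name__ == "__main__":
    print("vulnerable JARs (partial scan, full scan):", demo())
```

The version comparison is deliberately branch-aware: a 2.5.x deployment is not "fixed" just because its version number is higher than 2.3.32, and 2.3.x releases before 2.3.5 never had the Jakarta multipart parser that S2-045 concerns. In a real audit, the list of roots should come from the asset inventory and the results should be reconciled against it, so that a system nobody scanned shows up as "unknown" rather than silently passing.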
Investigations
The Director of the Consumer Financial Protection Bureau (CFPB) at the time, Richard Cordray, authorized an investigation into the data breach. Cordray resigned in November 2017, however, and Mick Mulvaney, who became acting Director, halted the probe. Under Mulvaney, the CFPB issued no subpoenas and sought no interviews with Equifax executives.
The FBI led a multinational investigation into the data breach and traced the attack to four hackers backed by the Chinese military: Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei, all members of the People's Liberation Army's 54th Research Institute.
The House Committee on Oversight and Government Reform launched an investigation to identify the conditions that allowed the breach to occur. The investigators concluded that the breach was entirely preventable had Equifax monitored its cybersecurity risks and acted to secure the data. For the private sector, the Committee's report recommended that credit reporting agencies (CRAs) increase transparency in both their data collection practices and their cybersecurity measures, and that they prioritize investment in modernized tools and technology. For the federal government, the Committee recommended that Congress review whether the FTC has sufficient authority to effectively oversee CRAs, that the GAO review current identity monitoring and protection practices, that OMB establish clear cybersecurity requirements for federal contractors, and that the executive branch explore alternatives to Social Security numbers as a means of identification and authentication. The report emphasized the importance of modernizing IT in both the private sector and the federal government and noted the Committee's passage of the Modernizing Government Technology Act, which passed the House in 2016 but stalled in the Senate.
Senator Elizabeth Warren's office conducted its own investigation of the Equifax data breach. The Senator requested information from Equifax and questioned the former CEO during a Senate hearing. She also sought information from Experian and TransUnion regarding their cybersecurity practices, and she wrote to the IRS seeking information on the agency's decision to award Equifax a contract to verify taxpayer identities. She sent letters to federal agencies as well, to ascertain their authority to prevent and respond to cybersecurity incidents. Her staff reviewed internal investigation reports from Mandiant, the firm Equifax hired to investigate the breach, and consulted cybersecurity experts. The resulting report advocated legislation that would give regulators the authority to impose penalties on corporations that expose consumer data, and it stressed the need for federal cybersecurity standards.
Recommendations and Policy Changes
The Department of Justice announced the indictment of the four members of China's People's Liberation Army on February 10, 2020. A version of the Modernizing Government Technology Act was attached to the National Defense Authorization Act for Fiscal Year 2018 and signed into law in December 2017.
In July 2019, Equifax agreed to a settlement with the FTC, the CFPB, and 50 U.S. states and territories that set aside up to $425 million to compensate affected consumers. Individuals affected by the breach could file a claim and be reimbursed, among other things, for time spent recovering from identity theft or fraud at $25 per hour for up to 20 hours.
Ontiveros, Victoria. “Equifax Data Breach.” June 15, 2021