Equifax Was Aware of Cybersecurity Weaknesses for Years, Senate Report Says
The massive Equifax data breach that impacted 148 million Americans in 2017 was the result of years of poor cybersecurity practices, a new Staff Report from the United States Senate’s Permanent Subcommittee on Investigations reveals.
The U.S. credit reporting agency announced in September 2017 that it fell victim to a data breach that was later confirmed to have been the result of successful exploitation of a publicly disclosed Apache Struts vulnerability that the company had been warned about but failed to properly patch.
The attack on Equifax started in May, but was only detected in July, despite thousands of queries sent by threat actors to the company’s databases during that time.
A December 2018 report from the House of Representatives’ Oversight and Government Reform Committee Republicans blasted the company for its poor security practices, and the new U.S. Senate report does that once again, while also providing some more details on Equifax’ failures regarding the incident.
According to the report (PDF), Equifax was aware of security weaknesses in its systems for two years, but failed to properly address them. The critical vulnerability that led to the data breach was patched only months after being publicly reported.
After implementing a Patch Management Policy in April 2015, the company conducted a full audit of its systems and discovered various deficiencies in its system controls, including a backlog of over 8,500 vulnerabilities with overdue patches, including more than 1,000 flaws in external-facing systems.