Equifax has reached an agreement with eight states to correct data security deficiencies that led to what may be the most costly breach in corporate history.
The consent order addresses, among other things, Equifax’s failure to patch a software vulnerability, which hackers exploited to compromise the personal information of more than 140 million Americans.
“The company must improve standards and controls for supporting the patch management function,” the order said, adding that “An effective patch management program must be implemented to reduce the number of unpatched systems and instances of extended patching time frames.”
Regulators from California, Texas, New York, North Carolina, Massachusetts, Georgia, Alabama and Maine signed the order. During a joint regulatory examination, they “found deficiencies in several facets of how Equifax operated and managed its information technology systems before the breach,” according to a news release.
“The breach never should have happened,” Jan Lynn Owen, commissioner of the California Department of Business Oversight, said. “This order will help ensure it doesn’t happen again.”
Equifax has confirmed that attackers entered its computer system in May 2017 through a vulnerability in Apache Struts web-application software, a widely used enterprise platform, that had a patch available in March 2017.
In congressional testimony, former CEO Richard Smith said an “individual” in Equifax’s technology department failed to heed security warnings and did not ensure the implementation of software fixes that would have prevented the breach.
Security experts have warned that other organizations may be vulnerable to similar breaches because of the technical challenges involved in patching a flaw in applications software. Some users also fail to maintain a proper inventory of their apps.
Under the consent order, Equifax is required to identify and document a comprehensive IT asset inventory and formalize a process that can routinely identify what patches need to be updated and installed.
The company must also increase oversight of its information security program and important vendors to “ensure sufficient controls are developed to safeguard information” and provide written progress reports to the state regulatory agencies.