Hackers were able to perpetrate last year’s massive data breach at Equifax because there was a “culture of cybersecurity complacency” at the credit reporting bureau, a congressional report has concluded.
The House Committee on Oversight and Government Reform said the breach, which compromised the personal information of about 148 million consumers, was “entirely preventable,” faulting Equifax for, among other things, failing to promptly patch a known security vulnerability in March 2017.
After exploiting the flaw in Apache Struts, a popular open source framework for creating Java apps, the hackers were able to access more than 48 databases containing unencrypted consumer credit data. The attack lasted 76 days before Equifax employees discovered it in July 2017.
“A culture of cybersecurity complacency at Equifax led to the successful exfiltration of the personal information of approximately 148 million individuals,” the report said.
The breach was one of the largest in corporate history, with experts estimating total costs incurred by Equifax could be well over $600 million. It followed a period of rapid growth at the company under then-CEO Richard Smith, who boasted in an August 2017 speech that Equifax managed “almost 1,200 times” as much data as the Library of Congress.
“Having so much personal information in one place made Equifax a prime target for hackers … Equifax was unprepared for these risks,” the House committee said.
Security experts had previously concluded that the hackers exploited the Apache Struts flaw, but the House report details that it was located within Equifax’s ACIS environment, a portal built in the 1970s that allowed consumers to check their credit rating from the company’s website.
A patch for the vulnerability, which was made available on the same day the flaw was publicly disclosed, should have been applied within 48 hours. Equifax’s ACIS system, however, was not patched until the hack was discovered.
In the meantime, the report said, the hackers were able to bypass the system’s firewalls, upload malicious scripts to gain remote control of servers, and then download data on 265 separate occasions.
There was a “pronounced” disconnect between Equifax’s patch management policy and its execution, the committee said.