Former Equifax CEO Blames One Employee for Massive Hack
After more than a year of investigation, the U.S. House of Representatives Oversight and Government Reform Committee has released its report on the Equifax data breach. The report is scathing, drawing immediate attention to massive failures.
The report calls the hack “entirely preventable” and states that there was a “lack of accountability and management structure … complex and outdated IT systems … failure to implement responsible security measurements … [and they were] unprepared to support affected consumers.”
Last year the Apache Struts vulnerability, which had been exploited in the wild for months, was used to gain access to corporate systems. Equifax was even warned about the vulnerability, but failed to patch it properly. The critical Apache Struts vulnerability was publicly disclosed on 7th March last year, and the Department of Homeland Security alerted Equifax to the flaw the next day.
After such a high-profile and massive data breach, there were repercussions. Because systems were simply not patched, the CEO, CIO, and CISO all lost their jobs. That is just one of many possible consequences of not keeping patches up to date. At every level, patching is critical to the continued security of a business.
The company confirmed it sent the alert to over 400 internal staff, instructing them to apply the necessary patch, and also held a meeting on 16th March about the vulnerability. Unfortunately, it was too late and the rest is history: 148 million customers' details were stolen and distributed over the internet.
As the report was released, Equifax's former CEO Richard Smith tried to apologize, but threw a single unnamed IT person under the bus. Smith did state that he was “ultimately responsible,” but also said, “An individual did not ensure communication got to the right person to manually patch the application.”
Equifax has since confirmed it implemented outdated perimeter protection to reduce the risk of exposure. Robert Brown, Director of Services at Verismic Software, said, “Unfortunately this kind of solution does not protect endpoints outside the network and greatly increases the chances of estate-wide exposure on the first infection inside the network.”
The House report, and the CEO’s own admissions, illustrate that even a simple patching strategy would likely have prevented this disaster.