U.S. House of Representatives Committee on Oversight and Government Reform
The Equifax Data Breach: Majority Staff Report, 115th Congress
Executive Summary
On September 7, 2017, Equifax announced a cybersecurity incident affecting 143 million consumers. This number eventually grew to 148 million, nearly half the U.S. population and 56 percent of American adults. This staff report explains the circumstances of the cyberattack against Equifax, one of the largest consumer reporting agencies in the world.
Equifax is one of several large consumer reporting agencies in the United States. Consumer reporting agencies gather consumer data, analyze it to create credit scores and detailed reports, and then sell the reports to third parties. Consumers do not voluntarily provide information to consumer reporting agencies, nor do they have the ability to opt out of this information collection process. Though consumer reporting agencies provide a service in facilitating information sharing for financial transactions, they do so by amassing large amounts of sensitive personal data, a high-value target for cyber criminals. Consequently, consumer reporting agencies have a heightened responsibility to protect consumer data by providing best-in-class data security.
In 2005, former Equifax Chief Executive Officer Richard Smith embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, information technology systems, and data. While the acquisition strategy was successful for Equifax's bottom line and stock price, this growth brought increasing complexity to Equifax's information technology systems and expanded data security risks. In August 2017, three weeks before Equifax publicly announced the breach, Smith boasted Equifax was managing "almost 1,200 times" the amount of data held in the Library of Congress every day.
Equifax, however, failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable.
On March 7, 2017, a critical vulnerability in the Apache Struts software was publicly disclosed. Equifax used Apache Struts to run certain applications on legacy operating systems. The following day, the Department of Homeland Security alerted Equifax to this critical vulnerability. Equifax's Global Threat and Vulnerability Management team emailed this alert to over 400 people on March 9, instructing anyone who had Apache Struts running on their system to apply the necessary patch within 48 hours. The Equifax Global Threat and Vulnerability Management team also held a March 16 meeting about this vulnerability.
Equifax, however, did not fully patch its systems. Equifax's Automated Consumer Interview System (ACIS), a custom-built internet-facing consumer dispute portal developed in the 1970s, was running a version of Apache Struts containing the vulnerability. Equifax did not patch the Apache Struts software located within ACIS, leaving its systems and data exposed.
On May 13, 2017, attackers began a cyberattack on Equifax. The attack lasted for 76 days. The attackers dropped "web shells" (a web-based backdoor) to obtain remote control over Equifax's network. They found a file containing unencrypted credentials (usernames and passwords), enabling the attackers to access sensitive data outside of the ACIS environment. The attackers were able to use these credentials to access 48 unrelated databases.
Attackers sent 9,000 queries on these 48 databases, successfully locating unencrypted personally identifiable information 265 times. The attackers transferred this data out of the Equifax environment, unbeknownst to Equifax. Equifax did not see the data exfiltration because the device used to monitor ACIS network traffic had been inactive for 19 months due to an expired security certificate. On July 29, 2017, Equifax updated the expired certificate and immediately noticed suspicious web traffic.
After updating the security certificate, Equifax employees identified suspicious traffic from an IP address originating in China. The suspicious traffic exiting the ACIS application potentially contained image files related to consumer credit investigations. Equifax discovered it was under active attack and immediately launched an incident response effort.
On July 30, Equifax identified several ACIS code vulnerabilities. Equifax noticed additional suspicious traffic from a second IP address owned by a German Internet service provider but leased to a Chinese provider. These red flags caused Equifax to shut down the ACIS web portal for emergency maintenance. The cyberattack concluded when ACIS was taken offline.
On July 31, Chief Information Officer David Webb informed Richard Smith of the cyber incident. Equifax suspected the attackers had exploited the Apache Struts vulnerability during the data breach. On August 2, Equifax engaged the cybersecurity firm Mandiant to conduct an extensive forensic investigation. Equifax also contacted outside counsel and the Federal Bureau of Investigation to alert them to the cyber incident.
By late August 2017, Mandiant confirmed attackers had accessed a significant volume of consumer personally identifiable information. Equifax launched an effort to prepare for public notice of the breach. As part of this effort, Equifax created a website for individuals to find out whether they were affected by the data breach and, if so, to register for credit monitoring and identity theft services. Equifax also began efforts to stand up a call center capability staffed by 1,500 temporary employees. On September 4, Equifax and Mandiant completed a list of 143 million consumers affected by the data breach, a number that would later grow to 148 million.
When Equifax informed the public of the breach on September 7, the company was unprepared to support the large number of affected consumers. The dedicated breach website and call centers were immediately overwhelmed, and consumers were not able to obtain timely information about whether they were affected and how they could obtain identity protection services.
Equifax should have addressed at least two points of failure to mitigate, or even prevent, this data breach. First, Equifax's information technology management structure lacked accountability and clear lines of authority, leading to an execution gap between information technology policy development and operation. This also restricted the company's implementation of other security initiatives in a comprehensive and timely manner. As an example, Equifax had allowed over 300 security certificates to expire, including 79 certificates for monitoring business-critical domains.
Second, Equifax's aggressive growth strategy and accumulation of data resulted in a complex information technology environment. Equifax ran a number of its most critical information technology applications on custom-built legacy systems. Both the complexity and antiquated nature of Equifax's information technology systems made information technology security especially challenging. Equifax recognized the inherent security risks of operating legacy information technology systems, as shown by the legacy infrastructure modernization effort it had begun. This effort, however, came too late to prevent the breach.
Equifax held several officials accountable for the data breach. The Chief Information Officer and Chief Security Officer both took early retirements on September 15, eight days after the public announcement. Equifax's Chief Executive Officer Richard Smith left the company on September 26. On October 2, Equifax terminated Graeme Payne, Senior Vice President and Chief Information Officer for Global Corporate Platforms, for failing to forward an email regarding the Apache Struts vulnerability. Payne, a highly rated employee for seven years and a senior manager of nearly 400 people, managed a number of information technology systems within Equifax, including ACIS. On October 3, Richard Smith testified before Congress, blaming human error and a failure to communicate the need to apply a patch as underlying reasons for the breach.
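The expired certificate on the ACIS traffic-monitoring device, and the 300-plus lapsed certificates noted above, are the control failure that a routine certificate-expiry watch is meant to catch before inspection goes dark. The following Python script is an added example, not part of the Committee's report or of any Equifax tooling; the inventory, asset names, roles and `notAfter` dates are constructed sample data, and it assumes the expiry lines were collected with `openssl x509 -noout -enddate`.

```python
from datetime import datetime, timezone

# Constructed inventory (not from the report): asset name, its role, and the
# line `openssl x509 -noout -enddate` prints for the certificate it serves.
INVENTORY = [
    ("acis-ssl-inspector",  "monitoring", "notAfter=Dec 31 00:00:00 2015 GMT"),
    ("corp-proxy",          "monitoring", "notAfter=Aug 10 00:00:00 2017 GMT"),
    ("legacy-batch-api",    "web",        "notAfter=Mar  1 00:00:00 2017 GMT"),
    ("dispute-portal-edge", "web",        "notAfter=Sep 30 00:00:00 2017 GMT"),
]

# The day the report says the ACIS monitoring certificate was finally renewed.
RENEWAL_DAY = datetime(2017, 7, 29, tzinfo=timezone.utc)


def parse_not_after(line: str) -> datetime:
    """Parse 'notAfter=Mon DD HH:MM:SS YYYY GMT' into an aware UTC datetime."""
    value = line.split("=", 1)[1].strip()
    naive = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def review(inventory, now: datetime, warn_days: int = 30) -> list:
    """Return one finding per certificate that has expired or expires within
    warn_days. 'days' is days until expiry (negative once expired). A lapsed
    certificate on a monitoring device is rated critical: inspection stops
    silently, which is how exfiltration went unseen for 19 months."""
    findings = []
    for asset, role, enddate in inventory:
        days = (parse_not_after(enddate) - now).days
        if days > warn_days:
            continue
        findings.append({
            "asset": asset,
            "status": "expired" if days < 0 else "expiring",
            "days": days,
            "severity": "critical" if role == "monitoring" else "high",
        })
    # Monitoring devices first, then the most overdue certificate first.
    findings.sort(key=lambda f: (f["severity"] != "critical", f["days"]))
    return findings


if __name__ == "__main__":
    for f in review(INVENTORY, RENEWAL_DAY):
        print(f"{f['severity']:<8} {f['status']:<8} {f['days']:>5}d  {f['asset']}")
```

Run daily against the real inventory, the first line of output is the monitoring device whose certificate has been dead the longest, which is the finding a nineteen-month blind spot depends on nobody seeing.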
Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented.
March 7, 2017
Apache Struts Project Management Committee announces the CVE-2017-5638 vulnerability affecting Apache Struts and releases the patch.
March 8, 2017
The United States Computer Emergency Readiness Team (US-CERT) sends Equifax an alert to patch the particular vulnerability in Apache Struts software.
March 9, 2017
Equifax's Global Threat and Vulnerability Management team disseminates the US-CERT notification internally by email, requesting responsible personnel apply the critical patch within 48 hours.
March 10, 2017
First evidence of attackers exploiting the Apache Struts vulnerability on servers connected to the Equifax network.
March 15, 2017
Equifax's Security team runs scans to identify any systems containing the Apache Struts vulnerability. The scans did not detect the vulnerability on any externally facing systems.
May 13, 2017
Attackers enter the Equifax network through the Apache Struts vulnerability located within the Automated Consumer Interview System (ACIS) application and drop web shells onto the Equifax system.
May 13, 2017 to July 30, 2017
Timeframe during which hackers gained unauthorized access to Equifax databases through an Equifax legacy environment. Attackers perform approximately 9,000 queries to sensitive databases within the Equifax system.
July 29, 2017
Equifax renews the expired security certificate for the device monitoring ACIS network traffic. The certificate had been expired for 19 months.
Equifax's Security team observes suspicious network traffic associated with its ACIS web application. In response, Equifax blocks the suspicious traffic.
July 30, 2017
Equifax's Security team continues to monitor network traffic and observes additional suspicious activity. Equifax takes the ACIS application offline.
Graeme Payne, Senior Vice President and Chief Information Officer for Global Corporate Platforms, informs David Webb, Chief Information Officer, of the security incident.
July 31, 2017
Equifax staff determines personally identifiable information may have been exfiltrated as a part of the intrusion.
David Webb informs Chief Executive Officer Richard Smith of the security incident.
August 2, 2017
Equifax engages law firm King and Spalding and hires cybersecurity firm Mandiant to conduct a forensic review of the breach. Equifax also informs the Federal Bureau of Investigation.
August 11, 2017
Mandiant determines hackers may have accessed a database table containing large amounts of consumers' personally identifiable information.
August 17, 2017
Equifax holds a senior leadership team meeting to discuss Mandiant's preliminary findings from the data breach investigation.
August 24, 2017
Mandiant confirms the volume of personally identifiable information accessed and begins to develop an approach with Equifax database owners to determine the identity of affected consumers.
August 24 to 25, 2017
Chief Executive Officer Richard Smith holds telephonic meetings with the Equifax Board of Directors and informs the full Board of the breach.
September 4, 2017
Based on Mandiant's investigation, Equifax compiles a list of 143 million U.S. consumers whose personal information may have been compromised.
September 7, 2017
Equifax notifies the public of the breach. Equifax states the information accessed by attackers included names, Social Security numbers, dates of birth, addresses, driver's license numbers, credit card numbers, and dispute documents.
September 14, 2017
The House Committee on Oversight and Government Reform and the House Committee on Science, Space, and Technology launch an investigation into the Equifax data breach.
September 15, 2017
Equifax Chief Information Officer David Webb and Chief Security Officer Susan Mauldin announce their retirements.
September 26, 2017
Equifax Chief Executive Officer Richard Smith announces his retirement.
October 2, 2017
Mandiant completes its forensic investigation, concluding the potential number of victims was 2.5 million more than originally reported.
Equifax terminates Graeme Payne for failing to forward the March 9 Global Threat and Vulnerability Management email alert regarding the patch for the Apache Struts vulnerability.
October 3, 2017
Richard Smith testifies before the Subcommittee on Digital Commerce and Consumer Protection of the House Committee on Energy and Commerce.
March 1, 2018
Equifax releases updated information on the 2017 breach, indicating the attackers accessed information including names and partial driver's license information of an additional 2.4 million U.S. consumers.