The Government Accountability Office (GAO) released its report Friday on the major breach that occurred at Equifax in 2017. The report summarizes the events surrounding the breach and the steps taken by Equifax to assess, respond to, and recover from the incident and also describes actions by federal agencies to respond to the breach. GAO reviewed documents from Equifax and its cybersecurity consultant related to the breach and visited the Equifax data center in Alpharetta, Ga., to interview officials and observe physical security measures. GAO also reviewed relevant public statements filed by Equifax and analyzed documents from the Internal Revenue Service (IRS), Social Security Administration (SSA), and U.S. Postal Service (USPS).
In July 2017, Equifax system administrators discovered that attackers had gained unauthorized access via the Internet to the online dispute portal that maintained documents used to resolve consumer disputes. The Equifax breach resulted in the attackers accessing personal information of at least 145.5 million individuals. Equifax’s investigation of the breach identified four major factors including identification, detection, segmenting of access to databases, and data governance that allowed the attacker to successfully gain access to its network and extract information from databases containing personally identifiable information. Equifax reported that it took steps to mitigate these factors and attempted to identify and notify individuals whose information was accessed. The company’s public filings since the breach occurred reiterate that the company took steps to improve security and notify affected individuals.
The breach involved at least 9,000 queries to 51 databases over a period of 76 days. Attackers began scanning Equifax’s systems for a vulnerability in Apache Struts within two days of the vulnerability’s public disclosure. While the flaw was located quickly, GAO finds Equifax’s own systems not only failed to find the vulnerability, they failed to spot the intrusion for weeks following its initial success.
The GAO report points to a number of different issues at Equifax, each contributing to the possibility and severity of the breach. The security issues ranged from bad network architecture to a failure to establish limits on the number of database queries possible from a single address.
GAO reports that IRS, SSA, and USPS, three of the major federal customer agencies that use Equifax’s identity verification services, conducted assessments of the company’s security controls, which identified a number of lower-level technical concerns that Equifax was directed to address. The agencies also made adjustments to their contracts with Equifax, such as modifying notification requirements for future data breaches. In the case of IRS, one of its contracts with Equifax was terminated.
The Department of Homeland Security offered assistance in responding to the breach; however, Equifax reportedly declined the assistance because it had already retained professional services from an external cybersecurity consultant. In addition, the Bureau of Consumer Financial Protection and the Federal Trade Commission, which have regulatory and enforcement authority over consumer reporting agencies such as Equifax, initiated an investigation into the breach and Equifax’s response in September 2017. The investigation is ongoing.
While GAO is not making recommendations in this report, it plans to issue separate reports on federal oversight of consumer reporting agencies (CRAs) and consumer rights regarding the protection of personally identifiable information collected by such entities.
