
What the GAO Report missed about the Equifax data breach

The Government Accountability Office did its part to deliver some closure regarding the Equifax data breach by way of a newly published report on the now-infamous security incident.

The GAO report offers a comprehensive look at the numerous missteps made by Equifax, which allowed attackers to maintain a presence in the company’s network for 76 days and extract massive amounts of personal data without being detected. Those errors included having an outdated recipient list of system administrators for vulnerability alerts and an expired digital certificate, which led to a misconfiguration in Equifax’s network inspection system.

But for all its merits, the GAO’s report on the Equifax data breach omits or minimizes important parts of the story. Here are five things that were left out of the report.

  1. Website “issues”: The GAO noted the breach checker website that Equifax set up for consumers suffered from “several technical issues, including excessive downtime and inaccurate data.” But that’s hardly an adequate description of what ailed the website. For starters, the domain resembled a classic phishing URL. It was also built on a stock version of WordPress (was the company trying to get hacked again?), it was vulnerable to cross-site scripting attacks, and the site’s TLS certificate didn’t perform revocation checks. These are significantly bigger problems than website downtime.
  2. PIN problems: If the assortment of flaws with the breach checker website wasn’t enough, astute observers also discovered that the PINs generated for consumers who froze their credit files weren’t random, non-consecutive numbers – they were the date and time a consumer made the freeze request. As a result, the chances of threat actors guessing your code are significantly higher than they would be if the PIN digits were randomly selected.
  3. Encryption: This is the biggest omission in the Equifax breach report. While the report does mention encryption several times, it’s never in regard to the personally identifiable information that was exposed by the breach, and how encryption could have protected that data even after the attackers gained access to Equifax’s environment. Instead, the majority of the encryption talk is around how the threat actors abused existing encrypted communication channels to avoid detection when they issued commands and exfiltrated data. Encryption is obviously a sensitive topic within the federal government, but it’s as if the GAO is more concerned with how encryption helped the attackers rather than with how it could have stopped them.
  4. Insider trading: The GAO report doesn’t include any references to the former Equifax executive who was charged with insider trading by the Department of Justice. Jun Ying, the former CIO of Equifax’s U.S. Information Systems business unit, allegedly used non-public information about the breach to exercise his vested options and sell all of his shares. While the case has no direct bearing on Equifax’s infosec posture, past or present, it’s a painful reminder that insider trading can be a by-product of enterprise breaches. Omitting any mention of Ying and the insider trading case from an accountability report seems like a missed opportunity for the federal government to address what could become a recurring problem as breaches increase in frequency.
  5. Lack of incident response plan: Incident response is sparsely mentioned in the report, and when the GAO does mention it, it’s in the footnotes. For all the faults and errors laid out in the Equifax breach report, the GAO fails to identify a fundamental problem: the company apparently didn’t have a functional incident response plan in place. This led to Equifax not only making several errors with its breach checker website but also later missteps, such as not knowing whether the company had encrypted consumer data post-breach. A solid, proper incident response plan would have saved Equifax a lot of trouble in the aftermath of the attack.
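To make the PIN problem in item 2 concrete, here is an added illustration (not Equifax's code) that compares a timestamp-derived PIN with one drawn from a cryptographic random source. The exact digit layout Equifax used is not on this page; the MMDDYYHHMM layout below is an assumption chosen only to reproduce the property described above, namely that the PIN is the date and time of the freeze request, so requests made a minute apart get adjacent PINs. The functions take ISO 8601 timestamps and return the PIN, the size of each scheme's guess space, and its entropy in bits.

```python
"""Timestamp-derived PIN vs. random PIN: how much guessing each one requires.

Added example, not code from Equifax or the GAO report. The MMDDYYHHMM layout
is an assumption used to model "the PIN is the date and time of the request".
"""
import math
import secrets
from datetime import datetime, timedelta

PIN_LENGTH = 10  # assumed: a 10-digit PIN, matching the MMDDYYHHMM layout


def weak_pin_from_timestamp(requested_at_iso: str) -> str:
    """Weak scheme (assumed layout): the PIN is just the request time, MMDDYYHHMM."""
    requested_at = datetime.fromisoformat(requested_at_iso)
    return requested_at.strftime("%m%d%y%H%M")


def strong_pin(length: int = PIN_LENGTH) -> str:
    """Recommended scheme: each digit comes from the OS CSPRNG via `secrets`."""
    return "".join(secrets.choice("0123456789") for _ in range(length))


def pin_step(requested_at_iso: str) -> int:
    """Difference between the weak PINs of two requests one minute apart.

    Within the same hour this is exactly 1; at hour/day boundaries the jump is
    larger, but the PIN stays a function of public-ish timing rather than chance.
    """
    start = datetime.fromisoformat(requested_at_iso)
    first = int(weak_pin_from_timestamp(start.isoformat()))
    second = int(weak_pin_from_timestamp((start + timedelta(minutes=1)).isoformat()))
    return second - first


def weak_search_space(window_days: int) -> int:
    """Distinct PINs the weak scheme can emit over a window: one per minute."""
    return window_days * 24 * 60


def strong_search_space(length: int = PIN_LENGTH) -> int:
    """Distinct PINs a uniformly random n-digit scheme can emit."""
    return 10 ** length


def entropy_bits(space: int) -> float:
    """Entropy of a uniform choice over `space` values, in bits."""
    return math.log2(space)


if __name__ == "__main__":
    sample = "2017-09-12T15:20"  # constructed request time
    print("weak PIN for", sample, "->", weak_pin_from_timestamp(sample))
    print("next-minute PIN differs by", pin_step(sample))
    print("weak space over a year:", weak_search_space(365),
          f"({entropy_bits(weak_search_space(365)):.1f} bits)")
    print("random 10-digit space:", strong_search_space(),
          f"({entropy_bits(strong_search_space()):.1f} bits)")
    print("random PIN:", strong_pin())
```

Over a full year the timestamp scheme yields only 525,600 possible values (about 19 bits), and an attacker who knows roughly when a victim filed the freeze narrows that further; a uniformly random 10-digit PIN has 10 billion values (about 33 bits) with no relationship between one consumer's PIN and the next.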

1 comment

You're on the right track but missing some context.  From having been involved in many breaches over the years, here's some more perspective. 
#1 - it was the "PR firm" they used that had that WordPress site... lesson is even big PR firms are bad at this.  Make sure you get a good PR firm that won't just expect this is a brush-off moment.  "Good" means the PR firm isn't expecting this to "blow over in a few weeks like all the other breaches".  Companies use PR firms for breach sites so that they don't telegraph the release by using their own corporate identity preparing the domain, etc. and because most companies don't have enough PR or IT expertise on staff full time.
#2 Non-story.  Their PIN was like 8-12 digits and the site would lock you out and fraud-flag you after a handful of tries.  I pen-tested it repeatedly.  There was no risk of brute force attacks and multiple guesses.  Yes, the PIN should have been random.  
#3 Encryption.  Ah, the magic panacea.  Encryption of what and how? You mean in-transit? at-rest? (file level? database level? db column or row level? etc.) or even in memory?  Even if you have the database encrypted, if the attacker gets the authorized program to pull the data that decrypts it.  Or the attacker gets the db admin username and password, that bypasses the most common TDE, etc.  Saying "Encryption" is like saying "technology" ... it's meaningless unless you have more context.  You don't know what they had encrypted or how it was bypassed, so hard to draw any conclusions other than EVERY company needs to do better. Duh.  90% of companies I test aren't doing this properly so that's a common issue not a sign of incompetence.
#4 Right, there is a lesson here.  I've noticed in multiple cases that some non-US born workers have not heard of insider trading, don't understand it, and/or don't take it seriously.  The OTHER insider trading issue Equifax had was an Indian developer.  So companies need to train ALL their folks better, and don't take it for granted that everybody is starting with the same understanding of US law.  Hello banks... paying attention? 
This isn't bashing anybody, just pointing out the risk and background that impacts it.  Judging from some social media comments even US-born workers are sometimes incredulous they can't sell their stock before it gets hammered.  Note to self- don't buy stock in your own company and you won't be tempted by this dilemma... it's not worth risking 10-20 years in jail!
#5 As I noted in #1... it looks like their "plan" (if you call it that) was to use a well-respected PR firm to help with the technical bits.  Oops.  I bet they don't use them any longer.  Even if you have a competent PR firm... are YOU dealing with the competent team, or a local junior varsity branch? (e.g. the NY-based firm is good but you are talking to the local Nashville branch... your mileage may vary).
The story ends with the conclusion that the CEO, CIO, and CISO all deserved to get fired.  The sad part is some of them got golden parachutes... but you can't recruit top talent replacements if you set the last guys on fire in the town square.
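The commenter's point in #2 is that a lockout and fraud flag after a handful of failed tries limits what a predictable PIN is worth to a guesser. The following is an added example of that server-side control, written here for illustration and not the commenter's or Equifax's code; the threshold of five failures, the 15-minute lockout, and the PBKDF2 parameters are assumptions. The PIN is stored only as a salted hash, comparison is constant-time, and a correct PIN is rejected while the lockout is in force.

```python
"""PIN verification with failed-attempt counting, lockout and a fraud flag.

Added example, not production code from Equifax. Thresholds are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5      # assumed: lock after the fifth consecutive failure
LOCKOUT_SECONDS = 15 * 60    # assumed: 15-minute lockout
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the stored PIN hash


@dataclass
class Account:
    salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked
    fraud_flagged: bool = False


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a leaked table does not reveal PINs directly."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


def create_account(pin: str) -> Account:
    """Store only the salted hash of the PIN, never the PIN itself."""
    salt = secrets.token_bytes(16)
    return Account(salt=salt, pin_hash=hash_pin(pin, salt))


def verify_pin(acct: Account, attempt: str, now: float) -> str:
    """Return "ok", "denied" or "locked"; `now` is epoch seconds (injected for testing).

    A correct PIN is still refused while the account is locked, so the lockout
    cannot be bypassed by simply continuing to guess.
    """
    if now < acct.locked_until:
        return "locked"
    # Constant-time compare of the two digests avoids a timing side channel.
    if hmac.compare_digest(hash_pin(attempt, acct.salt), acct.pin_hash):
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.fraud_flagged = True   # surfaces the account for review
        acct.failed_attempts = 0
        return "locked"
    return "denied"


if __name__ == "__main__":
    acct = create_account("0912171520")   # constructed sample PIN
    for i in range(6):
        print(i + 1, verify_pin(acct, "0000000000", now=float(i)))
    print("flagged:", acct.fraud_flagged)
    print("correct PIN during lockout:", verify_pin(acct, "0912171520", now=10.0))
```

In a real deployment the counter and lock state would live in a shared store keyed by account, and the fraud flag would feed the review queue the commenter describes; the logic above is the part that decides when to stop answering.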