According to a report by the US House Oversight Committee, the 2017 hack at Equifax was completely preventable, TechCrunch reports. The report says the company had substandard security practices and policies, and that its systems were outdated.
In September last year, Equifax, which assesses the creditworthiness of consumers, reported that it had become the victim of hackers. Data on around 148 million consumers worldwide was stolen.
The new report criticizes, among other things, the handling of the hack by former CEO Richard Smith, who “retired” after the hack. He boasted that the company held “almost 1,200 times more” data than the Library of Congress. However, the report states that Equifax had not done enough to “implement an adequate security program to protect this sensitive data”. According to the report, the hack was entirely preventable.
For example, the company failed to detect a vulnerability in Apache Struts, even though Homeland Security had issued a warning about it a few months earlier. The Apache Struts server was running a 50-year-old web-facing system that allowed consumers to view their credit scores via the website.
The attackers used the vulnerability to place a web shell on the server and managed to maintain access for two months. They were then able to comb through the company’s various systems after obtaining an unencrypted file of passwords from a server. This gave the hackers access to more than 48 databases of unencrypted consumer credit data.
The data theft went unnoticed because the device that was supposed to monitor the server’s network traffic had been inactive for 19 months due to an expired security certificate. It took another two months for the certificate to be renewed, after which employees immediately noticed suspicious traffic.
“We are deeply disappointed that the committee has decided not to give us enough time to view and respond to the 100-page report with very technical and important information,” said Equifax spokesman Wyatt Jefferies. “During the few hours we were given to take a first look, we discovered significant inaccuracies and we disagree with many of the findings.”
This news article was automatically translated from Dutch to give Techzine.eu a head start.