No Mr. Equifax CEO, You Don’t Get to Blame One “IT Guy” for Your Breach

Don’t blame former Equifax CEO Richard Smith that 145.5 million U.S. consumers had their most sensitive credit information stolen under his watch, or that just over 15 million in the U.K. suffered the same fate. It really wasn’t his fault.

To some credit, in prepared testimony, when Mr. Smith recently went to Washington he did say that he was “ultimately responsible” for what happened. And he apologized to every person affected by the breach. That apology rings vacant to the millions of people at greater risk of identity theft today as a result of Equifax’s negligence to protect their data adequately.

And thank you for stating the obvious: of course, you are responsible for what happened. However, as the leadership of an enterprise it’s your job to set the priorities and cultural direction that help make sure these types of breaches don’t happen. In that sense, this breach seems very much your fault when one looks at the breach itself, the handling of the breach, and the poor data breach response that placed consumers at further risk.

Mr. Smith doesn’t see it this way. At least he isn’t saying so publicly. Mr. Smith went to considerable effort to blame a single unnamed IT administrator for not patching one of Equifax’s portals. He also blamed a vulnerability assessment for its failure to identify the at-risk Apache Struts software.

These statements unmask a startling misunderstanding of how data are secured. And for Equifax data are the very essence of its business. It is the very reason it exists as a company.

Let’s take a look at the central issues around the vulnerability and patching timelines and then why it makes little sense to blame anyone or any specific failure for this breach.

First, Smith, in his testimony, explained how Equifax reportedly responded to a March 8 advisory from the U.S. CERT. According to his statement, Equifax’s patching policy demanded a 48-hour patch for the software vulnerability. That didn’t occur, obviously.

According to Smith there was a follow-up scan, which appears to have been a scheduled assessment, and this March 15 assessment should have spotted any vulnerable Apache Struts installations. “Equifax’s efforts undertaken in March 2017 did not identify any versions of Apache Struts that were subject to this vulnerability, and the vulnerability remained in an Equifax web application much longer than it should have,” his statement says.

Additionally, “an individual did not ensure communication got to the right person to manually patch the application,” Smith’s testimony reads.

We now know that Equifax suffered a breach sometime between May and late July as a result of that Apache Struts flaw being exploited.

It’s inconceivable that the CEO of any company — especially any company whose primary value rests with being a good steward of data — would blame the breach on bad assessments and communication. Equifax aggregates information on more than 800 million consumers and 88 million businesses. Equifax has one commodity it trades: information, and context on that information and the consumers it reports upon. That’s it.

Unfortunately, Equifax’s total response to the data breach, and Smith’s subsequent statements, show that he was clueless when it came to how Equifax’s key assets should be managed and protected.

Security is a discipline of layered defenses and controls that all contribute to the adequate prevention, detection, and response to a data breach. Nearly every company will fail, to some degree, at prevention. To have a breach of the magnitude Equifax has experienced one has to fail substantially at prevention, detection, and response.

A number of bad assessments and one IT person’s error is not an acceptable reason to fail at data breach prevention, detection, and response — not for a company that is actually trying to secure its assets with adequate security personnel, processes, and tools. And it’s not a reason the world will accept, either.

What could Equifax have done better? According to a story that first broke on Security Boulevard, hints of Equifax slipping in its security efforts had been observed for months by third-party security assessment service BitSight Technologies. In that story, I reported that BitSight graded Equifax an F in Application Security, a D in Patching Cadence, and a C in SPF Domain security. In the other 11 categories that directly impact BitSight’s Security Ratings, Equifax was graded a B or an A.

In the BitSight report one can see the dip in patching attention. Beyond better patching, there also appear to be many things Equifax could have done to increase its chances of thwarting the attack, or of mitigating it by detecting and responding sooner through better asset controls, systems segmentation, and monitoring.

Now, I’m not familiar with everything Equifax had in place; I’m basing this opinion on what we now know. I’m certain we will know a lot more about Equifax’s IT environment after the Congressional inquiries and class action lawsuits are finished.

But certainly the breach is not the fault of bad assessment processes and one IT worker. Equifax could certainly have identified the breach had they been looking more closely at application, server, and security device logs. Network monitoring could have picked up data exfiltration across the network. There are many security systems that, if properly installed, maintained, and used, could have detected the breach much more rapidly. Better asset management and developer practices could also have played a role, and are areas that could be tightened.

Perhaps Equifax did have such security defenses in place. Based on how everything has happened since the breach, I very much doubt they did. Just looking at the late breach announcement, the execs selling stock after the company knew of the breach, the class action waiver that made it into the boilerplate legalese for accessing its free credit monitoring for affected people, and sending people to a phishing website during the response — all clearly present a company devoid of a plan or the ability to execute on one.

Even if they did, those systems would also have failed — and that, again, would not be just a communication failure by “one IT guy” or a single botched assessment. It would be a systemic security failure.

Further, the breach of a single server is something a company should anticipate – especially a company such as Equifax – so it should have been on continuous lookout for indicators of compromise.

No, Mr. Smith – you do not get to blame one “IT guy” and a single missed patch for this breach. A good information security program doesn’t work that way, and someone who ran a business whose most important asset was highly sensitive data and the context around that data should have known this.

George V. Hulme