House Report states Equifax Breach was Preventable

A recent report from the House of Representatives shed light on the Equifax data breach:

A House Oversight Committee report out Monday has concluded that Equifax’s security practices and policies were sub-par and its systems were old and out-of-date, and bothering with basic security measures — like patching vulnerable systems — could’ve prevented its massive data breach last year.

It comes a little over a year after Equifax, one of the world’s largest credit rating agencies, confirmed its systems had fallen to hackers. Some 143 million consumers around the world were affected — most of which were in the U.S., but also Canada and the U.K. — with that figure later rising to 148 million consumers. Yet, to date, the company has faced almost no repercussions, despite a string of corporate failings that led to one of the largest data breaches in history.

In summary:

The report confirmed most of what was already known, but added new color and insights that were previously unreported. The credit agency failed to patch a disclosed vulnerability in Apache Struts, a common open source web server, which Homeland Security had issued a warning about some months before. The unpatched Apache Struts server was powering its five-decades-old(!) web-facing system that allowed consumers to check their credit rating from the company’s website. The attackers used the vulnerability to pop a web shell on the server weeks later, and managed to retain access for more than two months, the House panel found, and were able to pivot through the company’s various systems by obtaining an unencrypted file of passwords on one server, letting the hackers access more than 48 databases containing unencrypted consumer credit data.