Congress has issued the most detailed report yet on the Equifax data breach, and it is full of lessons for IT security teams.
The report runs to 96 pages; here are the top highlights.
5 key Equifax failures, according to Congress
- Overall failure at cybersecurity: "Entirely preventable. Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues, the data breach could have been prevented."
- IT management failure: "Lack of accountability and management structure. Equifax failed to implement clear lines of authority within their internal IT management structure, leading to an execution gap between IT policy development and operation. Ultimately, the gap restricted the company’s ability to implement security initiatives in a comprehensive and timely manner."
- Big data and legacy systems failure: "Complex and outdated IT systems. Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment. Both the complexity and antiquated nature of Equifax’s custom-built legacy systems made IT security especially challenging."
- Failure to maintain visibility across networks: "Equifax allowed over 300 security certificates to expire, including 79 certificates for monitoring business-critical domains. Failure to renew an expired digital certificate for 19 months left Equifax without visibility on the exfiltration of data during the time of the
- Failure at internal and external incident response: "A list of Equifax database owners did not exist. Therefore, Mandiant had to identify and verify database ownership before it was able to begin its analysis... After Equifax informed the public of the data breach, they were unprepared to identify, alert and support affected consumers. The breach website and call centers were immediately overwhelmed."
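The fourth failure above, an expired certificate on the device that should have been inspecting traffic, comes down to certificate inventory and expiry alerting. The script below is an added example written for this page, not code from the Congressional report or from Equifax. It audits a constructed inventory (hypothetical hosts and dates) against a fixed audit time, flags expired and soon-to-expire certificates, and includes a live check that reports a failed TLS verification as an alert in its own right, because an expired certificate on a monitoring appliance is exactly the case the appliance cannot report for you.

```python
"""Certificate-expiry audit for a monitored-host inventory (added example)."""
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample inventory: hypothetical hosts and dates, not Equifax data.
# "not_after" uses the same string format that ssl.getpeercert() returns.
SAMPLE_INVENTORY = [
    {"host": "tls-inspect.corp.example", "role": "TLS inspection appliance",
     "not_after": "Feb  1 00:00:00 2016 GMT"},
    {"host": "portal.example.com", "role": "customer web portal",
     "not_after": "Sep 15 12:00:00 2017 GMT"},
    {"host": "api.example.com", "role": "partner API gateway",
     "not_after": "Aug 20 00:00:00 2017 GMT"},
]

# Fixed audit time so the run is reproducible (constructed, not a real event date).
AUDIT_TIME = datetime(2017, 7, 29, tzinfo=timezone.utc)


def parse_not_after(value: str) -> datetime:
    """Turn a notAfter string such as 'Feb  1 00:00:00 2016 GMT' into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def classify(entry: dict, now: datetime, warn_days: int = 30) -> dict:
    """Label one inventory entry EXPIRED, EXPIRING (within warn_days) or OK."""
    remaining = parse_not_after(entry["not_after"]) - now
    if remaining < timedelta(0):
        status = "EXPIRED"
    elif remaining <= timedelta(days=warn_days):
        status = "EXPIRING"
    else:
        status = "OK"
    return {"host": entry["host"], "role": entry["role"],
            "status": status, "days": remaining.days}


def audit(inventory: list, now: datetime, warn_days: int = 30) -> list:
    """Classify every entry and return them most urgent first (most negative days first)."""
    return sorted((classify(e, now, warn_days) for e in inventory),
                  key=lambda r: r["days"])


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check: the notAfter of the leaf certificate a server presents.

    Uses a verifying context on purpose: an expired or otherwise invalid
    certificate makes the handshake fail with SSLCertVerificationError, which
    the caller should treat as an alert rather than silently skipping the host.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def live_status(host: str, now: datetime, role: str = "unknown") -> dict:
    """Combine the live fetch with the classifier; verification failures are reported, not dropped."""
    try:
        not_after = fetch_not_after(host)
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "role": role, "status": "VERIFY_FAILED", "detail": str(exc)}
    except OSError as exc:
        return {"host": host, "role": role, "status": "UNREACHABLE", "detail": str(exc)}
    return classify({"host": host, "role": role, "not_after": not_after}, now)


if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY, AUDIT_TIME):
        print(f"{row['status']:<9} {row['days']:>5}d  {row['host']}  ({row['role']})")
```

The notAfter strings in the inventory use the exact format `ssl.getpeercert()` returns, so output from the live check feeds the same classifier. The live check deliberately keeps certificate verification on: the standard library has no public DER parser, so rather than decoding an expired leaf it surfaces the handshake failure as `VERIFY_FAILED`, which is the signal an inventory owner needs to see. Feeding the appliance's own certificate into this loop is the point of the exercise, since a blind inspection device produces no alert of its own.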
As we hear at SecureWorld regional conferences, cybersecurity teams can learn from best practices and also from security mistakes made at other organizations.
You can download the complete Congressional Equifax data breach report here.
Related SecureWorld stories:
Equifax Breach: Will Your Company Get Burned like this on Social Media?