A class-action lawsuit brought upon by former shareholders of credit rating agency Equifax has claimed that the 2017 data breach was the inevitable result of widespread shortcomings in Equifax’s data security systems and that the agency's data protection measures failed to meet the most basic industry standards.
Earlier this year, the US credit rating agency Equifax agreed to pay up to $700m (£561m) to the Federal Trade Commission and state governments as a final settlement amount for the massive data breach it suffered in 2017 that compromised personal details of approximately 147 million people.
The settlement amount included up to $300 million to fund credit monitoring services and other out-of-pocket expenses for millions of citizens whose personal details were compromised by the data breach.
The massive data breach had also resulted in the compromise of driving license numbers, Equifax usernames, passwords, email addresses and partial credit card details of 693,665 British customers as well as phone numbers of a further 167,431 British customers.
"Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud," said Joe Simons, chairman of FTC.
FTC noted that June 2017, Equifax was not aware that its ACIS database was vulnerable to unauthorised access and by then, hackers had exploited its flaws to gain access to an unsecured file that included administrative credentials stored in plain text.
Using these administrative credentials, the hackers then gained access to vast amounts of consumers’ personally identifiable information that included at least 147 million names and dates of birth, 145.5 million Social Security numbers, and 209,000 payment card numbers and expiration dates.
Equifax had no visible cyber security policies in place, claim shareholders
A fresh class action lawsuit introduced by US citizens who purchased shares of Equifax between February 25, 2016 and September 15, 2017, has mentioned that Equifax' cyber security prior to the data breach was "dangerously deficient" and that the agency's data protection measures failed to meet the most basic industry standards.
The lawsuit document read that the 2017 data breach "was the inevitable result of widespread shortcomings in Equifax’s data security systems", and that Equifax’s data protection measures were “grossly inadequate,” “failed to meet the most basic industry standards,” and “ran afoul of the well-established mandates of applicable data protection laws.”
"These shortcomings spanned a number of facets of cybersecurity practices, including a failure to implement proper patching protocols, failure to encrypt sensitive information, the storage of sensitive data on public-facing servers, the use of inadequate network monitoring practices, the use of obsolete software, and more," it read.
The plaintiffs added that while Equifax failed to implement an adequate patch management process, it also relied upon a single individual to manually implement its patching process across its entire network. As the individual had no way to know where vulnerable software in need of patching was being run on Equifax’s systems, the patching process fell far short of industry standards.
They also told the U.S. District Court that while Equifax failed to encrypt personal data of millions of its customers, when the agency did encrypt some data, it stored the corresponding encryption keys on the same public-facing servers, making it easy for hackers to decrypt all the data.
In probably the most worrying allegation, the plaintiffs claimed that Equifax' employees used the username "admin" and the password "admin" to log in to a credit disputes management protal that contained a vast trove of personal information, and that Equifax "relied upon four digit pins derived from Social Security numbers and birthdays to guard personal information, despite the fact that these weak passwords had already been compromised in previous breaches".
They also stated that Equifax failed to even maintain activity logs that allow companies to identify unauthorised users, did not set up processes for tracking malicious scripts, and did not implement file integrity monitoring, thereby leaving its systems wide open to unauthorised access and resulting in hackers' enjoying access to sensitive data for over 75 days.
No PAM, no encryption, no password policy, no activity logging, no segmentation
Equifax' cyber security failures also included its failure to implement network segmentation to isolate customer data, leaving thousands of servers exposed on the Internet, failing to create privileged access management policies to restrict wholesale access of employees to customer data, and most importantly, failing to develop a data breach management plan.
"This simply reinforces the notion that good Privileged Access Management practices are the best defense against bad actors. Had the Equifax breach been the result of an extremely smart and motivated hacker doing something amazing to get the data, that would have been one thing.
"But since it’s the case of the target ignoring the bare-minimum of best practices and paying a significant price for the oversight, what happened is alarming. In the case of Equifax, simply doing what’s right (which would have taken about 1 minute to implement) would have saved the company from a world of trouble," says Todd Peterson, IAM evangelist at One Identity.
"Organisations should not treat database security any differently from other security. For instance, they should avoid sharing the admin password. In circumstances when the admin password is issued, they need to make sure they know who it was issued to, for what purpose, and that this has been documented. When employees have admin access, their actions need to be monitored.
"Finally, organisations must implement analytics to determine if and when someone may have gained admin access without their knowledge or permission. To maintain these protocols, organisations should implement a comprehensive and well-designed PAM program and ensure that it includes databases and DBAs along with all other privileged users and admin accounts across all systems," he adds.