In this week’s Risk & Repeat podcast, SearchSecurity editors discuss the Government Accountability Office’s report on the Equifax breach and the questions it raises.
The U.S. Government Accountability Office offered a detailed postmortem on the 2017 Equifax data breach, including new details about what led to the incident.
The Equifax breach report revealed that threat actors began scanning the credit reporting agency’s systems for an Apache Struts vulnerability just two days after the vulnerability was publicly disclosed.
And while the Apache Struts bug enabled the attackers to gain a foothold in Equifax’s network, the Government Accountability Office (GAO) report shows the vulnerability was just one of many missteps that contributed to the breach. Those errors include failing to detect the 9,000 database queries the threat actors made in search of valuable data, failing to catch the data exfiltration because of a misconfiguration, and relying on an outdated recipient list of the system administrators who should have been notified of the Apache Struts flaw.
In addition, the Equifax breach report describes how U.S. government agencies were unclear about which federal agency, if any, was coordinating the response effort; the U.S. Department of Homeland Security offered assistance, but Equifax turned it down. Several agencies, including the IRS, the U.S. Postal Service and the Social Security Administration, used Equifax’s identity verification services at the time of the breach.
What were the biggest lessons learned from the Equifax data breach report? What did the GAO investigation miss? Should companies like Equifax that handle massive amounts of personal data be subject to greater government oversight? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.