Sole Equifax security worker at fault for failed patch, says former CEO
Someone failed to order the patch. If it was you, c'mere, have a hug. And a new identity
Recently-and-forcibly-retired Equifax CEO Rick Smith has laid the blame for his credit-check biz's IT security breach on a single member of the company's security team.
In testimony on Tuesday before a US House subcommittee on consumer protection, Smith explained that Equifax has a protocol whereby news of important software patches is communicated to the appropriate people within a certain time. When details of security vulnerability CVE-2017-5638 landed in March 2017, bearing bad news about Apache Struts, that protocol broke down at Equifax due to human error, meaning no one was told to apply patches for the flaw. And, astonishingly, this is all one person's fault rather than an obvious failure for the business as a whole, according to Smith.
Hackers ultimately exploited the Struts bug on Equifax's systems to infiltrate the organization and swipe sensitive personal records, including social security numbers, of more than 140 million folks in the US, UK and Canada.
“The human error was the individual who is responsible for communicating in the organisation to apply the patch, did not,” Smith told the subcommittee at around the 1:05:15 mark in the video below.
Congressman Greg Walden sought clarification of that statement, asking “Does that mean that that individual knew the software was there, and it needed to be patched, and did not communicate that to the team that does the patching? Is that the heart of the issue here?”
Smith's reply was: “That is my understanding, sir.”
Smith said the company had otherwise followed its protocol of distributing information on necessary patches and that in the case of CVE-2017-5638 its procedures were observed, except by the individual mentioned above.
The former CEO said the second cause of the attack was a failure of the automated scanning conducted a week after the patch should have been applied. For as-yet-unknown reasons, the scans did not detect the presence of unpatched Struts installations.
Smith spent more than two-and-a-half hours testifying and, after apologising and taking responsibility for the hack, spent much of that time defending Equifax's decision to withhold news of the hack for many days after discovering it. Smith repeatedly justified the delay on grounds of avoiding further attacks and ensuring consumer protection measures could be in place.
“It did not help that hurricane Irma took down two of our larger call centres in the early days after the breach,” he said.
Committee members were not kind to Smith, who did not flinch in the face of stern criticism of Equifax's security practices and response. He even fired back a little, suggesting that “we need a public-private-partnership to best secure Americans' data going forward.” That idea was modified a little by his interrogators, who suggested regulation of credit bureaux rather than the wider economy. ®