In what is already being called one of the worst data breaches of its kind, Equifax announced on Thursday, September 7, that approximately 143 million people in the U.S.—nearly half of the country’s population—along with an unspecified number of people in Canada and the U.K., could be affected by a cybersecurity incident that occurred between mid-May and July 29. As an international credit reporting agency based in Atlanta, Equifax holds the sensitive data of nearly 820 million people and over 91 million businesses around the globe.

When data breaches occur—especially ones with a critical impact and a large number of affected consumers, such as the recent Equifax incident—the public rightly deserves to know the facts of the situation. A global, well-funded organization such as Equifax should certainly have the internal resources and expertise to design and implement a comprehensive cybersecurity program, so a logical question to ask is, “Why was a vulnerable Internet-facing system left unpatched for so long?”

Given the size of the company and the nature of its business (Equifax collects and provides personal information on many consumers as part of credit checks and other inquiries), it seems fair to assume that Equifax’s internal cybersecurity and IT experts understand and are accountable for proper cybersecurity measures, and that the company’s cybersecurity program is adequately funded and staffed. According to the details Equifax has made available, the breach resulted from an unpatched vulnerability in a commonly used web application framework (Apache Struts). The vulnerability was discovered and reported, and a patch was issued, in March of this year, but Equifax did not apply the patch to the system that would later be compromised.

Three Key Things to Consider When Examining Root Cause of a Data Breach

Since Equifax apparently has a vulnerability management process that involves regularly scanning and patching its systems, many are questioning how this intrusion came to be, and why the company’s processes failed to identify the vulnerability and apply the patch. In examining the root cause of this data breach, here are three key things to consider:

1. Accidents Happen

Even for companies that have mature cybersecurity processes in place, missteps or control failures can occur. In the case of the Equifax data breach, it is very likely that the company had a robust security program in place; however, the Apache Struts vulnerability was apparently suppressed in the company’s vulnerability reporting system, so it never appeared in the system’s reports. Had the issue shown up on the report properly, the company’s threat and vulnerability experts could have notified the responsible teams and followed up to ensure that the proper patches were installed. A second, independent vulnerability validation process (see item 3 below) could have helped in this case. Note that vulnerability suppression is not an excuse for this breach; rather, it is an example of how control processes are not infallible.

2. Cyber Attacks are Inevitable

Companies with large troves of sensitive data in their systems, and especially ones in the sensitive data business, should expect to be targets for attackers in search of data that can be used for identity theft, credit card fraud, or insurance fraud. Equifax was no doubt aware of such threats; even so, a proactive approach to cybersecurity can be the best strategy for safeguarding against these inevitable attacks.

3. A Layered, Defense-In-Depth Strategy Can Help

A layered, defense-in-depth strategy, such as the one we espouse at LBMC Cybersecurity, includes multiple, layered security controls so that there is rarely a reliance on a single control to provide sole and complete protection, as well as periodic inspections of a company’s security posture to validate that controls are functioning as intended. The Equifax breach did not originate from a failure to implement an information security program, but from a failure in at least one control process within that program. When it comes to vulnerability management, high-risk organizations would be well served to have a second vulnerability scanning process that serves as a “double check” of the company’s externally accessible systems, ensuring that all security vulnerabilities are identified, categorized, inventoried, and remediated in a timely manner. Ideally, this second scanning process should use a separate vulnerability scanning engine and be run by a department or entity independent of the internal function that conducts the primary scanning. Had Equifax implemented a secondary vulnerability scanning process, it is likely that the Struts vulnerability would have been detected and added to the company’s vulnerability management efforts, and the breakdown in the primary scanning process would also have been detected and could have been addressed.
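As an added illustration (not LBMC’s or Equifax’s code), the reconciliation step of such a double check in Python: it compares the primary engine’s visible findings, the findings that engine suppressed, and an independent second engine’s findings for the same hosts, and escalates anything the primary process would not have acted on. Hostnames and CVE ids are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

@dataclass(frozen=True)
class Finding:
    host: str       # externally reachable system the scanner examined
    cve: str        # weakness identifier (placeholders below, not real CVEs)
    severity: str   # scanner's rating, carried along for triage

def _key(f: Finding) -> Tuple[str, str]:
    # Engines name their checks differently; host + CVE is the common
    # denominator for matching the same weakness across two scanners.
    return (f.host, f.cve)

def reconcile(primary_report: Iterable[Finding],
              primary_suppressed: Iterable[Finding],
              secondary_report: Iterable[Finding]) -> Dict[str, List[Finding]]:
    """Compare the primary engine's visible report (and what it suppressed)
    against an independent second engine's scan of the same hosts."""
    visible = {_key(f): f for f in primary_report}
    hidden = {_key(f): f for f in primary_suppressed}
    secondary = {_key(f): f for f in secondary_report}
    result: Dict[str, List[Finding]] = {
        "confirmed": [], "suppressed_but_live": [], "missed_by_primary": []}
    for k in sorted(secondary):
        f = secondary[k]
        if k in visible:
            result["confirmed"].append(f)            # both engines agree
        elif k in hidden:
            result["suppressed_but_live"].append(f)  # hidden in primary, still present
        else:
            result["missed_by_primary"].append(f)    # primary engine never recorded it
    return result

# Constructed sample data: placeholder hostnames and CVE ids, not real findings.
PRIMARY_REPORT = [Finding("web-01.example.test", "CVE-0000-0001", "high")]
PRIMARY_SUPPRESSED = [Finding("web-01.example.test", "CVE-0000-0002", "critical")]
SECONDARY_REPORT = [
    Finding("web-01.example.test", "CVE-0000-0001", "high"),
    Finding("web-01.example.test", "CVE-0000-0002", "critical"),
    Finding("web-02.example.test", "CVE-0000-0003", "medium"),
]

def escalations() -> List[Tuple[str, str]]:
    """Findings the independent scan shows but the primary process would not act on."""
    r = reconcile(PRIMARY_REPORT, PRIMARY_SUPPRESSED, SECONDARY_REPORT)
    return [(f.host, f.cve) for f in r["suppressed_but_live"] + r["missed_by_primary"]]
```

The two escalated items are exactly the failure modes the post describes: a finding the primary process suppressed, and a finding the primary engine never recorded at all.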