The Equifax hack, exposing 143 million people’s personal data to unknown cybercriminals starting in March but not made public until mid-September, was entirely avoidable. The company was using out-of-date software with known security weaknesses. But it appears that with Equifax, as with many organizations, those were just the beginning of the problems.
During the past three decades we’ve researched, developed and tested millions of lines of software for many purposes, including national defense and security, telecommunications, financial services, health care and online gaming. Over the years we’ve observed that the technical means by which a breach happens often reveal software vulnerabilities that need fixing.
But when the digital weaknesses are publicly known before an attack happens — as with the Equifax case — the more important element is why companies don’t move more quickly to protect themselves and the people whose data they store. As suggested by the sudden departure of three top leaders (including the CEO) at Equifax, some of the problem is technical, but another big reason has to do with management and organizational structure.
Equifax, like most Fortune 100 firms, was using an open-source software platform called Apache Struts to run parts of its website. Every major piece of software has vulnerabilities, almost inevitably. When they’re found, typically the company or organization that writes the software creates a fix and shares it with the world, along with notifications that users should update to the latest version. For regular people, that is often as easy as clicking a button to agree to update an operating system or software application.
For businesses, the process can be much harder. In part that’s because many companies use complex systems of interacting software to run their websites. Changing one element may affect the other parts in unpredictable ways. This problem is especially true when companies use the same hardware and software for many years and don’t keep up with every update along the way. It only makes matters worse when businesses outsource their software development and maintenance, denying themselves in-house expertise to call on when problems arise.
The best practices of cyber hygiene suggest combining development and operations (known as “DevOps”) to simplify the process of regular and prompt patches and updates. Not practicing good cyber hygiene is like a doctor not washing her hands: scrubbing up takes extra time and energy, but it protects thousands of patients from infection.
When cyber hygiene works well, it’s quite effective. In April 2017, news broke of a major flaw in iOS and Android systems that allowed hackers to remotely take over smartphones via Wi-Fi. Google and Apple immediately addressed the issue and distributed patches to fix it. This quick response indicates those companies have development and operations processes that meet industry standards for rapid and reliable writing, testing and rollout of software updates.
Trouble at the top
Beyond the inherent challenges in technology and in current business practices, corporate management can play a significant role in whether problems become disasters.
Companies that have systems for regular investment in software maintenance and rapid reaction to security vulnerabilities can respond to problems very quickly, as Apple and Google did. Equifax’s slow response suggests it wasn’t well prepared that way. And the company’s history of outsourcing development to remote off-shore locations suggests there may not have been anyone in-house who had worked on the software needing updating.
Making matters worse, the chief security officer, who retired along with the company’s chief information officer and CEO in the wake of the breach, appears not to have a technical background. That could help explain why Equifax experienced back-to-back breaches requiring outside assistance: the first in March and another in July.
Well-run companies have top executives who know the importance of having cybersecurity teams ready to work around the clock when vulnerabilities arise. And leaders need to understand the risks of placing sensitive information online, rather than the safer practice of storing it on computers disconnected — or “air-gapped” — from the internet. Unfortunately, when senior executives at companies aren’t tech-savvy, they often lack understanding of what’s at stake and how to quickly protect valuable information.
A long road ahead
It looks like Equifax’s troubles aren’t close to being over. After the major breach was revealed, it didn’t take long for victims to discover that even their attempts to freeze their credit would be thwarted by other examples of Equifax’s poor cyber hygiene: The company-created PIN a customer would use to unfreeze credit was based on the date and time of the freeze request, and therefore potentially guessable by an attacker.
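As an added illustration (not code from the original article), the following compares a PIN derived from the freeze timestamp with one drawn from the operating system's cryptographic random source, and measures how far the timestamp scheme shrinks the guess space once a request date is known; the MMDDYYhhmm layout and the example date are assumptions for demonstration, not Equifax's documented scheme.

```python
"""Measure how far a timestamp-derived PIN collapses the guess space, and
generate one from a CSPRNG instead. The MMDDYYhhmm layout is an assumption
for illustration, not Equifax's documented scheme."""
import math
import secrets
from datetime import datetime, timedelta

PIN_DIGITS = 10
FULL_KEYSPACE = 10 ** PIN_DIGITS  # every 10-digit string is a possible PIN


def timestamp_pin(requested_at: datetime) -> str:
    """Weak scheme: the PIN is a pure function of when the freeze was requested.
    Layout assumed here: month, day, 2-digit year, hour, minute."""
    return requested_at.strftime("%m%d%y%H%M")


def random_pin(n_digits: int = PIN_DIGITS) -> str:
    """Hardened scheme: draw the PIN from the OS CSPRNG, keeping leading zeros."""
    return str(secrets.randbelow(10 ** n_digits)).zfill(n_digits)


def timestamp_keyspace(window_start: datetime, window_end: datetime,
                       step: timedelta = timedelta(minutes=1)) -> int:
    """Count the distinct PINs the weak scheme can emit for requests made inside
    [window_start, window_end]; at minute resolution that is one per minute."""
    seen = set()
    t = window_start
    while t <= window_end:
        seen.add(timestamp_pin(t))
        t += step
    return len(seen)


def effective_bits(keyspace: int) -> float:
    """Entropy an uninformed guesser faces, in bits (log2 of the candidate count)."""
    return math.log2(keyspace)


if __name__ == "__main__":
    day = datetime(2017, 9, 8)  # constructed example date
    weak = timestamp_keyspace(day, day + timedelta(hours=23, minutes=59))
    print(f"timestamp PIN for {day:%c}: {timestamp_pin(day)}")
    print(f"weak scheme, request date known: {weak} candidates "
          f"({effective_bits(weak):.1f} bits)")
    print(f"random scheme: {FULL_KEYSPACE} candidates "
          f"({effective_bits(FULL_KEYSPACE):.1f} bits), e.g. {random_pin()}")
```

The point for a defender is the ratio: a ten-digit PIN nominally offers about 33 bits, but deriving it from a minute-resolution timestamp leaves roughly 10 bits once the request day is known, so the PIN must come from a CSPRNG and be rate-limited on entry.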
More recently, the company’s official Twitter account repeatedly directed the public not to its own security site but to a phishing site seeking to trick people into disclosing their personal information.
All these problems, on top of Equifax’s slowness in repairing the key software vulnerabilities, point to corporate management as a crucial element in preventing and recovering from security breaches — or making them worse.
Douglas C. Schmidt is professor of Engineering, Computer Science and Computer Engineering at Vanderbilt University and Jules White is assistant professor of Computer Science at Vanderbilt University.