• Review the Equifax breach article in the attached file. Please provide a detailed description of how the attack occurred. Also discuss what factors from policy, personnel, and technology perspectives that

U.S. House of Representatives
Committee on Oversight and Government Reform

The Equifax Data Breach
Majority Staff Report
115th Congress
December 2018

Executive Summary

On September 7, 2017, Equifax announced a cybersecurity incident affecting 143 million consumers. This number eventually grew to 148 million — nearly half the U.S. population and 56 percent of American adults. This staff report explains the circumstances of the cyberattack against Equifax, one of the largest consumer reporting agencies (CRA) in the world.

Equifax is one of several large CRAs in the United States. CRAs gather consumer data, analyze it to create credit scores and detailed reports, and then sell the reports to third parties. Consumers do not voluntarily provide information to CRAs, nor do they have the ability to opt out of this information collection process. Though CRAs provide a service in facilitating information sharing for financial transactions, they do so by amassing large amounts of sensitive personal data — a high-value target for cyber criminals.[1] Consequently, CRAs have a heightened responsibility to protect consumer data by providing best-in-class data security.

In 2005, former Equifax Chief Executive Officer (CEO) Richard Smith embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, information technology (IT) systems, and data. While the acquisition strategy was successful for Equifax’s bottom line and stock price, this growth brought increasing complexity to Equifax’s IT systems and expanded data security risks. In August 2017, three weeks before Equifax publicly announced the breach, Smith boasted Equifax was managing “almost 1,200 times” the amount of data held in the Library of Congress every day.[2] Equifax, however, failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable.

On March 7, 2017, a critical vulnerability in the Apache Struts software was publicly disclosed. Equifax used Apache Struts to run certain applications on legacy operating systems. The following day, the Department of Homeland Security alerted Equifax to this critical vulnerability. Equifax’s Global Threat and Vulnerability Management (GTVM) team emailed this alert to over 400 people on March 9, instructing anyone who had Apache Struts running on their system to apply the necessary patch within 48 hours. The Equifax GTVM team also held a March 16 meeting about this vulnerability. Equifax, however, did not fully patch its systems. Equifax’s Automated Consumer Interview System (ACIS), a custom-built internet-facing consumer dispute portal developed in the 1970s, was running a version of Apache Struts containing the vulnerability. Equifax did not patch the Apache Struts software located within ACIS, leaving its systems and data exposed.

On May 13, 2017, attackers began a cyberattack on Equifax. The attack lasted for 76 days. The attackers dropped “web shells” (a web-based backdoor) to obtain remote control over Equifax’s network. They found a file containing unencrypted credentials (usernames and passwords), enabling the attackers to access sensitive data outside of the ACIS environment. The attackers were able to use these credentials to access 48 unrelated databases. Attackers sent 9,000 queries on these 48 databases, successfully locating unencrypted personally identifiable information (PII) data 265 times. The attackers transferred this data out of the Equifax environment, unbeknownst to Equifax. Equifax did not see the data exfiltration because the device used to monitor ACIS network traffic had been inactive for 19 months due to an expired security certificate.

On July 29, 2017, Equifax updated the expired certificate and immediately noticed suspicious web traffic. After updating the security certificate, Equifax employees identified suspicious traffic from an IP address originating in China. The suspicious traffic exiting the ACIS application potentially contained image files related to consumer credit investigations. Equifax discovered it was under active attack and immediately launched an incident response effort. On July 30, Equifax identified several ACIS code vulnerabilities. Equifax noticed additional suspicious traffic from a second IP address owned by a German ISP, but leased to a Chinese provider. These red flags caused Equifax to shut down the ACIS web portal for emergency maintenance. The cyberattack concluded when ACIS was taken offline.

On July 31, Chief Information Officer (CIO) David Webb informed Richard Smith of the cyber incident. Equifax suspected the attackers exploited the Apache Struts vulnerability during the data breach. On August 2, Equifax engaged the cybersecurity firm Mandiant to conduct an extensive forensic investigation. Equifax also contacted outside counsel and the Federal Bureau of Investigation to alert them to the cyber incident. By late August 2017, Mandiant confirmed attackers accessed a significant volume of consumer PII.

Equifax launched an effort to prepare for public notice of the breach. As part of this effort, Equifax created a website for individuals to find out whether they were affected by the data breach and, if so, to register for credit monitoring and identity theft services. Equifax also began efforts to stand up a call center capability staffed by 1,500 temporary employees. On September 4, Equifax and Mandiant completed a list of 143 million consumers affected by the data breach, a number that would later grow to 148 million. When Equifax informed the public of the breach on September 7, the company was unprepared to support the large number of affected consumers. The dedicated breach website and call centers were immediately overwhelmed, and consumers were not able to obtain timely information about whether they were affected and how they could obtain identity protection services.

Equifax should have addressed at least two points of failure to mitigate, or even prevent, this data breach. First, a lack of accountability and no clear lines of authority in Equifax’s IT management structure existed, leading to an execution gap between IT policy development and operation. This also restricted the company’s implementation of other security initiatives in a comprehensive and timely manner. As an example, Equifax had allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains. Second, Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment. Equifax ran a number of its most critical IT applications on custom-built legacy systems. Both the complexity and antiquated nature of Equifax’s IT systems made IT security especially challenging. Equifax recognized the inherent security risks of operating legacy IT systems because Equifax had begun a legacy infrastructure modernization effort. This effort, however, came too late to prevent the breach.

Notes

[1] After the Breach: The Monetization and Illicit Use of Stolen Data: Hearing Before the Subcomm. on Terrorism & Illicit Finance of the H. Comm. on Financial Servs., 115th Cong. (2018) (testimony of Lillian Ablon, RAND Corporation); see also J.P. Morgan, Cybercrime: This Is War 1 (2013), https://www.jpmorgan.com/tss/General/Cybercrime_This_Is_War/1320514323773 (“Due to its potentially high value and its use in facilitating fraud through additional channels, PII has become a valuable commodity in the world of cybercrime.”).
[2] Richard Smith, Chief Exec. Officer, Equifax, Address to the Terry College of Business at the University of Georgia (Aug. 17, 2017), https://www.youtube.com/watch?v=lZzqUnQg-Us.
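The two failures just described, patches not applied inside the 48-hour window and an expired certificate that silently blinded the ACIS traffic monitor for 19 months, are what a routine control-hygiene audit exists to catch. The Python script below is an added example, not code from the report, Equifax or Mandiant: it audits a constructed inventory (hostnames, certificate subjects and dates are hypothetical, apart from the March 9 alert time and the 19-month gap taken from the report) for hosts past the patch deadline and for lapsed certificates, flagging traffic-monitoring devices in particular.

```python
"""Audit two controls the Equifax report faults: the 48-hour patch window
and certificate expiry on devices that inspect network traffic.

Inventory records below are constructed for illustration; hostnames and
certificate subjects are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

PATCH_SLA = timedelta(hours=48)  # window set in the March 9, 2017 GTVM alert


@dataclass(frozen=True)
class Host:
    name: str
    software: str
    alerted_at: datetime            # when the patch alert reached the owner
    patched_at: Optional[datetime]  # None means the patch was never applied


@dataclass(frozen=True)
class Certificate:
    subject: str
    role: str        # "traffic-monitoring", "web", "internal", ...
    not_after: datetime


def overdue_patches(hosts: List[Host], now: datetime) -> List[Tuple[str, int]]:
    """Hosts that missed the patch window, with hours past the deadline.

    A host that was never patched is measured against `now`, so it keeps
    accruing overdue time until someone acts on it.
    """
    overdue = []
    for host in hosts:
        deadline = host.alerted_at + PATCH_SLA
        finished = host.patched_at or now
        if finished > deadline:
            hours = round((finished - deadline).total_seconds() / 3600)
            overdue.append((host.name, hours))
    return overdue


def months_between(earlier: datetime, later: datetime) -> int:
    """Whole calendar months from `earlier` to `later` (day of month ignored)."""
    return (later.year - earlier.year) * 12 + later.month - earlier.month


def expired_certificates(certs: List[Certificate], now: datetime) -> List[Tuple[str, str, int]]:
    """Expired certificates as (subject, role, months expired), longest first."""
    expired = [
        (c.subject, c.role, months_between(c.not_after, now))
        for c in certs
        if c.not_after < now
    ]
    return sorted(expired, key=lambda row: row[2], reverse=True)


def blind_monitoring(certs: List[Certificate], now: datetime) -> List[str]:
    """Traffic-inspection devices whose certificate has lapsed.

    Such a device does not fail loudly; it simply stops decrypting and
    inspecting traffic, which is how exfiltration can go unseen for months.
    """
    return [subject for subject, role, _ in expired_certificates(certs, now)
            if role == "traffic-monitoring"]


UTC = timezone.utc
NOW = datetime(2017, 7, 29, tzinfo=UTC)           # day the certificate was renewed
ALERT = datetime(2017, 3, 9, 9, 31, tzinfo=UTC)   # GTVM alert time from the report

# Constructed inventory (hypothetical names): one host never patched, one
# patched inside the window, one patched three days late.
HOSTS = [
    Host("acis-web-01", "Apache Struts", ALERT, None),
    Host("hr-portal-02", "Apache Struts", ALERT, datetime(2017, 3, 10, 15, 0, tzinfo=UTC)),
    Host("legacy-batch-07", "Apache Struts", ALERT, datetime(2017, 3, 14, 9, 31, tzinfo=UTC)),
]
CERTS = [
    Certificate("acis-inspect.example.internal", "traffic-monitoring", datetime(2015, 12, 15, tzinfo=UTC)),
    Certificate("www.example.com", "web", datetime(2018, 1, 1, tzinfo=UTC)),
    Certificate("monitor-b.example.internal", "traffic-monitoring", datetime(2017, 6, 1, tzinfo=UTC)),
    Certificate("intranet.example.internal", "internal", datetime(2017, 1, 10, tzinfo=UTC)),
]

if __name__ == "__main__":
    for name, hours in overdue_patches(HOSTS, NOW):
        print(f"PATCH OVERDUE  {name:<18} {hours:>5} h past the 48 h window")
    for subject, role, months in expired_certificates(CERTS, NOW):
        print(f"CERT EXPIRED   {subject:<32} {role:<19} {months:>3} months")
    for subject in blind_monitoring(CERTS, NOW):
        print(f"MONITORING BLIND: {subject} is not inspecting traffic")
```

The never-patched host is reported against the audit date rather than dropped, so an unapplied patch keeps showing up in every run until it is closed out.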
Equifax held several officials accountable for the data breach. The CIO and Chief Security Officer (CSO) both took early retirements on September 15, eight days after the public announcement. Equifax’s CEO Richard Smith left the company on September 26. On October 2, Equifax terminated Graeme Payne, Senior Vice President and Chief Information Officer for Global Corporate Platforms, for failing to forward an email regarding the Apache Struts vulnerability. Payne, a highly-rated employee for seven years and a senior manager of nearly 400 people, managed a number of IT systems within Equifax, including ACIS. On October 3, Richard Smith testified before Congress blaming human error and a failure to communicate the need to apply a patch as underlying reasons for the breach.

Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented.

Table of Contents

Executive Summary
Commonly Used Names and Acronyms
Timeline of Key Events
I. The Consumer Reporting Agency Business Model and Use of Personally Identifiable Information
   A. Consumer Reporting Agency Business Model
   B. Equifax – Aggressive Growth and Increasing Risk in Data Intrusive Industry
      1. Equifax Corporate Profile
      2. CEO Richard Smith’s Growth Strategy
      3. “Massive Amounts” of Data Equals Massive Security Risks
      4. Key Equifax Officials Responsible for IT and Security
II. Regulations for Consumer Reporting Agencies
   A. FTC and CFPB Authority over Consumer Reporting Agencies
      1. Federal Trade Commission Act
      2. Dodd-Frank Act
      3. Fair Credit Reporting Act
      4. Gramm-Leach-Bliley Act
   B. Breach Notification and Disclosure Requirements
III. Anatomy of the Equifax Data Breach
   A. Apache Struts Vulnerability Publicized, Equifax Attempts to Patch (Feb. – Mar. 2017)
   B. Attackers Breach Equifax and Remain Undetected for 76 Days (May – July 2017)
   C. Equifax Detects the Data Breach and Initiates Project Sierra (July – Aug. 2017)
IV. Equifax Notifies the Public of the Massive Data Breach
   A. Preparations for September 7, 2017 Public Notice
      1. Equifax Briefs Senior Leaders and Begins Forensic Investigation
      2. Equifax Launches Project Sparta and Prepares Call Centers
   B. September 2017 – Equifax Notifies the Public
      1. September 7, 2017 – Equifax Publicly Announces the Data Breach
      2. Other Stakeholders React to Equifax Announcement
      3. Website and Call Centers Overwhelmed
         a. EquifaxSecurity2017.com Issues
         b. Call Center Frustrations
      4. Three Senior Equifax Officials “Retire”
   C. October 2017 – Forensic Investigation Completed and Senior Equifax Employee Fired
      1. October 2, 2017 – 2.5 Million More Victims Announced
      2. Senior Equifax Employee Terminated for “Failing to Forward an Email”
   D. Early 2018 – Victim Total Rises to 148 Million
   E. Mandiant’s Forensic Analysis Was Challenging
V. Specific Points of Failure: Equifax’s Information Technology and Security Management
   A. Equifax IT Management Structure Lacked Accountability and Coordination
      1. IT Organizational Structure at the Time of the Breach
      2. Operational Effect of the Organizational Structure
      3. Equifax’s Organizational Structure Allowed Ineffective IT Coordination
   B. Equifax Had Serious Gaps between IT Policy Development and Execution
      1. Equifax’s Patch Management Process
         a. Patching Process Failed Following March 9, 2017 Apache Struts Alert
         b. Equifax Was Aware of Issues with the Patching Process
      2. Equifax’s Certificate Management Process
   C. Equifax Ran Business Critical Systems on Legacy IT with Documented Security Risks
      1. Equifax’s Company Expansion Created Highly Complex IT Infrastructure
      2. Composition of the Legacy ACIS Environment
      3. Equifax Did Not Know What Software Was Used Within Its Legacy Environments
      4. Security Concerns Specific to the ACIS Legacy Environment
      5. Modernization Efforts Underway at the Time of the Breach
VI. Equifax Remediation Efforts
   A. Mandiant’s Remedial Recommendations
   B. 2018 Consent Order with State Regulatory Agencies
   C. GAO Findings
   D. Remediation Steps Reported to SEC
   E. Equifax’s Updated Approach to Cybersecurity
   F. Equifax Officials on Remediation
VII. Recommendations

Commonly Used Names and Acronyms

Chief Executive Officer
   Mark Begor, April 2018 - present
   Paulino do Rego Barros Jr., Interim, September 2017 - March 2018
   Richard Smith, December 2005 - September 2017
Chief Information Officer (now known as Chief Technology Officer)
   Bryson Koehler, June 2018 - present
   David Webb, January 2010 - September 2017
   Robert Webb, November 2004 - July 2009
Chief Security Officer (now known as Chief Information Security Officer)
   Jamil Farshchi, February 2018 - present
   Russ Ayres, Deputy, February 2018 - present; Interim, September 2017 - February 2018
   Susan Mauldin, August 2013 - September 2017
   Tony Spinelli, September 2005 - March 2013
Senior Equifax Officials
   John J. Kelley, Chief Legal Officer, January 2013 - present
   Graeme Payne, Senior Vice President and Chief Information Officer for Global Corporate Platforms, March 2011 - October 2017

ACIS     Automated Consumer Interview System
CFPB     Consumer Financial Protection Bureau
CIO      Chief Information Officer
CRA      Consumer Reporting Agency
CSO      Chief Security Officer
FCRA     Fair Credit Reporting Act
FTC      U.S. Federal Trade Commission
GLBA     Gramm-Leach-Bliley Act
GTVM     Global Threat and Vulnerability Management
NIST     National Institute of Standards and Technology
PII      Personally Identifiable Information
SEC      U.S. Securities and Exchange Commission
SSL      Secure Sockets Layer
US-CERT  U.S. Computer Emergency Readiness Team

Timeline of Key Events

March 7, 2017
   - Apache Struts Project Management Committee announces the CVE-2017-5638 vulnerability affecting Apache Struts and releases the patch.[3]
March 8, 2017
   - The United States Computer Emergency Readiness Team (US-CERT) sends Equifax an alert to patch the particular vulnerability in Apache Struts software.[4]
March 9, 2017
   - Equifax’s Global Threat and Vulnerability Management (GTVM) team disseminates the US-CERT notification internally by email, requesting responsible personnel apply the critical patch within 48 hours.[5]
March 10, 2017
   - First evidence of attackers exploiting the Apache Struts vulnerability on servers connected to the Equifax network.[6]
March 15, 2017
   - Equifax’s Security team runs scans to identify any systems containing the Apache Struts vulnerability. The scans did not detect the vulnerability on any externally facing systems.[7]
May 13, 2017
   - Attackers enter the Equifax network through the Apache Struts vulnerability located within the Automated Consumer Interview System (ACIS) application and drop web shells onto the Equifax system.[8]
May 13, 2017 - July 30, 2017
   - Timeframe during which hackers gained unauthorized access to Equifax databases through an Equifax legacy environment.[9] Attackers perform approximately 9,000 queries to sensitive databases within the Equifax system.[10]
July 29, 2017
   - Equifax renews the expired security certificate for the device monitoring ACIS network traffic. The certificate was expired for 19 months.
   - Equifax’s Security team observes suspicious network traffic associated with its ACIS web application. In response, Equifax blocks the suspicious traffic.[11]
July 30, 2017
   - Equifax’s Security team continues to monitor network traffic and observes additional suspicious activity. Equifax takes the ACIS application offline.[12]
   - Graeme Payne, Senior Vice President and Chief Information Officer for Global Corporate Platforms, informs David Webb, Chief Information Officer, of the security incident.[13]

Notes

[3] Apache Software Foundation, Response From The Apache Software Foundation to Questions from US House Committee on Energy and Commerce Regarding Equifax Data Breach, Apache Software Foundation Blog (Oct. 3, 2017), https://blogs.apache.org/foundation/entry/responses-to-questions-from-us.
[4] Email from U.S. Computer Emergency Readiness Team, to GTVM, Equifax (Mar. 8, 2017, 7:31:16 PM) (on file with Committee, EFXCONG-SSTOGR000000060).
[5] Email from GTVM, Equifax, to GTVM Alerts, Equifax (Mar. 9, 2017, 9:31:48 AM) (on file with Committee, EFXCONG-SSTOGR000000508).
[6] Briefing by Mandiant, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018).
[7] Email from Berlene Herren, Vice President Cyber Threat Resistance, Equifax, to Jamie Fike, Workforce Solutions, Equifax (Mar. 15, 2017, 1:56:38 PM) (on file with Committee, EFXCONG-SSTOGR000000510); see also Oversight of the Equifax Data Breach: Answers for Consumers: Hearing Before the Subcomm. on Digital Commerce & Consumer Prot. of the H. Comm. on Energy & Commerce, 115th Cong. (2017) (prepared written statement of Richard Smith, Former Chief Exec. Officer, Equifax).
[8] Briefing by Mandiant, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018).
[9] Mandiant, Mandiant Report 1, 2 (2017) (on file with Committee).
[10] Briefing by Mandiant, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018).
[11] Id. See also Press Release, Equifax, Equifax Releases Details on Cybersecurity Incident, Announces Personnel Changes (Sept. 15, 2017), https://investor.equifax.com/news-and-events/news/2017/09-15-2017-224018832.
[12] Briefing by Mandiant, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018).
July 31, 2017
   - Equifax staff determines personally identifiable information (PII) may have been exfiltrated as a part of the intrusion.[14]
   - David Webb informs Chief Executive Officer Richard Smith of the security incident.[15]
August 2, 2017
   - Equifax engages law firm King and Spalding and hires cybersecurity firm Mandiant to conduct a forensic review of the breach.[16] Equifax also informs the Federal Bureau of Investigation.[17]
August 11, 2017
   - Mandiant determines hackers may have accessed a database table containing large amounts of consumers’ PII.[18]
August 17, 2017
   - Equifax holds a senior leadership team meeting to discuss Mandiant’s preliminary findings from the data breach investigation.[19]
August 24, 2017
   - Mandiant confirms the volume of PII accessed and begins to develop an approach with Equifax database owners to determine the identity of affected consumers.[20]
August 24-25, 2017
   - CEO Richard Smith holds telephonic meetings with the Equifax Board of Directors and informs the full Board of the breach.[21]
September 4, 2017
   - Based on Mandiant’s investigation, Equifax compiles a list of 143 million U.S. consumers whose personal information may have been compromised.[22]
September 7, 2017
   - Equifax notifies the public of the breach. Equifax states the information accessed by attackers included names, Social Security numbers, dates of birth, addresses, driver’s license numbers, credit card numbers, and dispute documents.[23]
September 14, 2017
   - The House Committee on Oversight and Government Reform and the House Committee on Science, Space, and Technology launch an investigation into the Equifax data breach.[24]
September 15, 2017
   - Equifax CIO David Webb and CSO Susan Mauldin announce their retirements.[25]
September 26, 2017
   - Equifax CEO Richard Smith announces his retirement.[26]
October 2, 2017
   - Mandiant completes its forensic investigation, concluding the potential number of victims was 2.5 million more than originally reported.[27]
   - Equifax terminates Graeme Payne for failing to forward the March 9 GTVM email alert regarding the patch for the Apache Struts vulnerability.[28]
October 3, 2017
   - Richard Smith testifies before the Subcommittee on Digital Commerce and Consumer Protection of the House Committee on Energy and Commerce.[29]
March 1, 2018
   - Equifax releases updated information on the 2017 breach, indicating the attackers accessed information including names and partial driver’s license information of an additional 2.4 million U.S. consumers.[30]

Notes

[13] Email from Graeme Payne, Senior Vice President, Equifax, to David Webb, Chief Info. Officer, Equifax (July 30, 2017, 7:16:00 PM) (on file with Committee, EFXCONG-SSTOGR000043861).
[14] Email from Corporate Security Support, Equifax, to Joe Sanders, Senior Director for Security, GTVM, Equifax (July 31, 2017, 12:00:03 AM) (on file with Committee, EFXCONG-SSTOGR000000077 - EFXCONG-SSTOGR000000081).
[15] David Webb Transcribed Interview 32-22, May 30, 2018 (on file with Committee) [hereinafter Webb Transcribed Interview].
[16] Mandiant, Mandiant Report 1 (2017) (on file with Committee). See also Oversight of the Equifax Data Breach: Answers for Consumers: Hearing Before the Subcomm. on Digital Commerce & Consumer Prot. of the H. Comm. on Energy & Commerce, 115th Cong. (2017) (prepared written statement of Richard Smith, Former Chief Exec. Officer, Equifax).
[17] Oversight of the Equifax Data Breach: Answers for Consumers: Hearing Before the Subcomm. on Digital Commerce & Consumer Prot. of the H. Comm. on Energy & Commerce, 115th Cong. (2017) (prepared written statement of Richard Smith, Former Chief Exec. Officer, Equifax).
[18] Id. See also Briefing by Mandiant, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018).
[19] Susan Mauldin Transcribed Interview 118, June 20, 2018 (on file with Committee) [hereinafter Mauldin Transcribed Interview].
[20] Briefing by Mandiant, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018).
[21] Oversight of the Equifax Data Breach: Answers for Consumers: Hearing Before the Subcomm. on Digital Commerce & Consumer Prot. of the H. Comm. on Energy & Commerce, 115th Cong. (2017) (prepared written statement of Richard Smith, Former Chief Exec. Officer, Equifax).
[22] Id.
[23] Press Release, Equifax, Equifax Announces Cybersecurity Incident Involving Consumer Information (Sept. 7, 2017), https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628.
[24] Letter from Rep. Trey Gowdy, Chairman, H. Comm. on Oversight & Gov’t Reform, Rep. Lamar Smith, Chairman, H. Comm. on Science, Space & Tech., to Richard Smith, Chairman & Chief Exec. Officer, Equifax (Sept. 14, 2017) (on file with Committee).
[25] Press Release, Equifax, Equifax Releases Details on Cybersecurity Incident, Announces Personnel Changes (Sept. 15, 2017), https://investor.equifax.com/news-and-events/news/2017/09-15-2017-224018832.
[26] Press Release, Equifax, Equifax Chairman, CEO, Richard Smith Retires; Board of Directors Appoints Current Board Member Mark Feidler Chairman; Paulino do Rego Barros, Jr. Appointed Interim CEO; Company to Initiate CEO Search (Sept. 26, 2017), https://investor.equifax.com/news-and-events/news/2017/09-26-2017-140531280.
[27] Briefing by Mandiant, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018).
[28] Graeme Payne Transcribed Interview 147-148, Aug. 10, 2018 (on file with Committee) [hereinafter Payne Transcribed Interview].
[29] Oversight of the Equifax Data Breach: Answers for Consumers: Hearing Before the Subcomm. on Digital Commerce & Consumer Prot. of the H. Comm. on Energy & Commerce, 115th Cong. (2017).
[30] Equifax Releases Updated Information on 2017 Cybersecurity Incident, Equifax (Mar. 1, 2018), https://www.equifaxsecurity2017.com/2018/03/01/equifax-releases-updated-information-2017-cybersecurity-incident/.

I. The Consumer Reporting Agency Business Model and Use of Personally Identifiable Information

A. Consumer Reporting Agency Business Model

Consumer reporting agencies gather consumer information, analyze it to create credit scores and detailed reports, and then sell the consumer reports to third parties (see Figure 1).[31] The consumer reporting agency (CRA) business model allows CRAs to compile and profit off the sensitive data of American consumers.[32] The three national CRAs are Equifax, Experian, and TransUnion, and there are approximately 400 regional and specialty CRAs which focus on collecting information within a specific industry, such as information related to payday loans, checking accounts, or utilities.[33]

Individual consumers do not voluntarily provide data to CRAs. Rather, CRAs actively gather consumers’ personal information from furnishers.[34] This information may include historical data about credit repayment, tenant payment, employment, insurance claims, arrests, bankruptcies, check writing, and account management.[35] CRAs package, analyze, and sell this information to businesses.[36] An individual does not have the opportunity to “opt out” of this process.

Businesses use consumer data provided by CRAs to identify and manage financial and transactional risks.[37] For example, lenders rely on credit reports and scores when determining whether to grant a loan and the corresponding interest rate. Insurance companies use the information to set policy premiums. Employers may use the information to screen prospective employees for risk of fraud. Utility and telecommunication service providers use the reports to verify the identity of customers and determine down payment requirements for new customers.
Federal agencies use identity verification services provided by one or more of the CRAs when enrolling new applicants for federal benefits and services.[38] The Internal Revenue Service (IRS), for example, awarded Equifax a $7.25 million contract for taxpayer identity verification and validation services after the 2017 data breach had been publicly announced.[39]

[Figure 1: How Equifax Receives Your Personal Information][40]

Each CRA has its own model for evaluating the information in an individual’s credit report and assigning a credit score. A credit score is a numeric metric used to predict a variety of financial behaviors.[41] Credit score models measure the following factors in determining a credit score: (1) payment history; (2) credit utilization; (3) length of credit history; (4) new credit accounts or requests; and (5) credit mix.[42] The CRAs analyze this information and create an individual’s credit score.[43] CRAs tend to collect the same information but may choose to weigh or value certain items differently.

Notes

[31] Fair Credit Reporting Act, Pub. L. No. 91-508, Title VI, § 604, 84 Stat. 1128 (1970) (amending The Consumer Credit Protection Act) (codified as amended at 15 U.S.C. §§ 1681-1681x).
[32] Consumer reporting agencies are also referred to as “credit reporting agencies.”
[33] U.S. Gov’t Accountability Office, GAO-18-559, Data Protection Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach 1, 18 (2018) [hereinafter GAO Equifax Data Breach Report]; see also N. Eric Weiss, Cong. Research Serv., IN10792, The Equifax Data Breach: An Overview and Issues for Congress (2018), http://www.crs.gov/Reports/IN10792?source=search&guid=9873256117c148fbbe29d0ca59633c20&index=3 [hereinafter CRS Equifax Data Breach Overview].
[34] A furnisher is a company who provides consumer information to CRAs. Examples of furnishers include banks, thrifts, credit unions, savings and loan institutions, mortgage lenders, credit card issuers, collection agencies, retail installment lenders, and auto finance lenders. See Duties of Furnishers of Information to Consumer Reporting Agencies, 16 C.F.R. § 660.2 (2009).
[35] Darryl Getter, Cong. Research Serv., R44125, Consumer and Credit Reporting, Scoring, and Related Policy Issues 2 (2018), http://www.crs.gov/reports/pdf/R44125 [hereinafter CRS Consumer and Credit Reporting Issues].
[36] CRS Consumer and Credit Reporting Issues at 2.
[37] Id. at 1.
[38] GAO Equifax Data Breach Report at 13.
[39] Alfred Ng, Why Equifax Won An IRS Contract Despite A Massive Hack, CNET (Oct. 3, 2017), https://www.cnet.com/news/irs-gives-equifax-7-25-million-contract-to-prevent-tax-fraud/. Security concerns eventually led the IRS to cancel the contract. See John McCrank, IRS Puts Equifax Contract on Hold During Security Review, Reuters (Oct. 13, 2017), https://www.reuters.com/article/us-equifax-cyber/irs-puts-equifax-contract-on-hold-during-security-review-idUSKBN1CI2G9.
[40] AnnaMaria Andriotis et al., ‘We’ve Been Breached’: Inside the Equifax Hack, Wall Street Journal (Sept. 18, 2017), https://www.wsj.com/articles/weve-been-breached-inside-the-equifax-hack-1505693318.
[41] CRS Consumer and Credit Reporting Issues at 4.
[42] Id. at 6.
[43] Id. Borrowers may never directly interact with a credit-reporting company. They deal directly with a lender, who in turn uses data from the companies.
As a result, an individual’s credit score may vary between Equifax, Experian, and TransUnion.44 Consumer reporting agencies sell these credit scores, and the corresponding detailed consumer report, to a variety of businesses for specific purposes. For example, when a customer applies for a loan, a CRA can sell the customer’s credit score and detailed report to the potential lender. The potential lender can use the information contained about the customer within the CRA’s report to decide whether to loan the money or not; what interest rate to apply; and if a down payment should be required.45

The nature of the CRA business model gives Equifax a deep and granular view of consumers’ lives. Combining information from numerous data sources allows Equifax to likely know a person’s immigration status, income, wealth, assets, bank balances, current and past addresses, employer, rental history, utility bills, and spending habits.46 Due to the intrusive amount of data held by CRAs, these companies have an obligation to have best-in-class data protection and cybersecurity practices and tools in place. Equifax, however, did not have these best-in-class protections in place.

B. Equifax – Aggressive Growth and Increasing Risk in Data Intrusive Industry

At the beginning of his tenure as Equifax CEO, Richard Smith embarked on an ambitious growth strategy. When the 2017 data breach occurred, Equifax had credit information on 820 million consumers and 91 million businesses. This massive amount of sensitive information made Equifax a prime target for hackers, and Equifax was unprepared for these security risks.

1. Equifax Corporate Profile

Equifax was founded in 1899 in Atlanta, Georgia, and became a public company in 1965.47 The company has 10,300 employees worldwide and operates in 24 countries within North America, Central and South America, Europe, and the Asia Pacific region.48 Equifax maintains credit information on 820 million consumers and more than 91 million businesses.49 It is a member of Standard & Poor’s (S&P) 500® Index, and its common stock is traded on the New York Stock Exchange under the symbol EFX.50 On October 26, 2018, Equifax had a market value of $11.72 billion dollars.51 For comparison, Equifax’s market value was $17.02 billion the day before Equifax publicly announced the 2017 data breach (see Figure 2).52 Equifax reported $3.362 billion revenue in 2017.53 Even with the public criticism following the data breach announcement on September 7, 2017, the company’s reported 2017 revenue increased 7 percent from 2016.54

Figure 2: Equifax’s Share Price (August 2017 - September 2018)55

Prior to the company’s third quarter earnings report, Equifax’s stock had nearly returned to its pre-breach announcement price – reaching $138.06 in mid-September 2018.56 Equifax issued its third quarter earnings report on October 24, 2018.57 The report shows Equifax missed both its quarterly earnings and revenue estimates, with costs relating to the data breach continuing to increase. Equifax’s stock price fell more than 17 percent and closed out the week at $97.19.58

2. CEO Richard Smith’s Growth Strategy

Richard Smith was hired as Equifax’s CEO in December 2005 and quickly embarked on an ambitious growth strategy. In 2007, Equifax purchased TALX Corporation, an American human resources and payroll services company with 142 million employment records, for $1.4 billion.59 In 2014, Equifax acquired TDX Group, a United Kingdom-based debt management firm, for $327 million.60 In 2016, the company purchased Australia’s leading credit firm Veda Group for $1.9 billion.61 In total, Equifax has acquired eighteen companies.62 The acquisitions made Equifax one of the largest private credit-tracking firms in the world.63 During his tenure as CEO, Smith’s growth-by-acquisition strategy resulted in Equifax’s market value more than quadrupling from approximately $38 per share in December 2005 to $138 per share in early September 2017.64

In an August 17, 2017 speech at the University of Georgia, Smith explained Equifax’s business strategy. He stated:

What do we do? We manage massive amounts of very unique data. In fact, we have data on approaching one billion people. We have data on approaching 100 million companies around the world. The data assets are so large, so unique it is . . . credit data, it is financial data – we have something like $20 trillion of wealth data on individuals, so how many annuities, mutual funds, equities you own. About $20 trillion on property data, so property that you might own – what the value was when you bought it, what it’s worth today. Utility data, marketing data, I could go on and on and on – but massive amounts of data. In fact . . . if you think about the largest library in the world . . . the Library of Congress . . . we manage almost 1,200 times that amount of data every day.65

3. “Massive Amounts” of Data Equals Massive Security Risks

Having so much personal information in one place made Equifax a prime target for hackers. Consumer reporting agencies have been the target of multiple cyber attacks in recent years. For example, two large data theft incidents occurred at Experian, one of the three major CRAs. In 2013, a man running an identity theft ring tricked an Experian subsidiary – purchased in 2012 – into giving him direct access to personal and financial data on more than 200 million consumers.66 The man continued siphoning consumer data for close to ten months after the acquisition without Experian’s knowledge.67 In 2015, Experian disclosed a breach of its computer systems where intruders stole approximately 15 million Social Security numbers and other data on people who applied for financing from wireless provider T-Mobile.68 Experian said the compromise of an internal server exposed names, dates of birth, addresses, Social Security numbers and/or driver’s license numbers.69

Equifax was unprepared for these risks. An August 2016 report by the financial index provider MSCI Inc. assigned Equifax’s data security efforts a rating of zero out of ten.70 The provider’s April 2017 rating remained unchanged. Both reports concluded:

Equifax’s data security and privacy measures have proved insufficient in mitigating data breach events. The company’s credit reporting business faces a high risk of data theft and associated reputational consequences . . . . The company’s data and privacy policies are limited in scope and Equifax shows no evidence of data breach plans or regular audits of its information security policies and systems.71

4. Key Equifax Officials Responsible for IT and Security

The two individuals leading Equifax’s IT and cybersecurity operations at the time of the breach were CIO David Webb and CSO Susan Mauldin. Graeme Payne, Senior Vice President and CIO for Global Corporate Platforms at the time of the breach, also played an important role. The Committee conducted transcribed interviews with these three individuals during the year-long investigation into Equifax’s 2017 data breach.

David Webb first started working in the technology field in 1977.72 In 2010, Equifax hired Webb for the role of CIO, where he was responsible for the company’s global IT infrastructure.73 Susan Mauldin began her work in the technology field as a software engineer for Hewlett Packard in 1983.74 After holding IT and security positions at other companies, Mauldin was hired as Equifax’s CSO in August 2013, where she was responsible for cybersecurity and business resiliency.75 Graeme Payne held a variety of IT and technology roles at private sector firms before joining Equifax in 2011 as the Vice President of IT Risk and Compliance.76 In July 2014, Equifax promoted Payne to the position of Senior Vice President and CIO for Global Corporate Platforms, where he reported directly to David Webb.77 In this role Payne was “responsible for supporting all the business systems the company used to run the business, financial, HR, legal, marketing, sales, anything that was sort of nonrevenue producing across the company.”78 An internal restructuring within the Equifax IT organization occurred in April 2016 and Payne assumed responsibility for access management, IT-audit coordination, and IT-Security coordination.79

II. Regulations for Consumer Reporting Agencies

Consumer reporting agencies are subject to a variety of federal laws designed to protect consumer information. Similar to other private sector entities, CRAs must notify consumers when information is compromised by a security incident. There is no comprehensive federal law mandating an organization’s responsibility to notify affected individuals in the event of a data breach.80 Instead, an entity like Equifax must comply with unique breach notification laws in fifty different states. The following discussion highlights existing regulatory and enforcement tools, including breach disclosure and notification requirements, applicable to CRAs like Equifax.

A. FTC and CFPB Authority over Consumer Reporting Agencies

The Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) both have enforcement authority over CRAs.81 The Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLBA) are the two principal federal laws regulating CRAs.

44 CRS Consumer and Credit Reporting Issues at 6. See also How Do Credit Reporting Agencies Get Their Information, EQUIFAX (July 2, 2014), https://blog.equifax.com/credit/how-do-credit-reporting-agencies-get-their-information/.
45 CRS Consumer and Credit Reporting Issues at 5-6.
46 Russel Grantham, Equifax’s Rapid Growth Probably Added To Its Hacking Risk, Experts Say, THE ATLANTA JOURNAL CONSTITUTION (Sept. 21, 2017), https://www.myajc.com/business/equifax-rapid-growth-probably-added-its-hacking-risk-experts-say/lq8jU65GAOy45UgC4RodfK/.
47 Equifax, 2017 Annual Report (Form 10-K) (Mar. 1, 2018), https://investor.equifax.com/~/media/Files/E/Equifax-IR/Annual%20Reports/2017-annual-report.pdf.
48 Id.
49 Press Release, Equifax, Equifax Releases Details on Cybersecurity Incident, Announces Personnel Changes (Sept. 15, 2017), https://investor.equifax.com/news-and-events/news/2017/09-15-2017-224018832.
50 Company Profile, EQUIFAX, https://www.equifax.com/about-equifax/company-profile/ (last visited Oct. 19, 2018).
51 Equifax Inc. Market Cap, YCHARTS, https://ycharts.com/companies/EFX/market_cap (last visited Oct. 27, 2018).
52 Id.
53 Press Release, Equifax, Equifax Releases Fourth Quarter Results (Mar. 1, 2018), https://investor.equifax.com/news-and-events/news/2018/03-01-2018-213648628.
54 Id.
55 Ivan Levingston & Jennifer Surane, Equifax Breach a Year Later: Record Profits, Share Revival, BLOOMBERG (Sept. 7, 2018), https://www.bloomberg.com/news/articles/2018-09-07/equifax-breach-a-year-later-record-profits-share-price-revival.
56 Id.
57 Press Release, Equifax, Equifax Releases Third Quarter 2018 Results (Oct. 24, 2018), https://investor.equifax.com/news-and-events/news/2018/10-24-2018-212657646.
58 Equifax Inc. (EFX) Quote, YCHARTS, https://ycharts.com/companies/EFX (last visited Oct. 27, 2018).
59 Press Release, TALX, Equifax Announces Agreement to Acquire TALX Corporation in a Transaction Valued at $1.4 Billion (Feb. 14, 2007), http://investor.talx.com/phoenix.zhtml?c=74399&p=irol-newsArticle&ID=963591.
60 Equifax Acquires TDX Group, YAHOO FINANCE (Jan. 20, 2014), https://finance.yahoo.com/news/equifax-acquires-tdx-group-165004763.html.
61 Veda Group held the credit information of approximately 20 million people and 5.7 million organizations in Australia and New Zealand. Zacks Equity Research, Equifax Signs Binding Agreement to Buy Veda Group, NASDAQ (Nov. 24, 2015), https://www.nasdaq.com/article/equifax-efx-signs-binding-agreement-to-buy-veda-group-cm546765; see also Equifax Completes Acquisition of Australia’s Leading Credit Information Company, Veda Group Limited, for Total Consideration of USD $1.9 Billion, PR NEWSWIRE (Feb. 25, 2016), https://www.prnewswire.com/news-releases/equifax-completes-acquisition-of-australias-leading-credit-information-company-veda-group-limited-for-total-consideration-of-usd19-billion-300226572.html.
62 Equifax Acquisitions, CRUNCHBASE, https://www.crunchbase.com/search/acquisitions/field/organizations/num_acquisitions/equifax?timeline=true&timelineType=all (last visited Oct. 19, 2018).
63 Press Release, Equifax, Equifax Releases Fourth Quarter Results (Mar. 1, 2018), https://investor.equifax.com/news-and-events/news/2018/03-01-2018-213648628; see also Oversight of the Equifax Data Breach: Answers for Consumers: Hearing Before the Subcomm. on Digital Commerce & Consumer Prot. of the H. Comm. on Energy & Commerce, 115th Cong. (2017) (prepared written statement of Richard Smith, Former Chief Exec. Officer, Equifax).
64 Equifax Inc. Market Cap, YCHARTS, https://ycharts.com/companies/EFX/market_cap (last visited Oct. 27, 2018). See also AnnaMaria Andriotis & Michael Rapoport, Equifax Hack Upends CEO’s Drive to Be a Data Powerhouse, THE WALL STREET JOURNAL (Sept. 22, 2017), https://www.wsj.com/articles/equifax-hack-upends-ceos-drive-to-be-data-powerhouse-1506085201.
65 Richard Smith, Chief Exec. Officer, Equifax, Address to the Terry College of Business at the University of Georgia (Aug. 17, 2017), https://www.youtube.com/watch?v=lZzqUnQg-Us.
66 Brian Krebs, Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records, KREBS ON SECURITY (Mar. 10, 2014), https://krebsonsecurity.com/2014/03/experian-lapse-allowed-id-theft-service-to-access-200-million-consumer-records/.
67 Id.
68 Brian Krebs, Experian Breach Affects 15 Million Customers, KREBS ON SECURITY (Oct. 15, 2015), https://krebsonsecurity.com/2015/10/experian-breach-affects-15-million-consumers/.
69 Id.
70 See Equifax Cyber Security Scandal, MSCI, https://www.msci.com/equifax (“In August 2016, MSCI ESG Ratings identified, and called attention to Equifax Inc.’s poor data security and privacy measures, which led to its downgrade to ‘CCC’ – our lowest possible rating.”) (last visited Oct. 29, 2018).
71 MSCI, EQUIFAX INC. (last rating date Apr. 7, 2017), https://www.msci.com/documents/1296102/6174917/EQUIFAX+INC+ESG+Ratings+Report+Tearsheet.pdf/43d4f94f-f831-45fb-90c1-07c94021af62.
72 Webb Transcribed Interview at 8.
73 Id. at 9, 42.
74 Mauldin Transcribed Interview at 9.
75 Id. at 9, 13-14.
76 Payne Transcribed Interview at 9-10.
77 Id. at 10.
78 Id.
79 Id. at 43-44.
The FTC generally has the authority, with certain exceptions, to investigate and bring enforcement actions against any organization for violations of laws governing consumer information.82 In 2010, the Dodd-Frank Act gave CFPB enforcement authority over CRAs for violations of most of the provisions contained in the FCRA, certain provisions of the GLBA, and for unfair, deceptive, or abusive acts or practices under the Dodd-Frank Act.83

1. Federal Trade Commission Act

The FTC pursues data security violations using its authority under Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive . . . practices in or affecting commerce.”84 Since 2002, the FTC has brought over 60 cases against companies for engaging in unfair or deceptive practices by failing to adequately protect consumers’ personal data.85 The FTC’s principal tool is to bring an enforcement action against a company for unlawful behavior, and require the company to take affirmative steps to remediate this behavior. Affirmative steps may include the implementation of a comprehensive data security program or monetary redress to consumers.86

The FTC can seek civil monetary penalties for the violation of an FTC order, the FCRA, and other privacy statutes.87 The Commission may initiate civil actions in federal district court for violations of the Federal Trade Commission Act.88 Federal courts have upheld FTC authority to regulate data security practices after a violation of Section 5 of the Federal Trade Commission Act has occurred.89 The FTC does not, however, have specific authority to examine a CRA’s data security practices for ongoing compliance with the Federal Trade Commission Act.90

2. Dodd-Frank Act

The 2010 Dodd-Frank Act established the Consumer Financial Protection Bureau (CFPB).91 The Dodd-Frank Act gave CFPB the responsibility to implement and enforce federal consumer financial law.92 The CFPB’s authorities fall into three broad categories: (1) supervisory, which includes the power to examine and impose reporting requirements on financial institutions; (2) enforcement of various consumer protection laws and regulations, including certain provisions in FCRA and GLBA; and (3) rulemaking.93 Within its rulemaking authority, the CFPB acquired the power to issue rules declaring certain acts or practices to be unlawful because they are unfair, deceptive, or abusive.94

The Dodd-Frank Act gave the CFPB supervisory authority over non-bank entities including “larger participants of markets for other consumer financial products or services,” such as CRAs with over $7 million in annual receipts from consumer reporting activities.95 The CFPB supervisory authority includes requiring reports and conducting examinations for purposes of: (1) assessing compliance with the requirements of federal consumer financial law; (2) obtaining information about activities and compliance systems or procedures; and (3) detecting and assessing risks to consumers and to markets for consumer financial products and services.96 The CFPB monitors some of the larger CRAs on an ongoing basis. This oversight tends to focus on compliance with FCRA requirements on the accuracy of consumer information, rather than data security.97

The Dodd-Frank Act granted the CFPB enforcement authority to bring actions against financial institutions for unfair, deceptive, or abusive acts or practices.98 In March 2016, the CFPB announced its first data security enforcement action against a company for making allegedly deceptive statements regarding its data security practices.99 The CFPB has taken past enforcement actions against CRAs for deceptive practices, but none of these enforcement actions were related to data security.100

3. Fair Credit Reporting Act

Congress enacted the Fair Credit Reporting Act (FCRA) in 1970 to promote the accuracy and privacy of information in consumer files kept by CRAs.101 FCRA imposes certain responsibilities upon entities, including CRAs, who compile sensitive consumer information in credit reports.102 For example, FCRA requires CRAs to “adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information.”103

Two federal agencies are charged with enforcing FCRA requirements. First, FCRA grants FTC the authority to enforce compliance with FCRA requirements.104 The FTC has brought over 100 actions against companies for violating FCRA, and collected over $30 million in civil penalties.105 Second, the Dodd-Frank Act grants the CFPB the authority to enforce FCRA.106 The FTC and the CFPB coordinate their enforcement efforts with a Memorandum of Understanding between the agencies.107 The Memorandum requires one agency to notify the other prior to opening an investigation or commencing a legal proceeding for a violation of FCRA.108

Under FCRA, CRAs must maintain procedures through which consumers can dispute and correct inaccurate or incomplete information in their consumer reports.109 To comply with this requirement, Equifax provides three avenues for a consumer to dispute information contained on an Equifax credit report: (1) telephonic dispute; (2) written and mailed dispute; and (3) online disputes received through an internet portal on Equifax’s website.110 Equifax built the Automated Credit Investigation System (ACIS) in the 1970s to handle consumer disputes.111 When Equifax receives a dispute, it locates the consumer’s credit file and opens an ACIS case to track the investigation process. Consumers may submit copies of documents relevant to their credit dispute via the ACIS web portal.

4. Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA) requires the FTC to establish standards and protections to ensure the security and confidentiality of customer information.112 Specifically, Section 501(b) of GLBA requires the FTC to “establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards — (1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access or use of such records or information which could result in substantial harm or inconvenience to any customer.”113

As part of its implementation of GLBA, the FTC issued the “Safeguards Rule” in 2003.114 This rule requires CRAs to develop, implement, and maintain a comprehensive information security program to keep customer information secure and confidential.115 The plan must be appropriate to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles.116 Under this rule, each CRA must:

1. Designate one or more employees to coordinate its information security program;
2. Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
3. Design and implement a safeguards program, and regularly monitor and test it;
4. Select service providers that can maintain appropriate safeguards, ensure contracts require them to maintain safeguards, and oversee their handling of customer information; and
5. Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.117

A year after the FTC enacted the Safeguards Rule, it conducted a nationwide compliance sweep to ensure companies were observing these requirements.118 The FTC took enforcement action against companies not in compliance with the Safeguards Rule for failing to protect customers’ personal information.119 The CFPB does not have authority over the Safeguards Rule.

Under GLBA, financial institutions must comply with the “Privacy Rule.”120 The Privacy Rule requires regulated companies to provide notices to consumers explaining their privacy policies and practices. The CFPB is responsible for implementing and enforcing the Privacy Rule.

***

In September 2017, both the FTC and CFPB publicly confirmed investigations into the Equifax data breach.121 On October 25, 2018, Equifax provided an update on the ongoing FTC and CFPB investigations to the U.S. Securities and Exchange Commission (SEC). Equifax stated:

On June 13, 2018, the CFPB and FTC provided us with notice that the staffs of the CFPB and FTC are considering recommending that their respective agencies take legal action against us, and that the agencies may seek injunctive relief against us, as well as damages and civil money penalties. We submitted written responses to the CFPB and FTC addressing their expected allegations and we continue to cooperate with the agencies in their investigations.122

B. Breach Notification and Disclosure Requirements

After a data breach occurs, private sector entities must comply with a myriad of regulations and laws regarding disclosure and notification requirements. For instance, Equifax officials reported they informed the FTC, SEC, state officials, and the Financial Services Information Sharing and Analysis Center (FS-ISAC) of the 2017 data breach.123

While there is no comprehensive federal data breach notification law, all fifty states have enacted legislation requiring private entities to notify individuals about a security breach affecting their personal information.124 State data breach notification laws generally include several components:

1. Which entities must comply with the law;
2. What personal information is protected, and how a breach is defined;
3. What degree of actual harm must occur, if any, for notice to be triggered;
4. How and when notice must be delivered;
5. If there are any exceptions or safe harbors;
6. Preemption of other state laws, and relation to other federal laws; and
7. Penalties, enforcement authorities, and remedies for those harmed.125

One example of inconsistency between state breach notification laws is the notice requirement. Some states may require notice to be made “without reasonable delay,” while others require private entities to provide notice within 45 days after discovery of the breach.126 Another aspect where state laws differ is the definition of personal information.127 This means, based on the type of information stolen, a private entity may have to notify consumers in one state, but not consumers in another state even though the same type of consumer information was stolen.

In addition to providing state officials notice of a breach, a private entity may be required to disclose cybersecurity risks and cyber incidents to investors. In October 2011, the SEC released non-binding guidance detailing the obligations public companies have related to disclosing cybersecurity risks and cyber incidents.128 According to the guidance, if cybersecurity risks or incidents are “sufficiently material to investors,” a private company may be required to disclose the information in registration statements, financial statements, and 8-K forms.129 Equifax did not disclose any cybersecurity risks or cybersecurity incidents in its SEC filings prior to the 2017 data breach.130 Following the 2017 breach, Equifax included information related to the breach in subsequent 2017 and 2018 filings.131

III. Anatomy of the Equifax Data Breach

A culture of cybersecurity complacency at Equifax led to the successful exfiltration of the personal information of approximately 148 million individuals. Equifax’s failure to patch a known critical vulnerability left its systems at risk for 145 days.132 The company’s failure to implement basic security protocols, including file integrity monitoring and network segmentation, allowed the attackers to access and remove large amounts of data. The attackers were able to exfiltrate this data because the digital certificate allowing Equifax to monitor encrypted network traffic flowing through the ACIS environment expired 19 months prior to the discovery of the breach.

80 GAO Equifax Data Breach Report at 18, note 30.
81 Consumer Financial Protection Bureau (CFPB) is also known as the Bureau of Consumer Financial Protection (BCFP). Acting Director Mick Mulvaney began referring to the agency as BCFP in April 2018, consistent with the Dodd-Frank Act. This report uses the acronym CFPB because it is better known by the public.
82 15 U.S.C. § 45(a)(2) (2012). Certain entities, such as banks, credit unions, common carriers, and non-profit organizations, are excluded from FTC’s authority under the Federal Trade Commission Act.
83 CONSUMER FIN. PROT. BUREAU, CFPB SUPERVISION AND EXAMINATION PROCESS 3 (2018), https://www.consumerfinance.gov/f/documents/cfpb_supervision-and-examination-manual.pdf.
84 15 U.S.C. § 45(a) (2012).
85 FED. TRADE COMM’N, PRIVACY AND DATA SECURITY UPDATE: JANUARY 2017 – DECEMBER 2017 4 (2018), https://www.ftc.gov/system/files/documents/reports/privacy-data-security-update-2017-overview-commissions-enforcement-policy-initiatives-consumer/privacy_and_data_security_update_2017.pdf.
86 Id. at 1.
87 Id.
88 15 U.S.C. § 57(b); 15 U.S.C. § 45(b).
89 See, e.g., FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602 (D.N.J. 2014), aff’d, 799 F.3d 236 (3d Cir. 2015).
90 Id.
91 Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, Title X, 124 Stat. 1376 (2010).
92 Dodd-Frank Act § 1002(14).
93 CONSUMER FIN. PROT. BUREAU, CFPB SUPERVISION AND EXAMINATION PROCESS at 3.
94 Dodd-Frank Act § 1031(a), § 1036.
95 Defining Larger Participants of Consumer Reporting Market, 77 Fed. Reg. 42873 (July 20, 2012).
96 12 U.S.C. § 5514(b)(1) (2012).
97 CONSUMER FIN. PROT. BUREAU, CFPB SUPERVISION AND EXAMINATION PROCESS at 774.
98 Id. at 3; Dodd-Frank Act § 1031(a), § 1036.
99 Press Release, Consumer Fin. Prot. Bureau, CFPB Takes Action Against Dwolla for Misrepresenting Data Security Practices (Mar. 2, 2016), https://www.consumerfinance.gov/about-us/newsroom/cfpb-takes-action-against-dwolla-for-misrepresenting-data-security-practices/.
100 See, e.g., Experian Holdings, Inc., 2017-CFPB-0012 (Mar. 23, 2017) (enforcement action for deceiving consumers about the use of credit scores sold to consumers); Equifax Inc., 2017-CFPB-0001 (Jan. 3, 2017) & TransUnion Interactive, Inc., 2017-CFPB-0002 (Jan. 3, 2017) (enforcement actions for deceiving consumers about the usefulness and actual cost of credit scores sold to consumers, and for luring consumers into costly recurring payments for credit products).
101 See 15 U.S.C. § 1681(a) (2012).
102 Id.
103 15 U.S.C. § 1681(b) (2012).
104 15 U.S.C. § 1681s(a) (2012).
105 FED. TRADE COMM’N, PRIVACY AND DATA SECURITY UPDATE: JANUARY 2017 – DECEMBER 2017 at 5.
106 Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, 124 Stat. 1376 (2010).
107 MEMORANDUM OF UNDERSTANDING BETWEEN THE CONSUMER FINANCIAL PROTECTION BUREAU AND THE FEDERAL TRADE COMMISSION 3-7 (2012), https://www.ftc.gov/system/files/120123ftc-cfpb-mou.pdf; Press Release, Fed. Trade Comm’n, FTC, CFPB Reauthorize Memorandum of Understanding (Mar. 12, 2015), https://www.ftc.gov/news-events/press-releases/2015/03/ftc-cfpb-reauthorize-memorandum-understanding.
108 MEMORANDUM OF UNDERSTANDING BETWEEN THE CONSUMER FINANCIAL PROTECTION BUREAU AND THE FEDERAL TRADE COMMISSION at 3-7.
109 15 U.S.C. § 1681i(a)-(d)(1) (2012).
110 See Stewart v. Equifax Info. Serv., No. 16-2781, at 5 (D. Kan. Mar. 2, 2018) (order granting summary judgment).
111 Payne Transcribed Interview at 19-20.
112 Gramm-Leach-Bliley Act, Pub. L. No. 106-102, Title V, § 501(b), 113 Stat. 1338, 1436 (1999) (codified as amended at 15 U.S.C. § 6801(b)).
113 Id.
114 16 C.F.R. §§ 314.1-5 (2002).
115 16 C.F.R. § 314.3 (2002).
116 The Fair Credit Reporting Act, Credit Bureaus, and Data Security: Hearing Before the S. Comm. on Banking, Housing, & Urban Affairs, 115th Cong. (2018) (prepared written statement of the Federal Trade Commission).
117 FED. TRADE COMM’N, FINANCIAL INSTITUTIONS AND CUSTOMER INFORMATION: COMPLYING WITH THE SAFEGUARDS RULE (2006), https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying.
118 Press Release, Fed. Trade Comm’n, FTC Enforces Gramm-Leach-Bliley Act’s Safeguards Rule Against Mortgage Companies (Nov. 16, 2004), https://www.ftc.gov/news-events/press-releases/2004/11/ftc-enforces-gramm-leach-bliley-acts-safeguards-rule-against.
119 Id.
120 12 C.F.R. §§ 1016.1-17 (2011).
121 David McLaughlin and Todd Shields, FTC Opens Investigation into Equifax Breach, BLOOMBERG (Sept. 14, 2017), https://www.bloomberg.com/news/articles/2017-09-14/equifax-scrutiny-widens-as-ftc-opens-investigation-into-breach; Roger Yu & Kevin McCoy, Equifax Data Breach: Feds Start Investigation (Sept. 14, 2017), https://www.usatoday.com/story/money/2017/09/14/ftc-investigating-equifax-over-data-breach/665550001/.
122 Equifax, Quarterly Report for the Period Ended September 30, 2018 (Form 10-Q) (Oct. 25, 2018), https://otp.tools.investis.com/clients/us/equifax/SEC/sec-show.aspx?Type=html&FilingId=13023015&CIK=0000033185&Index=10000.
123 GAO Equifax Data Breach Report at 25-26.
124 National Conference of State Legislatures, Security Breach Notification Laws (Sept. 29, 2018), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
125 N. ERIC WEISS & RENA S. MILLER, CONG. RESEARCH SERV., R43496, THE TARGET AND OTHER FINANCIAL DATA BREACHES: FREQUENTLY ASKED QUESTIONS 23 (2015), http://www.crs.gov/reports/pdf/R43496.
126 Id.
127 Id.
128 SEC. & EXCHANGE COMM’N, CF DISCLOSURE GUIDANCE: TOPIC NO. 2 (CYBERSECURITY) (Oct. 13, 2011), https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
129 Id.
130 See generally SEC Filings, EQUIFAX, https://investor.equifax.com/financial-information/sec-filings (last visited Oct. 27, 2018).
131 Equifax, Current Report (Form 8-K) (Sept. 7, 2017) (explaining the cybersecurity incident), https://otp.tools.investis.com/clients/us/equifax/SEC/sec-show.aspx?Type=html&FilingId=12271940&CIK=0000033185&Index=10000.
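The expired inspection certificate described above is the kind of failure a routine inventory check catches long before a device goes blind. The following is an added example and not code from the report, from Equifax, or from Mandiant: it classifies a constructed certificate inventory (device names, subjects and dates are invented) against a reference date, using the "notAfter" string format that Python's ssl.SSLSocket.getpeercert() returns, so the same function can be pointed at certificates pulled from live inspection devices. The 30-day warning threshold is an assumed operational choice.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory, not real Equifax data. 'notAfter' uses the exact
# string format that ssl.SSLSocket.getpeercert() returns, so the same check
# works on certificates read from live devices.
INVENTORY = [
    {"device": "acis-ssl-inspect-01", "subject": "CN=acis.example.internal",
     "notAfter": "Jan 31 23:59:59 2016 GMT"},
    {"device": "edge-proxy-02", "subject": "CN=proxy.example.internal",
     "notAfter": "Aug 15 12:00:00 2017 GMT"},
    {"device": "siem-collector", "subject": "CN=siem.example.internal",
     "notAfter": "Dec 31 00:00:00 2019 GMT"},
]

WARN_DAYS = 30  # assumed policy: alert this many days before expiry

# Reference date chosen to sit inside the exposure window the report describes.
REF = datetime(2017, 7, 29, tzinfo=timezone.utc)


def parse_not_after(value):
    """Convert a getpeercert()-style 'notAfter' string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def classify(cert, now, warn_days=WARN_DAYS):
    """Return (status, days_left) for one certificate record.

    days_left is negative for a certificate that has already expired.
    """
    expires = parse_not_after(cert["notAfter"])
    days_left = (expires - now).total_seconds() / 86400
    if days_left < 0:
        return "EXPIRED", days_left
    if days_left <= warn_days:
        return "EXPIRING", days_left
    return "OK", days_left


def audit(inventory, now):
    """Classify every record; returns a list of (device, status, days_left)."""
    return [(c["device"],) + classify(c, now) for c in inventory]


def findings(inventory, now):
    """Only the records an operator must act on, worst first."""
    order = {"EXPIRED": 0, "EXPIRING": 1}
    return sorted((r for r in audit(inventory, now) if r[1] in order),
                  key=lambda r: (order[r[1]], r[2]))


if __name__ == "__main__":
    for device, status, days in audit(INVENTORY, REF):
        print(f"{device:22s} {status:9s} {days:9.1f} days")
```

An inspection device whose certificate is in the EXPIRED bucket is silently passing encrypted traffic it can no longer decrypt, which is exactly the blind spot the report describes, so that status should page someone rather than sit in a report.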
This chapter details events leading to the 2017 data breach.

A. Apache Struts Vulnerability Publicized, Equifax Attempts to Patch (Feb. – Mar. 2017)

Apache Struts is an open-source web application framework. Specifically, Apache Struts is middleware – software that runs between an operating system and an application, and allows the application to successfully run on the operating system.[133]

February 14, 2017 – The Apache Software Foundation received the first report of a vulnerability found in multiple versions of Apache Struts.[134] A security researcher discovered the vulnerability and reported the bug to Apache through its security mailing list.[135]

March 7, 2017 – The Apache Struts Project Management Committee (PMC) publicly disclosed the Apache Struts vulnerability.[136] The vulnerability related to how Apache Struts processed data sent to a server.[137] Attackers could use file uploads to trigger a remote code execution bug, which allowed the attacker to send malicious code or commands to a server. The National Vulnerability Database’s impact analysis indicated the complexity of an attack exploiting this vulnerability was low, and the potential for total loss of confidentiality, integrity, and availability of resources in a compromised system was high (see Figure 3).[138] The National Vulnerability Database is a government repository for IT vulnerability management data.[139]

[132] Mandiant, Mandiant Report 1, 2 (2017) (on file with Committee). Equifax’s systems were vulnerable to attackers exploiting the Apache Struts vulnerability from March 8, 2017 (the date US-CERT alerted Equifax to the vulnerability) until July 30, 2017 (the date Equifax took the vulnerable ACIS application offline).
[133] Middleware, Techopedia, https://www.techopedia.com/definition/450/middleware (last visited Oct. 16, 2018).
[134] Response from The Apache Software Foundation to Questions from U.S. House Committee on Energy and Commerce Regarding Equifax Data Breach, Apache Software Foundation (Oct. 3, 2017), https://blogs.apache.org/foundation/entry/responses-to-questions-from-us.
[135] Id.
[136] Id. The vulnerability was assigned the identifier CVE-2017-5638.
[137] National Vulnerability Database, CVE-2017-5638 Detail, NIST.gov (Mar. 10, 2017), https://nvd.nist.gov/vuln/detail/CVE-2017-5638#vulnCurrentDescriptionTitle.
[138] Id.
[139] National Vulnerability Database, https://nvd.nist.gov/ (last visited Nov. 15, 2018).

CVE-2017-5638 Impact Analysis
Base Score: 10.0 CRITICAL
Exploitability Score: 3.9
Impact Score: 6.0
Base Score = (Exploitability Score + Impact Score) multiplied by 1.08 for the Scope Change (rounding to 10.0 if total exceeds 10)

Exploitability score metrics
Attack Vector: Network. A “remotely exploitable” vulnerability via network attack is the easiest to exploit. Network attack vector is the most serious rating.
Attack Complexity: Low. Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component. Low attack complexity is the most serious rating because it is the easiest to conduct.
Privileges Required: None. Authorized access is not required to carry out an attack. No privileges required is the most serious rating.
User Interaction: None. The vulnerable system can be exploited without interaction from any user. No user interaction required is the most serious rating.
Scope: Changed. When attackers can use the vulnerability in a software component to affect software/hardware/network resources beyond its authorization privileges, a Scope change has occurred. Changed scope is the most serious rating.

Impact score metrics (high is the most serious rating)
Confidentiality: High. There is a total loss of data confidentiality, resulting in all resources within the impacted component being divulged to the attacker.
Integrity: High. There is a total loss of data integrity or a complete loss of protection.
Availability: High. There is a total loss of operational availability, resulting in the attacker being able to fully deny access to resources in the impacted component.

Additional Information: Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.

Figure 3: National Vulnerability Database CVE-2017-5638 Impact Analysis[140]

Once the Apache Struts vulnerability was widely reported, security researchers observed a high number of exploitation attempts almost immediately.[141] One firm observed hackers attempting simple commands (i.e., whoami) as well as more sophisticated commands.[142] On March 7, information about how to expose the Apache Struts flaw was posted to the Chinese security website FreeBuf.com and Metasploit, a popular free suite of hacking tools.[143] The Apache Struts PMC released a patch for this vulnerability on the same day.[144]

March 8, 2017 – The Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) sent Equifax a notice of the need to patch the Apache Struts vulnerability.[145] Multiple people at Equifax received the US-CERT email, including the Global Threat and Vulnerability Management (GTVM) team and former CSO Susan Mauldin.[146]

March 9, 2017 – Equifax disseminated the US-CERT notification via the GTVM listserv process.[147] Approximately 430 individuals and various distribution lists received this email.

[140] National Vulnerability Database, CVE-2017-5638 Detail, NIST.gov (Mar. 10, 2017), https://nvd.nist.gov/vuln/detail/CVE-2017-5638#vulnCurrentDescriptionTitle.
[141] Nick Biasini, Content-Type: Malicious – New Apache Struts 2 0-Day Under Attack, Talos (Mar. 8, 2017), https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html.
[142] Id.
[148] The email instructed personnel responsible for Apache Struts installations to upgrade to specific Apache Struts 2 versions. The GTVM email stated: “As exploits are available for this vulnerability and it is currently being exploited, it is rated at a critical risk and requires patching within 48 hours as per the security policy.”[149] Equifax Security performed an open source component scan to identify any systems with a vulnerable version of Apache Struts.[150] The scan did not identify any components utilizing an affected version of Apache Struts.[151] Interim CSO Russ Ayres stated the scan missed identifying the vulnerability because the scan was run on the root directory, not the subdirectory where the Apache Struts was listed.[152]

March 10, 2017 – Mandiant, the firm hired by Equifax to complete a forensic investigation of the breach, found the first evidence of the Apache Struts vulnerability being exploited at Equifax (the “initial recon” step in Figure 4). Attackers ran the “whoami” command to discover other potentially vulnerable servers connected to the Equifax network.[153] However, Mandiant found no direct evidence the March 10 actions were connected to the activity that began on May 13.[154]

March 14, 2017 – Equifax’s Emerging Threats team released a Snort signature rule, written to detect a specific vulnerability and perform an action, to detect Apache Struts exploitation attempts.[155] The Equifax Countermeasures team installed the Snort rule written to detect Apache Struts exploitation attempts on the intrusion detection and prevention systems on March 14.[156]

March 15, 2017 – Equifax received a new signature rule to detect vulnerable versions of Apache Struts from McAfee on March 15.

[143] Michael Riley, Jordan Robertson, & Anita Sharpe, The Equifax Hack Has the Hallmarks of State-Sponsored Pros, Bloomberg (Sept. 29, 2017), https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros. See also Metasploit Framework: CVE-2017-5638 – Apache Struts 2 S2-045, GitHub (Mar. 7, 2017), https://github.com/rapid7/metasploit-framework/issues/8064.
[144] Apache Struts 2 Security Bulletin S2-045, Confluence (last modified Mar. 19, 2017), https://cwiki.apache.org/confluence/display/WW/S2-045.
[145] Email from U.S. Computer Emergency Readiness Team, to GTVM, Equifax (Mar. 8, 2017, 7:31:16 PM) (on file with Committee, EFXCONG-SSTOGR000000060).
[146] Email from U.S. Computer Emergency Readiness Team, to Susan Mauldin, Chief Sec. Officer, Equifax (March 8, 2017, 7:31:16 PM) (on file with Committee, EFXCONG-SSTOGR000000672).
[147] See infra Chapter 5, subsection B.1. Email from GTVM, Equifax, to GTVM Alerts, Equifax (Mar. 9, 2017, 9:31:48 AM) (on file with Committee, EFXCONG-SSTOGR000000508).
[148] GTVM, Apache Struts 2 Vulnerability Incident Response Chart (on file with Committee, EFXCONG-SSTOGR000068115; EFXCONG-SSTOGR000067381).
[149] Email from GTVM, Equifax, to GTVM Alerts, Equifax (March 9, 2018, 9:31:48 AM) (on file with Committee, EFXCONG-SSTOGR000000508).
[150] Briefing by Russ Ayres, Interim Chief Sec. Officer, Equifax, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space & Tech. Staff (Oct. 19, 2017).
[151] Id.
[152] Computers store data in a series of directories (folders). The main directory of a file system is the root directory. All other folders within the file system are subdirectories of the root folder. This structure is what allows computer users to store separate documents (here, the “Users” folder would be one or two levels under the operating system’s root directory, and within each User’s subfolder would be folders for “Documents” and “Pictures”). The directory structure keeps file systems hierarchically organized. See Briefing by Russ Ayres, Interim Chief Sec. Officer, Equifax, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space & Tech. Staff (Oct. 19, 2017).
[157] The company used the McAfee Vulnerability Manager tool to scan its externally facing systems with this signature twice.[158] The scanner checked 958 external-facing Equifax IP addresses and did not find any instance where the vulnerability was present.[159] In short, both of the scanning tools used by Equifax during the patching process failed to identify the presence of vulnerable versions of Apache Struts.[160]

March 16, 2017 – The Apache Struts vulnerability was discussed at a monthly meeting hosted by the GTVM team.[161] The GTVM meeting slides stated the vulnerability was currently being exploited, and reminded those responsible for Apache Struts installations to upgrade to versions 2.3.32 or 2.5.10.1.[162] The slides were emailed to all 430 individuals on the GTVM listserv after the meeting.[163]

[153] Briefing by Mandiant, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018).
[154] Id.
[155] GTVM, Apache Struts 2 Vulnerability Incident Response Chart (on file with Committee, EFXCONG-SSTOGR000068115); see also Understanding and Configuring Snort Rules, Rapid7 Blog (Dec. 9, 2016), https://blog.rapid7.com/2016/12/09/understanding-and-configuring-snort-rules/.
[156] GTVM, Apache Struts 2 Vulnerability Incident Response Chart (on file with Committee, EFXCONG-SSTOGR000068115); Briefing by Russ Ayres, Interim Chief Sec. Officer, Equifax, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space & Tech. Staff (Oct. 19, 2017).
[157] Briefing by Russ Ayres, Interim Chief Sec. Officer, Equifax, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space & Tech. Staff (Oct. 19, 2017).
[158] Id.
[159] Email from Berlene Herren, Vice President Cyber Threat Resistance, Equifax, to Jamie Fike, Workforce Solutions, Equifax (Mar. 15, 2017, 1:56:38 PM) (on file with Committee, EFXCONG-SSTOGR000000510).
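Both of Equifax’s scans missed the vulnerable component: the open source component scan was run against the root directory rather than the subdirectory holding Struts, and the external network scan saw nothing. The following Python script is an added example, not Equifax’s scanner and not code from Apache or McAfee: it walks every subdirectory of a tree, opens Java archives (WAR, EAR, JAR, ZIP) to find a bundled struts2-core jar, and compares the version found against the fixed releases named in the March 16 GTVM slides (2.3.32 and 2.5.10.1). The same archive inspection is what later confirmed the ACIS version from the application’s WAR file, as section C of this chapter describes. The sample directory tree and archives it builds are constructed for the example; the file names and branch rules are assumptions, not Equifax’s.

```python
"""Recursive scan for vulnerable Apache Struts 2 components (added example).

Walks every subdirectory (not only the root), opens Java archives, and
flags any struts2-core jar older than the fixed release for its branch.
"""
import os
import re
import tempfile
import zipfile

# Fixed versions from the March 16 GTVM slides: branch 2.3 -> 2.3.32,
# branch 2.5 -> 2.5.10.1.  Anything older on the same branch is vulnerable.
FIXED = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}
ARCHIVE_EXT = (".war", ".ear", ".jar", ".zip")
STRUTS_JAR = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    return tuple(int(p) for p in text.split("."))


def is_vulnerable(version):
    """True when the version is older than the fix for its 2.x branch.
    Branches the slides do not mention are treated as vulnerable, since no
    fixed release exists for them (an assumption for this example)."""
    fixed = FIXED.get(version[:2])
    return True if fixed is None else version < fixed


def struts_versions_in(path):
    """Yield struts2-core versions found at `path`: either the jar itself or
    entries (for example WEB-INF/lib/...) inside a WAR/EAR/ZIP archive."""
    m = STRUTS_JAR.search(os.path.basename(path))
    if m:
        yield parse_version(m.group(1))
        return
    if not zipfile.is_zipfile(path):
        return
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            m = STRUTS_JAR.search(name)
            if m:
                yield parse_version(m.group(1))


def scan_tree(root):
    """Return [(file path, version string, vulnerable?)] for every Struts
    component under root, descending into every subdirectory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(ARCHIVE_EXT):
                continue
            full = os.path.join(dirpath, fname)
            for ver in struts_versions_in(full):
                findings.append((full, ".".join(map(str, ver)), is_vulnerable(ver)))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: a patched jar at the root and a WAR two levels
    down that bundles an old struts2-core.  A scan that only looks at the
    root directory sees the patched jar and misses the WAR."""
    root = tempfile.mkdtemp(prefix="struts-scan-")
    open(os.path.join(root, "struts2-core-2.5.10.1.jar"), "wb").close()
    app_dir = os.path.join(root, "apps", "dispute-portal")
    os.makedirs(app_dir)
    with zipfile.ZipFile(os.path.join(app_dir, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.3.31.jar", b"")
        war.writestr("WEB-INF/web.xml", b"<web-app/>")
    return root


if __name__ == "__main__":
    for path, version, vuln in scan_tree(build_sample_tree()):
        print("VULNERABLE" if vuln else "ok        ", version, path)
```

Run against a real server the root argument would be the application server’s deployment directory; the point of the example is that the walk descends into subdirectories and into archives, which is where a Struts jar normally lives.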
[160] Witness testimony shows the scanning tools may have failed to detect the presence of the Apache Struts vulnerability due to the lack of visibility into Equifax’s complex legacy IT environments. See Payne Transcribed Interview at 15, 28.
[161] GTVM, Apache Struts 2 Vulnerability Incident Response Chart (on file with Committee, EFXCONG-SSTOGR000068115).
[162] Global Threat & Vulnerability Management, Vulnerability Assessment March 2017 1, 11 (on file with Committee, EFXCONG-SSTOGR000000195-EFXCONG-SSTOGR000000231).
[163] Id.; see also Email from Joe Sanders to Susan Mauldin (Aug. 7, 2017, 8:52 AM) (on file with Committee, EFXCONG-SSTOGR000067381).

B. Attackers Breach Equifax and Remain Undetected for 76 Days (May – July 2017)

Figure 4: Lifecycle of an Attack[164]

May 13 – July 30, 2017 – On May 13, attackers entered the Equifax network through the Apache Struts vulnerability located within the ACIS environment, an internet-facing business system individuals use to dispute incorrect information found within their credit file (the “initial compromise” step in Figure 4).[165] Equifax originally built this system in the 1970s to meet FCRA requirements. It was operating on a complex legacy IT system housed within a data center in Alpharetta, Georgia.[166]

After entering the ACIS environment through the Apache Struts vulnerability, the attackers uploaded the first web shells, which are malicious scripts uploaded to a compromised server to enable remote control of the machine (the “establish foothold” step in Figure 4).[167] Web shells can enable file system and database manipulation, facilitate system command execution, and provide file upload/download capability.[168] In essence, a web shell provides a secret backdoor for an attacker to reenter and interact with a compromised system.

The ACIS environment was comprised of two web servers and two application servers, with firewalls set up at the perimeter of the web servers.[169] Attackers exploited the Apache Struts vulnerability found on the application servers to bypass these firewalls.[170] Once inside the network, the attackers created web shells on both application servers.[171] This provided the attackers with the ability to execute commands directly on the system hosted on the application servers.[172] Approximately 30 unique web shells were used to perform the attack.[173] According to Mandiant, file integrity monitoring could have discovered the creation of these web shells by detecting and alerting to potentially unauthorized network changes.[174] Equifax did not have file integrity monitoring enabled on the ACIS system at the time of the attack.

[164] Jessee Leimgruber, Here’s How Easily You Could’ve Hacked Equifax, Bloom Blog (Sept. 17, 2017), https://blog.hellobloom.io/how-hard-was-the-equifax-hack-a3bae36f9e6f.
[165] Briefing by Mandiant, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018); see also Mauldin Transcribed Interview at 21.
[166] Payne Transcribed Interview at 19-20, 132.
[167] Briefing by Mandiant, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018); see also Compromised Web Servers and Web Shells – Threat Awareness and Guidance, US-CERT (Aug. 9, 2017), https://www.us-cert.gov/ncas/alerts/TA15-314A.
[168] Fidelis Cybersecurity, Understanding Web Shells 1, 4 (2016), available at https://www.fidelissecurity.com/sites/default/files/TA_Fidelis_Webshells_1605.pdf.
[169] Briefing by Mandiant, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018).
[170] Id.
[171] Id.
[172] Mandiant, Mandiant Report 1, 2 (2017) (on file with Committee).
[173] Id. at 2.
[174] Briefing by Mandiant, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018); see infra, Chapter 5, subsection C.4.
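Mandiant’s observation that file integrity monitoring could have caught the creation of the web shells can be made concrete. The following Python is an added example, not Equifax’s tooling and not Mandiant’s: it records a hashed baseline of a web root, compares the tree against that baseline later, and raises a high-severity alert for any new or modified file with a server-executable extension (.jsp, .jspx, .war, .class, .jar), which is the kind of change the unexpected JSP files found in the ACIS application on July 31 would have produced. The sample web root, its files and the post-compromise changes are constructed inline for the example.

```python
"""Baseline-and-diff file integrity monitor for a web root (added example).

Snapshot the tree, compare later, and escalate any new or modified
server-side executable file (a dropped JSP is the ACIS case).
"""
import hashlib
import os
import tempfile

# Extensions the application server will execute if a request reaches them.
EXECUTABLE = {".jsp", ".jspx", ".war", ".class", ".jar"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> (sha256, size) for every regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root)
            state[rel] = (sha256_of(full), os.path.getsize(full))
    return state


def diff(baseline, current):
    """Return (change, relpath, severity) tuples for every difference.
    Severity is 'high' for new or changed executable content, 'info' otherwise."""
    alerts = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            change = "added"
        elif rel not in current:
            change = "deleted"
        elif baseline[rel] != current[rel]:
            change = "modified"
        else:
            continue
        ext = os.path.splitext(rel)[1].lower()
        severity = "high" if ext in EXECUTABLE and change != "deleted" else "info"
        alerts.append((change, rel, severity))
    return alerts


def write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a small web root, then simulate the
    post-compromise state (a new JSP in a web-accessible directory and an
    edited static file) and return the alerts the diff produces."""
    root = tempfile.mkdtemp(prefix="fim-")
    write(root, "index.jsp", b"<%-- legitimate page (constructed) --%>")
    write(root, "static/logo.png", b"\x89PNG constructed sample")
    write(root, "WEB-INF/web.xml", b"<web-app/>")
    baseline = snapshot(root)
    # Changes after the baseline: an unexpected JSP where the server will
    # execute it (high), and an edited static file (worth logging only).
    write(root, "images/upload.jsp", b"<%-- unexpected file (constructed) --%>")
    write(root, "static/logo.png", b"\x89PNG constructed sample v2")
    return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

In production the baseline would be stored off the monitored host and the comparison scheduled or driven by file-system change notifications; the diff logic above is unchanged either way.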
[175] After installing the first web shells, the attackers accessed a mounted file share containing unencrypted application credentials (i.e., username and password) stored in a configuration file database (the “escalate privileges” step in Figure 4).[176] Mounting is a process by which the operating system makes files and directories on a storage device available for internal access via the computer’s file system.[177] Attackers were able to access the file share because Equifax did not limit access to sensitive files across its internal legacy IT systems.[178] Ayres stated storage of these credentials in this manner was inconsistent with Equifax policy.[179]

Although the ACIS application required access to only three databases within the Equifax environment to perform its business function, the ACIS application was not segmented off from other, unrelated databases.[180] As a result, the attackers used the application credentials to gain access to 48 unrelated databases outside of the ACIS environment.[181] Attackers ran approximately 9,000 queries on these databases and obtained access to sensitive stored data (the “internal recon” step in Figure 4).[182] The attackers queried the metadata from a specific table to discover the type of information contained within the table.[183] Once the attackers found a table with PII, they performed additional queries to retrieve the data from the table.[184] In total, 265 of the 9,000 queries the attackers ran within the Equifax environment returned datasets containing PII.[185] None of the PII contained in these datasets was encrypted at rest.[186]

The attackers stored the PII data output from each of the 265 successful queries in files.[187] The attackers compressed these files and placed them into a web accessible directory.[188] Then, the attackers issued commands through the tool Wget – a common system utility that allows the user to issue commands and retrieve content from web servers – to transfer the data files out of the Equifax environment.[189] The attackers used the web shells to exfiltrate some of the data (the “complete mission” step in Figure 4).[190] The attackers used an estimated 35 different IP addresses to interact with the ACIS environment.[191]

The attack lasted for 76 days before it was discovered by Equifax employees. An expired Secure Sockets Layer (SSL) certificate prevented Equifax from monitoring traffic to the ACIS environment.[192] SSL is a standard security protocol that enables encrypted communication between a web browser and a web server. To create this secure connection, an active SSL certificate must be installed at the point where decryption will occur. SSL certificates have a lifespan of either 27 or 39 months, depending on the date the SSL certificate was issued.

[171] Id.
[172] Mandiant, Mandiant Report 1, 2 (2017) (on file with Committee).
[173] Id. at 2.
[174] Briefing by Mandiant, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018); see infra, Chapter 5, subsection C.4.
[175] Briefing by Mandiant, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018).
[176] Briefing by Russ Ayres, Interim Chief Sec. Officer, Equifax, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space & Tech. Staff (Oct. 19, 2017); Briefing by Mandiant, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018).
[177] See Mounting, Linux Information Project, http://www.linfo.org/mounting.html (last visited Oct. 10, 2018).
[178] See infra, Chapter 5, subsection C.4.
[179] Briefing by Russ Ayres, Interim Chief Sec. Officer, Equifax, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space & Tech. Staff (Oct. 19, 2017).
[180] Briefing by Mandiant, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018).
[181] Id.
[182] Id.
[183] Id.
[184] Id.
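The report states that ACIS needed three databases but its credentials reached 48, and that the attackers first queried table metadata to find PII before retrieving rows. Both facts are visible from the database side. The following Python is an added example and not Equifax’s monitoring: given a least-privilege allowlist of the databases an application account may use and a query audit log, it flags every statement from that account against a database outside its allowlist, and flags any account that issues repeated schema-enumeration queries against one database, which is the “internal recon” step of Figure 4 as a database audit would record it. The log format, the account name acis_app, the database names and the audit lines are all constructed for the example.

```python
"""Database-side detection of out-of-scope access and schema enumeration
(added example).

A least-privilege policy names the databases each application account may
touch; an audit log of executed statements is checked against it.
"""
import re
from collections import Counter

# Assumed policy: the dispute application needs exactly three databases.
# Account and database names are constructed for the example.
ALLOWLIST = {
    "acis_app": {"disputes", "consumer_contact", "dispute_docs"},
}

# Statements that enumerate structure rather than serve the application.
SCHEMA_ENUM = re.compile(
    r"\b(information_schema\.(tables|columns)|all_tab_columns|"
    r"sys\.(tables|columns)|show\s+(tables|columns))\b", re.IGNORECASE)

# Constructed audit lines: timestamp|account|database|statement
SAMPLE_LOG = """\
2017-05-14T02:10:01Z|acis_app|disputes|SELECT status FROM dispute WHERE id = ?
2017-05-14T02:11:07Z|acis_app|hr_payroll|SELECT table_name FROM information_schema.tables
2017-05-14T02:11:09Z|acis_app|hr_payroll|SELECT column_name FROM information_schema.columns WHERE table_name = 'employee'
2017-05-14T02:11:20Z|acis_app|hr_payroll|SELECT * FROM employee
2017-05-14T02:12:02Z|acis_app|consumer_contact|SELECT email FROM contact WHERE consumer_id = ?
2017-05-14T02:13:44Z|report_batch|analytics|SELECT table_name FROM information_schema.tables
"""


def parse_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, db, stmt = line.split("|", 3)
        rows.append({"ts": ts, "user": user, "db": db, "stmt": stmt})
    return rows


def out_of_scope(rows, allowlist=ALLOWLIST):
    """Statements by an allowlisted account against a database it may not use.
    Accounts with no policy entry are not judged here."""
    return [r for r in rows
            if r["user"] in allowlist and r["db"] not in allowlist[r["user"]]]


def schema_enumeration(rows, threshold=2):
    """(account, database) pairs issuing `threshold` or more enumeration queries."""
    counts = Counter((r["user"], r["db"])
                     for r in rows if SCHEMA_ENUM.search(r["stmt"]))
    return {key: n for key, n in counts.items() if n >= threshold}


def findings(text):
    rows = parse_log(text)
    return {
        "out_of_scope": [(r["ts"], r["user"], r["db"]) for r in out_of_scope(rows)],
        "schema_enumeration": schema_enumeration(rows),
    }


if __name__ == "__main__":
    for key, value in findings(SAMPLE_LOG).items():
        print(key, value)
```

The allowlist is the segmentation decision written down: had the ACIS account been granted access to only its three databases, the out-of-scope queries would have failed rather than merely been logged, and the detection here would be a check on the grants rather than on the traffic.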
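The paragraph above explains that a certificate has a fixed lifespan and must be renewed before it expires; the report goes on to attribute nineteen months of lost visibility to a certificate on the SSLV appliance that expired on January 31, 2016 and was replaced only on July 29, 2017. The following Python is an added example, not Equifax’s certificate inventory: it evaluates a certificate’s validity window in the dictionary form that Python’s ssl module returns from getpeercert(), reports the days until (or since) expiry relative to a chosen date, and checks the lifespan against the 27- and 39-month maxima the footnote describes. The sample certificate record is constructed; only its expiry date comes from the report, and its issue date and the 9:00 pm time zone are assumptions.

```python
"""Certificate expiry and lifetime check for an inspection appliance
(added example).

Works on the dict that ssl.SSLSocket.getpeercert() returns, so the same
check can run against a live endpoint or an exported inventory record.
"""
import socket
import ssl
from datetime import datetime, timezone

# Maximum lifetime of a publicly-trusted certificate by issue date, per the
# CA/Browser Forum rule change the report's footnote describes.
LIFETIME_RULE_CHANGE = datetime(2018, 3, 1, tzinfo=timezone.utc)


def _parse(cert_time):
    """'Jan 31 23:59:59 2016 GMT' -> aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def max_lifetime_months(not_before):
    return 39 if not_before < LIFETIME_RULE_CHANGE else 27


def months_between(a, b):
    """Whole months from a to b (b >= a), respecting day-of-month."""
    months = (b.year - a.year) * 12 + (b.month - a.month)
    if b.day < a.day:
        months -= 1
    return months


def assess(cert, now, warn_days=30):
    """Describe the certificate's validity relative to `now`.
    status: 'not_yet_valid', 'expired', 'expiring' (within warn_days) or 'valid'."""
    not_before = _parse(cert["notBefore"])
    not_after = _parse(cert["notAfter"])
    days_left = (not_after - now).days          # negative once expired
    if now < not_before:
        status = "not_yet_valid"
    elif days_left < 0:
        status = "expired"
    elif days_left <= warn_days:
        status = "expiring"
    else:
        status = "valid"
    lifetime = months_between(not_before, not_after)
    return {
        "status": status,
        "days_left": days_left,
        "lifetime_months": lifetime,
        "lifetime_exceeds_policy": lifetime > max_lifetime_months(not_before),
    }


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Retrieve a live endpoint's certificate dict (needs network access;
    not used by the offline demo below)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed record: expiry taken from the report's January 31, 2016 date;
# the issue date is an assumption chosen to give a 39-month certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "inspection.example.invalid"),),),
    "notBefore": "Oct 31 00:00:00 2012 GMT",
    "notAfter": "Jan 31 23:59:59 2016 GMT",
}
# The moment the new certificates were uploaded: July 29, 2017, 9:00 pm,
# treated here as UTC (the report does not state the time zone).
JULY_29_2017 = datetime(2017, 7, 29, 21, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(assess(SAMPLE_CERT, JULY_29_2017))
```

Run daily against every inspection point, with the appliance configured to fail closed rather than pass uninspected traffic, this check turns an expiry into a ticket weeks in advance instead of a silent loss of visibility.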
[193] After this period, the certificate expires and must be renewed or replaced to become active once again.[194]

[185] Id.
[186] Oversight of the Equifax Data Breach: Answers for Consumers: Hearing Before the Subcomm. on Digital Commerce & Consumer Prot. of the H. Comm. on Energy & Commerce, 115th Cong. (2017) (testimony of Richard Smith, Former Chief Exec. Officer, Equifax); Mauldin Transcribed Interview at 136. “Data at rest” is data not actively moving across a network, such as data stored on a hard drive. Encryption enables a data owner to scramble the content of protected documents by requiring a decryption key to decipher it. Only authorized viewers with access to the decryption key are able to read the protected information. Encrypting data at rest is the most effective way to safeguard it from unauthorized intruders. See Nate Lord, Data Protection: Data in Transit vs. Data at Rest, Digital Guardian (Sept. 19, 2018), https://digitalguardian.com/blog/data-protection-data-in-transit-vs-data-at-rest.
[187] Briefing by Mandiant, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018).
[188] Id.
[189] Id.; see also Introduction to GNU Wget, Free Software Foundation, https://www.gnu.org/software/wget/ (last visited Oct. 10, 2018).
[190] Briefing by Mandiant, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018).
[191] Id.
[192] Id.
[193] SSL certificates issued prior to March 1, 2018 have a lifespan of up to 39 months, but any certificates issued after this date expire after 27 months due to a rule change in the Certificate Authority (CA) Browser Forum’s Baseline Requirements. The CA/Browser Forum, a voluntary group of certification authorities and internet browser vendors, develops standards for the issuance and management of digital certificates. See CA/Browser Forum, Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates 1, 39 (2018), https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.0.pdf.
[194] Id.

The expired SSL certificate was installed on a traffic monitoring device called an SSL Visibility (SSLV) appliance.[195] This device allowed Equifax to inspect encrypted traffic flowing to and from the ACIS platform by decrypting the traffic for analysis prior to sending it through to the ACIS servers.[196] Both the intrusion detection system and the intrusion prevention system were behind this monitoring device (see Figure 5).[197]

Figure 5: Traffic Flow from External Computer through SSLV Appliance[198] (diagram labels: External Computer; SSLV appliance; Intrusion detection and prevention systems)

The default setting for this device allowed web traffic to continue through to the ACIS system, even when the SSL certificate was expired.[199] When this occurs, traffic flowing to and from the internet is not analyzed by the intrusion detection or prevention systems because these security tools cannot analyze encrypted traffic. According to documents obtained, the SSL certificate installed on the SSLV device monitoring the ACIS domain ai.equifax.com expired on January 31, 2016.[200] As a result, Equifax did not have visibility into the network traffic in the ACIS environment for nineteen months.[201]

C. Equifax Detects the Data Breach and Initiates Project Sierra (July – Aug. 2017)

July 29, 2017 – At 9:00 pm, the Equifax Countermeasures team uploaded 67 new SSL certificates to the SSLV appliance at the Alpharetta, Georgia data center where the ACIS environment was located.[202] This allowed the company to resume the inspection of traffic flowing to and from the ACIS application. The Countermeasures team monitored the appliance and the intrusion prevention system for any sudden increase in security alerts.[203] The Countermeasures team began reviewing packet captures to ensure decryption was taking place.[204] Packet capture is the creation of a copy of a data packet as it travels across a specific network point.[205] Packets are temporarily stored for analysis of the captured data. A full packet includes a payload (the actual contents of the packet) and a header (information such as the packet’s source and destination address).

Almost immediately, the Equifax Countermeasures team detected a suspicious request from an IP address originating in China.[206] The team analyzed the full suspicious packet and other recent requests.[207] The server response for most of these recent requests contained more than 10 megabytes of data, and possibly contained image files related to credit investigations.

[195] Briefing by Russ Ayres, Interim Chief Sec. Officer, Equifax, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space & Tech. Staff (Oct. 19, 2017).
[196] Id.
[197] See infra, Chapter 3, Figure 4.
[198] Inbound and Outbound SSL Inspection, Symantec, https://origin-symwisedownload.symantec.com/resources/webguides/sslv/sslva_first_steps/Content/Topics/Overviews/ssl_insection_overview.htm (last visited Oct. 23, 2018) (labels edited).
[199] Briefing by Russ Ayres, Interim Chief Sec. Officer, Equifax, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space & Tech. Staff (Oct. 19, 2017).
[200] Equifax, Master List of Expired Certificates (current on July 29, 2017) (on file with Committee, EFXCONG-SSTOGR000029241).
[201] Id. GAO reported this certificate was expired for ten months. See GAO Equifax Data Breach Report at 18. However, documents produced to the Committee show the expiration date for the certificate was January 31, 2016.
[208] Equifax used the tool Moloch – an open source piece of software used to index, view, and analyze packet captures – to index network traffic.[209] After employees noticed the suspicious foreign traffic, Equifax ran a search for the Chinese IP address on Moloch.[210] Search results showed persistent attempts to contact the ACIS web portal from this IP address since July 25, 2017.[211] The Countermeasures team made the decision to block the Internet Service Provider (ISP) used by this IP address.[212] Equifax employees were unable to determine what this actor did prior to July 29, including any details on the requests made to the ACIS application, because of the expired SSL certificate.[213]

July 30, 2017 – Equifax continued its incident investigation by conducting vulnerability testing of the ACIS application.[214] Equifax discovered flaws in the ACIS code rendering the system vulnerable to SQL injection and Insecure Direct Object Reference attacks.[215] The SQL injection flaw allows an attacker to inject or retrieve database information.[216] The Insecure Direct Object Reference flaw allows direct access to system data without requiring appropriate authentication or authorization.[217] The ACIS application had been tested for vulnerabilities in April 2017 after Equifax knew about the Apache Struts flaw and no unremediated vulnerabilities were found.[218] It is unclear why the April 2017 vulnerability testing and the July 30, 2017 vulnerability testing produced different results.

The Equifax forensic team soon discovered the exfiltrated data likely contained PII.[219] Equifax observed additional instances of suspicious traffic originating from a second IP address owned by a German ISP, but leased to a Chinese provider.[220] As a result of these findings, Equifax decided to shut down the ACIS web portal for emergency maintenance on July 30 at 12:41 pm.[221] The cyberattack ended when the application was taken offline.

One of CSO Susan Mauldin’s employees called to inform her of the incident around 1:30 pm, and told her to join an incident management conference call as soon as possible.[222] When she joined the conference, a group of IT and Security employees were discussing the logistics of taking the ACIS machine offline.[223] Mauldin testified:

Q. And what, if anything, did you say on the call on July 30, 2017, when the team reported that they wanted to take the ACIS machine offline?

A. Well, it was already – the machine coming offline was already in progress. So they were not asking for my approval at that point. It was already in process. But I – so I did not have to give approval for it. At the point, I was mostly listening and trying to learn what was going on, because I was coming into it brand-new, not really knowing anything.[224]

Immediately after this call, Mauldin emailed information about the security incident to Chief Legal Officer John Kelley, who was on vacation at the time, and the employee within the Legal office covering for Kelley while he was away.[225] Mauldin did not recall either of them responding to her email that day.[226] Around 6:30 pm, Mauldin called Graeme Payne, Senior Vice President and CIO for Global Corporate Platforms, the senior manager for the ACIS application.

[202] Cyber Threat Center, Project Sierra 1, 4 (July 31, 2017) (on file with Committee, EFXCONG-SSTOGR000003446-EFXCONG-SSTOGR000003454) [hereinafter CTC Project Sierra].
[203] Id. at 4-5.
[204] Id. at 5.
[205] Packet Capture, Techopedia, https://www.techopedia.com/definition/25333/packet-capture (last visited Oct. 17, 2018).
[206] CTC Project Sierra at 5.
[207] Id.
[208] Id.
[209] Id. at 6; see Moloch Home, https://molo.ch/ (last visited Oct. 17, 2018).
[210] CTC Project Sierra at 6.
[211] Id.
[212] Id.
[213] Email from Corporate Security Support, Equifax, to Joe Sanders, Senior Director for Security, GTVM, Equifax (July 31, 2017, 12:00:03 AM).
[214] CTC Project Sierra at 6.
[215] Id.
[216] Id.
[217] Id.
Mauldin testified:

A. My best recollection of that discussion is that I informed him that we had a security incident that involved the ACIS application; we thought there might be an exploit of Apache Struts, but we were not sure at that time; that the server was down, so therefore the application was offline; and we needed his help to work with his development team to perform some research, to work with a Security team and perform some research for us so that we would understand whether they were using [Apache] Struts and what the version was and so forth so that we could start on the investigation of what happened.

Q. And can you tell me, what, if anything, did Mr. Payne say in response to you on the call you had with him on July 30, 2017?

A. In my recollection, I don’t remember the exact words, but I can say that Mr. Payne was . . . very agreeable. Obviously, this was an application under his area of responsibility. He certainly agreed to help. He responded in very . . . urgent manner and did everything that we asked him to do.[227]

Payne informed CIO David Webb of the incident via email on July 30 at 7:16 pm.[228]

July 31, 2017 – Equifax assigned the code name Project Sierra to the incident response efforts.[229] On a 7:00 am call with the initial Project Sierra group, Equifax’s Vulnerability Assessment team discussed the findings of the ACIS application review conducted on July 30.[230] The team had identified an unexpected JSP file inserted into the ACIS application through SQL injection.[231] A JavaServer Pages (JSP) file is a dynamic server-generated web page.[232] In short, if a JSP file is placed in an appropriate location on a web server, it creates a web shell able to respond to a command from an attacker.[233] This command causes the web server to process or execute the code within the file and return the generated output in the form of a web page. Equifax discovered code within the JSP file provided the avenue for the exploit.[234] Following this 7:00 am call, a second unexpected JSP file was identified within the ACIS application.[235] The forensics team immediately imaged these environments.[236]

Payne and Webb met early on Monday, July 31 to discuss what was known about the incident. Webb testified:

A. Yes. So on the Monday . . . I’m typically an early morning person, Graeme is an early morning person. So we huddled early, and he just gave me a very brief update to let me know that there was an incident, that we didn’t know what was going on, and that we were doing the investigative work alongside the security team. So in these instances, we take direction from Security.

Q. Did he give you any sense of the severity of the incident at that point?

A. No.

[218] Id.
[219] CTC Project Sierra at 7; Mauldin Transcribed Interview at 78.
[220] CTC Project Sierra at 7.
[221] CTC Project Sierra at 7; Email from Berlene Herren, Vice President Cyber Threat Resistance, Equifax, to Stephen Cosby, Vice President Cyber Security Operations, Equifax (July 30, 2017, 2:24:13 PM) (on file with Committee, EFXCONG-SSTOGR000119042-EFXCONG-SSTOGR000119045).
[222] Mauldin Transcribed Interview at 46-47.
[223] Id. at 47.
[224] Id. at 47-48.
[225] Id. at 52-54.
[226] Id. at 54.
[227] Mauldin Transcribed Interview at 55-56.
[228] Email from Graeme Payne, Senior Vice President, Equifax, to David Webb, Chief Info. Officer, Equifax (July 30, 2017, 7:16:00 PM) (on file with Committee, EFXCONG-SSTOGR000043861).
[229] CTC Project Sierra at 3 (drafted on July 31, 2017).
[230] Id. at 7.
[231] Id.
[232] Fidelis Cybersecurity, Understanding Web Shells at 4.
[233] Id. See also Scott Sutherland, Hacking with JSP Shells, NetSPI Blog (July 7, 2011), https://blog.netspi.com/hacking-with-jsp-shells/.
[234] CTC Project Sierra at 7.
[235] Id.
[236] Id.
As of July 31, Equifax did not definitively know how the attackers entered the ACIS environment, but Equifax suspected the attackers utilized an Apache Struts exploit.238 The Vulnerability Assessment team conducted a review of closed vulnerabilities for the ACIS portal, looking for potential avenues of exploitation.239 The team discovered a scan performed on January 25, 2017 had identified a remediated Apache Struts vulnerability on the ACIS platform.240 Developers provided Vulnerability Assessment employees with the application's WAR file – a compressed package containing all of the files and other Java components used to run an application.241 The WAR file confirmed the ACIS application was running a vulnerable version of Apache Struts.242

Later on July 31, the Vulnerability Assessment team conducted a manual review looking for additional instances of Apache Struts on other servers.243 A vulnerable version of Apache Struts was discovered on a second server within the ACIS application.244 Equifax had not loaded an SSL certificate for this server, so it had no visibility into the traffic to and from the server.245 Equifax uploaded an SSL certificate for this domain on August 3.246

Based on information confirmed on July 31 by the lead forensic analyst, Mauldin stated "I felt like I knew at that point that PII had been involved in this incident."247 She reported this to John Kelley on July 31, but did not inform David Webb.248 Mauldin testified:

Q. Is there any particular reason why you did not report to the CIO your belief that PII may have been exfiltrated in connection with the security incident we have been discussing?

A. I don't remember a particular reason about that . . . . I just don't remember thinking about that.249

August 1, 2017 – Graeme Payne provided David Webb with a brief update on the Project Sierra investigation. He told Webb the investigation was progressing but no new information was known at the time.250 This was Webb's last involvement with Project Sierra until August 17, 2017. Webb went on vacation out of the country from August 2 through August 16.251

***

Equifax's discovery of the data breach and subsequent incident response findings quickly led to discussions on how, and when, to notify affected individuals. The company would soon learn the extent of the incident – the sensitive personal information Equifax held on 148 million consumers was compromised. Equifax had to quickly prepare for public notification of the massive data breach.

IV. Equifax Notifies the Public of the Massive Data Breach

On September 7, 2017, Equifax notified the public about the data breach affecting an estimated 143 million consumers, a number which later increased to 148 million. Prior to notifying the public, Equifax attempted to prepare a dedicated breach notification website and staff call centers to manage the influx of consumers seeking information about the breach. In addition, Equifax made changes to its senior leadership.

A. Preparations for September 7, 2017 Public Notice

After Equifax discovered the breach and took actions to stop further attacks, the company hired an outside cybersecurity firm to conduct a forensic investigation. The forensic investigation determined the extent of the breach, the amount of consumer information compromised, and the identities of affected consumers. Equifax initiated Project Sparta to prepare for public notification.

1. Equifax Briefs Senior Leaders and Begins Forensic Investigation

July 31, 2017 – CIO David Webb informed CEO Richard Smith about the security incident, but explained limited information was available.252 Webb stated he thought it prudent to inform the CEO at the time because the incident involved "a portal that's used by millions of Equifax customers every year to send in disputes or complaints – and if the online service [was] not available, then they call the call centers."253 During the next few weeks, Equifax scrambled to prepare for public notification of the data breach and the intense public scrutiny which would follow.

August 2, 2017 – Equifax contacted outside counsel and informed the Federal Bureau of Investigation about the breach.254 Outside counsel contacted the cybersecurity firm Mandiant.255 Equifax hired Mandiant to complete a comprehensive forensic review of the breach and determine the scope of the intrusion.256

August 3, 2017 – Mandiant conducted its forensic review from August 3 to October 2.257 To complete its forensic review, Mandiant preserved the databases the attackers accessed and ran a search for any relevant queries the attackers used when accessing the database.258 Mandiant identified potential access points based on forensic markers left behind by the attackers on Equifax's servers.259 The firm used these forensic markers to recreate the attackers' actions and discover the extent of the information they were able to access.

August 11, 2017 – Mandiant first identified potential access to consumer PII by the attackers.260

August 15, 2017 – Equifax employees informed Smith consumer PII was likely stolen.261

August 17, 2017 – By this date, Equifax determined "large volumes of consumer data . . . had been compromised."262 Senior leadership from Equifax, a Mandiant representative, and outside counsel met to discuss the ongoing forensic investigation.263 Senior leadership included the CEO, CIO, Chief Legal Officer, Chief Financial Officer, and the business lead for the ACIS environment.264 Mandiant continued its investigation after this meeting to determine the extent of compromised consumer data.

August 24 – 27, 2017 – Mandiant confirmed a significant volume of PII had been accessed by the attackers.265 The forensics firm coordinated with Equifax database owners to identify what data attackers accessed and the affected individuals.266 This process was challenging because Equifax did not have a list of database owners, and certain data within the databases was not clearly identifiable. On August 24 and August 25, Smith informed the Equifax Board of Directors about the breach.267

September 1, 2017 – Equifax convened a Board meeting to discuss the investigation, the scale of the PII compromise, and notification plans.268 Another senior leadership team meeting occurred later this day.

237 Webb Transcribed Interview at 30-31.
238 Mauldin Transcribed Interview at 55-56.
239 CTC Project Sierra at 7.
240 Id. at 8.
241 Understanding WAR, SPRING.IO, https://spring.io/understanding/WAR (last visited Oct. 18, 2018).
242 CTC Project Sierra at 8.
243 Id.
244 Id.
245 Id.
246 Email from Berlene Herren, Vice President Cyber Threat Resistance, Equifax, to Susan Mauldin, Chief Sec. Officer, Equifax (Aug. 9, 2017, 2:36:00 PM) (on file with Committee, EFXCONG-SSTOGR000120415 - EFXCONG-SSTOGR000120416).
247 Mauldin Transcribed Interview at 110.
248 Id. at 111.
249 Mauldin Transcribed Interview at 113.
250 Webb Transcribed Interview at 34.
251 Id. at 36.
252 Webb Transcribed Interview at 31, 33.
253 Id. at 33.
254 Briefing by Russ Ayres, Interim Chief Sec. Officer, Equifax, to H. Comm. on Oversight & Gov't Reform & H. Comm. on Science, Space & Tech. Staff (Oct. 19, 2017); Mauldin Transcribed Interview at 77.
255 Briefing by Mandiant, to H. Comm. on Oversight & Gov't Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018).
256 Mandiant, Mandiant Report 1 (2017) (on file with Committee).
257 Briefing by Mandiant, to H. Comm. on Oversight & Gov't Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018).
258 Id.
Mauldin attended the senior leadership team meeting and stated topics discussed included the status of the forensic investigation, the number of affected records, possible causes of the incident, and actions to complete the investigation.269

September 4, 2017 – Equifax, with forensic support from Mandiant, completed a list of approximately 143 million affected consumers.270

While the Board convened and senior leadership received updates on Mandiant's investigation, other Equifax employees prepared to launch a dedicated breach notification website and establish call centers to support consumer outreach.

2. Equifax Launches Project Sparta and Prepares Call Centers

In mid-August 2017, Equifax initiated a response-related effort called Project Sparta.271

259 Id.
260 Id.
261 Oversight of the Equifax Data Breach: Answers for Consumers: Hearing Before the Subcomm. on Digital Commerce & Consumer Prot. of the H. Comm. on Energy & Commerce, 115th Cong. (2017) (prepared written statement of Richard Smith, Former Chief Exec. Officer, Equifax).
262 Id.
263 Mauldin Transcribed Interview at 80, 120.
264 Id. at 80.
265 Briefing by Mandiant, to H. Comm. on Oversight & Gov't Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018).
266 Id.
267 Calendar invitation for Equifax Board of Directors call on Aug. 24, 2017 (on file with Committee, EFXCONG-SSTOGR000122875); Calendar invitation for Equifax Board of Directors call on Aug. 25, 2017 (on file with Committee, EFXCONG-SSTOGR000122876).
268 Oversight of the Equifax Data Breach: Answers for Consumers: Hearing Before the Subcomm. on Digital Commerce & Consumer Prot. of the H. Comm. on Energy & Commerce, 115th Cong. (2017) (prepared written statement of Richard Smith, Former Chief Exec. Officer, Equifax).
269 Mauldin Transcribed Interview at 120-21.
The purpose of Project Sparta was to create a consumer-facing website for individuals to find out whether they were affected by the breach and, if so, to register for credit monitoring and identity theft services.272 The technology lead for this project reported to Webb and the business lead reported to Smith.273 Webb said his role was to ensure sufficient resources were directed toward this project, including an estimated 50 to 60 IT employees.274 Payne testified:

The Project Sparta team was just told that there was a significant breach they were working on for a customer, and so they . . . really had no knowledge about what they were preparing for, but they were preparing all the systems and integrations and standing up the web portal for a mass amount of consumers to hit our systems.275

Mauldin described her role in this process as "very minimal."276 She said the Security team reviewed the final website design and security controls a few days prior to launch.277 She stated there was a robust technical discussion, but did not recall any major security concerns at the time. Documents show Equifax undertook a significant effort to design and prepare this external website.278

In the weeks leading up to the public notification on September 7, Equifax also began preparations to stand up a call center capability. Payne described the challenges they faced in establishing a call center. He testified:

We had to start preparations to ramp up the call centers for the expected influx of calls . . . . [R]emembering that Equifax is generally a B2B

270 Oversight of the Equifax Data Breach: Answers for Consumers: Hearing Before the Subcomm. on Digital Commerce & Consumer Prot. of the H. Comm. on Energy & Commerce, 115th Cong. (2017) (prepared written statement of Mr. Richard Smith, Former Chief Exec. Officer, Equifax).
271 Webb Transcribed Interview at 77; Payne Transcribed Interview at 140.
[business to business] company . . . we don't have a huge focus on consumers. So we had to onboard a bunch of external third-party call center agents . . . . I had to get my team organized to help support them and . . . make sure we had . . . all the onboarding procedures set up so they could get access to all systems they needed to be able to do their jobs.279

Payne said Equifax "had to ramp up 1,500 [call center] agents in a week or so."280 Testimony and documents show an intense level of activity took place to prepare for the public notification on September 7, 2017.

B. September 2017 – Equifax Notifies the Public

Equifax publicly announced the data breach on September 7, 2017. The company soon found its website and call centers overwhelmed by individuals seeking information in the wake of the breach. Before the end of September, Equifax's CIO, CSO, and CEO retired from the company.

1. September 7, 2017 – Equifax Publicly Announces the Data Breach

On September 7, 2017, Equifax announced a "cybersecurity incident" affecting approximately 143 million U.S. consumers.281 Equifax said the type of consumer information accessed included names, Social Security numbers, birth dates, addresses, and driver's licenses.

272 Webb Transcribed Interview at 75; Payne Transcribed Interview at 137-38.
273 Payne Transcribed Interview at 138-39.
274 Webb Transcribed Interview at 75.
275 Payne Transcribed Interview at 138.
276 Mauldin Transcribed Interview 133-34.
277 Id.
278 Email from Jith Dhil to multiple Equifax recipients regarding Project Sierra Readiness Follow-up (Sept. 3, 2017, 1:27:00 PM) (on file with Committee, EFXCONG-SSTOGR000067683); Equifax, Project Sparta Design Document (Sept. 2017) (on file with Committee, EFXCONG-SSTOGR000080965 - EFXCONG-SSTOGR000080966).
Equifax said the attackers accessed 209,000 credit card numbers and 182,000 credit dispute documents which contained PII.282 Equifax directed consumers to visit equifaxsecurity2017.com for additional information (see Figure 6).283 Equifax intended for this website to: (1) tell consumers whether their personal information was compromised; and (2) facilitate enrollment in credit monitoring and identity theft protection services.

Figure 6: Equifax Website on September 7, 2017

Equifax confirmed it would provide one year of free monitoring and identity theft protection services to victims of the breach.284 These services included: monitoring of credit reports by the three major credit bureaus; copies of Equifax credit reports; capability to lock and unlock Equifax credit reports; identity theft insurance; and internet scanning for Social Security numbers.

Equifax sent a letter to officials in all fifty states disclosing the data breach, as required by state data breach notification laws.285 The letter explained the circumstances of the breach and the steps Equifax took to protect consumers.286 The letter included the approximate number of potentially impacted residents in the state.287

2. Other Stakeholders React to Equifax Announcement

In the aftermath of Equifax's public announcement, Equifax's stock price fell 35 percent in the first week, wiping out $6 billion in market value.288 Multiple federal regulators, including the FTC and the CFPB, announced or confirmed investigations.289 US-CERT warned consumers about possible phishing scams leveraging the Equifax data breach.290 Multiple congressional

279 Payne Transcribed Interview at 140.
280 Id. at 142.
281 Press Release, Equifax, Equifax Announces Cybersecurity Incident Involving Consumer Information (Sept. 7, 2017), https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628.
282 Id.
283 Id.
284 Id.
committees called for hearings and requested documents. The Committee launched its Equifax investigation on September 14, 2017.291

3. Website and Call Centers Overwhelmed

Almost immediately, problems existed with Equifax's public response.292 The website and call centers were overwhelmed with requests for information and left consumers without answers as to whether they were affected by the breach.293

a. EquifaxSecurity2017.com Issues

The Equifax Project Sparta team set up a website and supporting infrastructure to handle intake from potentially 143 million individuals in approximately three weeks (middle of August – September 7). The team created the equifaxsecurity2017.com website, which was separate from Equifax's main website equifax.com.

285 Letter from Phyllis Sumner, King and Spalding LLP, to State Attorneys General Distribution List (Sept. 7, 2017) (on file with Committee, EFXCONG-SSTOGR000001107 – EFXCONG-SSTOGR000001108).
286 Id.
287 Id.
288 Paul R. La Monica, Equifax Shares Plunge Again – 35% in Past Week, CNN BUSINESS (Sept. 14, 2017), https://money.cnn.com/2017/09/14/investing/equifax-stock/index.html.
289 Dustin Volz & Susan Heavey, FTC Probes Equifax, Top Democrat Likens it to Enron, REUTERS (Sept. 14, 2017), https://www.reuters.com/article/us-equifax-cyber-ftc/ftc-probes-equifax-top-democrat-likens-it-to-enron-idUSKCN1BP1VX; Ben Lane, CFPB, House Financial Services Committee Begin Investigating Equifax Data Breach, HOUSING WIRE (Sept. 8, 2017), https://www.housingwire.com/articles/41262-cfpb-house-financial-services-committee-begin-investigating-equifax-data-breach.
290 Press Release, US-CERT, Potential Phishing Scams Related to Equifax Data Breach (Sept. 14, 2017), https://www.us-cert.gov/ncas/current-activity/2017/09/14/Potential-Phishing-Scams-Related-Equifax-Data-Breach.
Security experts thought directing consumers from equifax.com to equifaxsecurity2017.com for data breach information was not secure because the link looked suspicious and confusing.294 The long website link was even confusing to Equifax employees. For example, Equifax's Twitter account directed customers to a phishing website for nearly two weeks because an employee accidentally reversed the order of the words (see Figure 7).295

291 Letter from Rep. Trey Gowdy, Chairman, H. Comm. on Oversight & Gov't Reform, Rep. Lamar Smith, Chairman H. Comm. on Science, Space & Tech, to Richard Smith, Chairman & Chief Exec. Officer, Equifax (Sept. 14, 2017).
292 Dustin Volz & David Shepardson, Criticism of Equifax Data Breach Response Mounts, Shares Tumble, REUTERS (Sept. 8, 2017), https://www.reuters.com/article/us-equifax-cyber/equifax-shares-slump-after-massive-data-breach-idUSKCN1BJ1NF.
293 Michelle Singletary, Equifax Says It's Overwhelmed. Its Customers Say They Are Getting the Runaround, WASHINGTON POST (Sept. 19, 2017), https://www.washingtonpost.com/news/get-there/wp/2017/09/19/equifax-says-its-overwhelmed-its-customers-say-they-are-getting-the-runaround/?utm_term=.0ca3bee79bcb.
294 Lily Hay Newman, All the Ways Equifax Epically Bungled Its Breach Response, WIRED (Sept. 24, 2017), https://www.wired.com/story/equifax-breach-response/.
295 Dell Cameron, Equifax Has Been Sending Consumers to a Fake Phishing Site for Almost Two Weeks, GIZMODO (Sept. 20, 2017), https://gizmodo.com/equifax-has-been-sending-consumers-to-a-fake-phishing-s-1818588764.
Figure 7: Equifax Twitter Thread

The phishing website was created by a security researcher.296 People who clicked on the fake link and attempted to submit their personal information were greeted by the following pop-up (see Figure 8):

Figure 8: Pop-up Window on securityequifax2017.com Phishing Website

The real website, equifaxsecurity2017.com, provided consumers with incomplete or incorrect information. For example, some individuals who attempted to sign up for credit monitoring services were not enrolled or received error messages.297 In other instances, people received conflicting answers about whether they were affected by the data breach when they visited the website from their computer versus their mobile phone.298 The website challenges were significant and had a serious effect on consumer confidence. Webb testified:

[I] think there was a significant demand on the systems. And it's one of those things, we tried to get ready very quickly, because once we understood . . . we needed to do something, there was very little time to prepare for a web-scale solution.299

Payne said he thought "the team did a pretty good job" standing up "a consumer website that [could] handle that sort of traffic in such a short time."300 He said a "bottleneck" in the system led to delays.301 A major cloud service provider with the ability to accept a large amount of input hosted the website, but Equifax was limited in processing this input due to constraints with the Equifax system. Many consumers attempted to sign up for Equifax services, but their registrations were delayed because the internal Equifax system could not process a large amount of requests at one time. Payne used an analogy to explain the situation, comparing the large number of registration requests to a bathtub full of water, and Equifax's internal capabilities to emptying the tub in drips.

296 Id.
He testified:

[So] we filled up the bathtub, but we could only bring the actual transactions into our systems, because our systems only had a finite capacity. So the bathtub filled up, and we turned the tap on, and it dripped out. All right. And the bathtub kept filling up, and the drip kept coming out, and . . . it was filling up way faster than we could open the faucets and let the drips come out. And so each day we were trying to tune those taps to see how much more we can let through . . . and that's why there was a huge backlog of people that had registered but didn't have any notification.302

Payne stated a coding issue initially affected the website's capability to accurately identify whether a consumer was a victim of the breach. He said the pressure was intense and "people were working day in and day out," which likely led to the coding mistake.303 He said the coding mistake was addressed quickly, but stated "the [public relations] damage was done by that stage."304

b. Call Center Frustrations

Delays and frustrations existed with the call center Equifax established to respond to consumer questions and provide assistance. Some individuals who called the dedicated call center phone number listed on equifaxsecurity2017.com were unable to find out whether their personal information was compromised in the breach.305

297 See Yuki Noguchi, After Equifax Hack, Consumers Are On Their Own. Here Are Six Tips to Protect Your Data, NPR (Sept. 14, 2017), https://www.npr.org/2017/09/14/550949718/after-equifax-data-breach-consumers-are-largely-on-their-own.
298 See Brian Krebs, Equifax Breach Response Turns Dumpster Fire, KREBS ON SECURITY (Sept. 8, 2017), https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire/.
299 Webb Transcribed Interview at 76.
300 Payne Transcribed Interview at 144.
301 Id.
302 Id.
303 Id. at 145.
304 Id.
Others failed to reach an actual person to talk to because the volume of calls overwhelmed the number of customer service representatives staffing the phone lines. Prior to the breach, Equifax employed approximately 500 customer service representatives.306 Equifax hired and trained "thousands more" customer service representatives to staff its call centers.307 Despite this, call centers were understaffed and the representatives were untrained.308 Payne testified about Equifax failing to successfully roll out the call centers. He stated:

My personal view is that we left [it] too late to start ramping [up] some of those call centers. And . . . in Equifax's defense, though, it's something they'd never been through before on that sort of scale, so . . . even just identifying a third party that could ramp that many resources that quickly and get them trained up . . . we were working round the clock . . . there was a huge amount of effort going to make sure that we tried to . . . reduce the impact, but . . . our processes just weren't geared up to that level . . . to quickly expand and get all the systems we had up and to do it in a secure way.309

Though Equifax spent significant effort and resources on the website and call centers to handle post-breach announcement traffic, the company failed to adequately prepare to respond to a data breach of this scale.

4. Three Senior Equifax Officials "Retire"

On September 15, 2017, Equifax announced the retirement of its Chief Information Officer and Chief Security Officer.310 David Webb, the former CIO, was with Equifax for seven years. He testified his retirement was planned, but conceded this was not completely true when he added "it was accelerated."311 Webb said he was paid through the end of the year and did not receive a retirement "package" beyond a pension to which he had contributed during his time at Equifax.312 Webb did not "have the full answer" on why his retirement was accelerated. He stated "I felt I still had a lot to offer the company to help with remediation, but I think this [was] a decision that was made at the board level."313

Susan Mauldin, the former CSO, was with Equifax for four years and testified her departure was connected to the data breach.314 She stated she "had requested retirement prior to the data breach and so the company did extend retirement terms."315 Webb testified, "[Mauldin] retired on the same day that I did. But the decision to have Susan [Mauldin] exit the organization was made earlier than that."316 On September 26, 2017, Equifax announced the retirement of CEO Richard Smith.317

C. October 2017 – Forensic Investigation Completed and Senior Equifax Employee Fired

Mandiant identified 2.5 million additional affected consumers after the September 7 announcement. On the same day Mandiant's investigation concluded, Equifax terminated Graeme Payne for failing to forward the March 9 GTVM Apache Struts patching alert.

1. October 2, 2017 – 2.5 Million More Victims Announced

On October 2, 2017, Mandiant completed the forensic portion of its investigation.318 During its investigation, Mandiant had found a number of failed database queries hidden in web shells created by the attackers.319 Further analysis showed these queries were successful.320 Mandiant identified an additional 2.5 million individuals whose personal information was compromised in the breach. This brought the total number of U.S. consumers victimized by the Equifax data breach to over 145 million. In describing Mandiant's findings, Equifax stated:

305 Brian Fung, I Called Equifax with a Simple Question. This Is What Happened, WASHINGTON POST (Sept. 13, 2017), https://www.chicagotribune.com/business/ct-equifax-data-breach-customers-service-20170913-story.html.
306 See Oversight of the Equifax Data Breach: Answers for Consumers: Hearing Before the Subcomm. on Digital Commerce & Consumer Prot. of the H. Comm. on Energy & Commerce, 115th Cong. (2017) (prepared written statement of Richard Smith, Former Chief Exec. Officer, Equifax). Smith testified there were "frustrating shortcomings" during the call center rollout, including having to close some of the Equifax call centers for Hurricane Irma in Florida.
307 Id.
308 Id. See also Ron Lieber, Finally, Some Answers From Equifax to Your Data Breach Questions, N.Y. TIMES (Sept. 14, 2017), https://www.nytimes.com/2017/09/14/your-money/equifax-answers-data-breach.html.
309 Payne Transcribed Interview at 142-43.
310 Press Release, Equifax, Equifax Releases Details on Cybersecurity Incident, Announces Personnel Changes (Sept. 15, 2017), https://investor.equifax.com/news-and-events/news/2017/09-15-2017-224018832.
311 Webb Transcribed Interview at 7-8.
312 Id. at 8.
313 Id. at 82.
314 Mauldin Transcribed Interview at 8-9.
315 Id. at 9.
316 Webb Transcribed Interview at 108-9, 113. Webb explained the decision to look for a new CSO was made approximately two weeks prior to Mauldin's announced retirement.
317 Press Release, Equifax, Equifax Chairman, CEO Richard Smith Retires; Board of Directors Appoints Current Board Member Mark Feidler Chairman; Paulino do Rego Barros, Jr. Appointed Interim CEO; Company to Initiate CEO Search (Sept. 26, 2017), https://investor.equifax.com/news-and-events/news/2017/09-26-2017-140531280.
318 Press Release, Equifax, Equifax Announces Cybersecurity Firm Has Concluded Forensic Investigation of Cybersecurity Incident (Oct. 2, 2017), https://investor.equifax.com/news-and-events/news/2017/10-02-2017-213238821.
319 Briefing by Mandiant, to H. Comm. on Oversight & Gov't Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018).
320 Id.
The completed review determined that approximately 2.5 million additional U.S. consumers were potentially impacted, for a total of 145.5 million. Mandiant did not identify any evidence of additional or new attacker activity or any access to new databases or tables. Instead, this additional population of consumers was confirmed during Mandiant's completion of the remaining investigative tasks and quality assurance procedures built into the investigative process.321

2. Senior Equifax Employee Terminated for "Failing to Forward an Email"

On October 2, 2017, Equifax terminated Graeme Payne, the Senior Vice President and CIO for Global Corporate Platforms tasked with managing the ACIS environment.322 Payne was a highly-rated Equifax employee for seven years prior to the data breach.323 Payne told the Committee he was called into a meeting with two human resources employees who advised him he was being terminated as a result of the incident investigation.324 When he pressed for more information about the investigation, human resources declined to provide any documentation for the investigation, but told Payne he failed to forward an email.325

On October 3, the day after Payne was terminated, former Equifax CEO Richard Smith testified before Congress and repeatedly mentioned an individual who had failed to act on a security warning (see Figure 9).326 In his testimony before the House Energy and Commerce Committee, Smith made the following statements:

• "The human error was the individual who is responsible for communicating in the organization to apply the patch did not."327
• "Congressman, we get notifications routinely, the IT team and Security team do, to apply [patches]. This individual as I mentioned earlier did not communicate to the right level to apply the patch."328
• "I described it as a human error where an individual did not ensure communication got to the right person to manually patch the application. That was subsequently followed by a technological error where a piece of equipment we use which scans the environment looking for that vulnerability did not find it."329

Figure 9: Former CEO Richard Smith Testifies before Congress (Oct. 3, 2017)

Payne told the Committee he watched Smith's congressional testimony and "was not very happy."330 Payne elaborated and said Smith testified the breach was attributed to a human error (failure to forward an email) and system error.331 Payne stated, "I put two and two together, and I thought oh, that must be the email they're referring to."332 Payne said Smith's testimony was "a gross simplification . . . of what actually had occurred and . . . the complexity of this. . . . [A]nd here we are in front of Congress testifying that, oh, no, it was just a simple act of one person who forgot to forward an email, which is just way, way simple – just a gross simplification."333

Payne testified regarding the alleged failure to forward the March 9, 2017 GTVM patching alert email on the Apache Struts vulnerability.334 He stated:

321 Id.
322 Payne Transcribed Interview at 10.
323 Id. at 147.
324 Id.
325 Id. at 148.
326 Tara Siegel Bernard & Stacy Cowley, Equifax Breach Caused by Lone Employee's Error, Former C.E.O. Says, N.Y. TIMES (Oct. 3, 2017), https://www.nytimes.com/2017/10/03/business/equifax-congress-data-breach.html.
327 Oversight of the Equifax Data Breach: Answers for Consumers: Hearing Before the Subcomm. on Digital Commerce & Consumer Prot. of the H. Comm. on Energy & Commerce, 115th Cong. (2017) (testimony of Richard Smith, Former Chief Exec. Officer, Equifax).
328 Id.
329 Id.
330 Payne Transcribed Interview at 149.
331 Id.
332 Id.
333 Id.
334 See Email from GTVM, Equifax, to GTVM Alerts, Equifax (Mar. 9, 2017, 9:31:48 AM) (on file with Committee, EFXCONG-SSTOGR000000059 – EFXCONG-SSTOGR000000060).
52 To assert that a senior vice president in the organization should be forwarding vulnerabil ity alert information to people . . . sort of three or four layers down in the organization on every alert just doesn’t hold water, doesn’t make any sense. If that’s the process that the company has to rely on, then that’s a problem. 335 Payne was just one of 430 employees to whom t he GTVM email alert on the Apache Struts vu lnerability was sent .336 Payne said he was copied on this email for informational purposes , but no specific action was required of him. He stated: A. So on the GTVM [email alert] , I think all the CIOs we re copied on that information. But, as I indicated, it was probably more for information than anything. Q. It wasn’ t necessary for action on your part? A. No, because I did n’t have a responsibility under the [Patch Management] policy to – I wasn’ t a system owner or an application owner. 337 Payne was never directed by anyone to forward such emails .338 A senior Equifax official was terminated for failing to forward an email – an action he was not directed to do – the day before former CEO Richard Smith testified in front of Congress. This type of public relations -motivated maneuver seems gratuitous against the back drop of all the facts. D. Early 2018 – Victim Total Rises to 148 Million Even after the initial forensic investigation concluded, Equifax identified more affected indi viduals. On March 1, 2018, Equifax updated its September 7 and October 2 public announcement s and confirmed the identities of an additional 2.4 million U.S. consumers “whose names and partial driver’s license information were stolen, but who were not in the previously identified affected population.” 339 This announcement brought the total number of individuals harm ed by the data breach to 148 million. 335 Payne Transcribed Interview at 115. 336 Payne Transcribed Interview at 128; Mauldin Transcribed Interview at 37; Letter from Theodore M. 
Hester, Equifax Counsel King & Spaulding to Rep. Trey Gowdy, Chairman, H. Comm. on Oversight & Gov’t Reform, Rep. Lamar Smith, Chairman, H. Comm. on Science, Space & Tech. (Mar. 30, 2018) at Appendix B at 9 (on file with Committee) (listing GTVM recipients). 337 Payne Transcribed Interview at 25 -26 . 338 Id. at 154 -55. 339 Press Release, Equifax, Equifax Releases Updated Information on 2017 Cybersecurity Incident , (Mar. 1, 2018) , https://www.equifaxsecurity2017.com/2018/03/01/equifax -releases -updated -information -2017 -cybersecurity - incident/ . 53 On May 4, 2018, Equifax provided a statement for the record to the Committee describing the location of data stolen by the attackers, explaining these records were from “a number of database tables with different schemas, and the data elements stolen were not consistently labeled.” 340 Additional forensic analysis allowed the company to confirm approximate numbers of affect ed consumers for 12 standard data elements. 341 These data elements include name, date of birth, Social Security number, address information, gender, phone number, driver’s license number, email address, payment card number and expiration date, TaxID, and driver’s license state. Equifax provided the following chart summarizing the categories of data compromised in the 2017 data breach (see Figure 10 ): Figure 10: Data Compromised in 2017 Data Breach 340 Letter from Theodore M. Hester, Equifax Counsel King & Spaulding to Rep. Trey Gowdy, Chairman, H. Comm. on Oversight & Gov’t Reform, Rep. Lamar Smith, Chairman, H. Comm. on Science, Space & Tech. (May 4, 2018) at Appendix A (on file with Committee). 341 Id. 54 In addition to data outlined in F igure 10 , Equifax confirmed attackers accessed images uploaded to Equifax’s online dispute portal by approx imately 182,000 U.S. consumers. 342 E. 
Mandiant’s Forensic Analysis Was Challenging The forensic analysis conducted in the aftermath of the Equifax data breach was challenging due to the com plexity of the Equifax IT environment. Susan Mauldin stated it took Mandiant several weeks (from early August up to September 6) “to be able to arrive at a number [of impacted consumers] that they felt firm about.” 343 Mauldin explain ed why this analysis took so long, testifying : My understanding of it was that it was very complex. The data was in many different tables and databases, and linkages had to be understood. And then you had to make sure tha t you weren’t double -counting. If a record is here and i t’s here, let’ s not count that person twice. So to make allo wances for that and . . . it’s just my recollection that it was very complex to sort through everything and make sure that they had a correct number with all factors considered that could have cha nged that number. 344 Mandiant explained the challenges of forensic analys is in the Equifax environment. Mandiant told the Committee it had to work with the data base owne rs to understand the meaning of data not clearly identifiable .345 A list of Equifax da tabase owners did not exist. Therefore, Mandiant had to identify and verify database ownership before it was able to begin its analysis . Payne testified as to why the forensic analysis was so challenging. He said the complexity of the Equifax IT environment , which negatively affected security capabili ties , also hindered forensics. Payne stated : I’d worked in financial services and other environments – and the Equifax technology i nfrastructure is very complex. It’s very complex. It has got a huge amount of – lots of different systems, lots of complexity, lots of matrix management, and it’ s just difficult . . . and it’s got a huge [amount] . . . of history of how some o f those systems came together. So it’s just – it’s complicated. 346 342 Letter from Theodore M. 
Hester, Equifax Counsel King & Spaulding to Rep. Trey Gowdy, Chairman, H. Comm. on Oversight & Gov’t Reform, Rep. Lamar Smith, Chairman, H. Comm. on Science, Space & Tech (May 4, 2018) at Appendix A (on file with Committee). 343 Mauldin Transcribed Interview at 137. 344 Id. 345 Briefing by Mandiant, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018). 346 Payne Transcribed Interview at 152. 55 V. Specific Poin ts of Failure: Equifax ’s Information Technology and Security Management In many ways, Equifax operates like other global financial companie s: the stock is publicly traded; employees reside in countries around the world; and major corpo rate and government contracts rather than sales to individual consumers create th e company’s earnings. However, Equifax deviates operationally from similar corporations in several ways . Each of these deviations can be traced to specific points of failure resulting in the 2017 data breach. A. Equifax IT Management Structure Lack ed Accountability and Coordination 1. IT Organizational Structure at the Time of the Breach Prior to 2005, Equifax’s CSO reported to the n-CIO Robert Webb (no relation to David Webb) .347 This reporting structure resulted in Robert Webb having responsibility over the IT security function led by the CSO .348 An internal restructuring altered this reporting relationship during Robert Webb’s tenure. Following this change, the CSO reported to the Chief Legal Officer instead of the CIO. Richard Smith was hired as the com pany’s CEO in 2005. 349 Tony Spinelli was also hired in 2005 to fill the role of CSO , at the dir ection of Smith .350 Equifax executives knew growing security risks and compliance require ments necessitated an overhaul of the company’s security stance. 351 Spinelli was tasked with establishing the first company -wide IT security standards. 
352 Spinelli presented the Equifax Board of D irectors with a three -year, $15 million plan to reorganize IT security across the enterprise. 353 The working relationship between CIO Robert Webb and his subordinate CSO Tony Spinelli devolved due to “fundamental disagreements ,” so the significant decision was made to move the security function out of IT and into the legal office. 354 Payne testified Tony Spinelli 347 Robert Webb served in a variety of roles from 2004 to 2009 , including Chief Technology Officer, Corporate Vice President, and Chief Inform ation Officer . Executive Profile: Robert J. Webb , BLOOMBERG , https://www.bloomberg.com/research/stocks/private/person.asp?personId=12619528&privcapId=9377928& previou sCapId=60273327&previousTitle=Andreessen%20Horowitz%20LLC (last visited Oct. 2, 2018). 348 Webb Transcribed Interview at 80. 349 Executive Profile: Richard F. Smith , BLOOMBERG , https://www.bloomberg.com/research/stocks/private/person.asp?personId=252282 29&privcapId=5629798 (last visited Oct. 4, 2018). 350 Webb T ranscribed Interview at 81. Tony Spinelli served as Chief Security Officer and Senior Vice President from 2005 to 2013. Tony Spinelli , CRUNCHBASE , https://www.crunchbase.com/person/tony -spinelli#sec tion -locked - marketplace (last visited Oct. 3, 2018). 351 Cara Garretson, Equifax Ratchets Up Security , NETWORK WORLD (Apr. 30, 2007), https://www.networkworld.com/article/2298600/access -control/equifax -ratchets -up-security.html . 352 Id. 353 Id. 354 Webb T ranscrib ed Interview at 80 -81 . 56 “instigated moving security from outside of IT to report to legal.” 355 Thus, the Security organization was removed from the control of the CIO and placed under the purview of the Chief Legal Officer. 
The Chief Legal Officer was then referred to as the "head of security."[356]

In 2010, Equifax hired David Webb as CIO following Robert Webb's retirement.[357] Then in 2013, Susan Mauldin took over the CSO position after Tony Spinelli left Equifax.[358] The company did not revert the IT organizational structure back to its original form despite multiple discussions between David Webb and Equifax leadership to do so (see Figure 11).[359]

Figure 11: Equifax IT Organizational Structure (2013 - Sept. 2017)
[Org chart: Richard Smith, Chief Executive Officer; David Webb, Chief Information Officer; Graeme Payne, SVP & CIO for Global Corporate Platforms; John Kelley, Chief Legal Officer; Susan Mauldin, Chief Security Officer]

Webb had multiple conversations about the structure with CEO Richard Smith and Chief Legal Officer John Kelley, and one with Susan Mauldin.[360] Webb testified:

Q. Did you ever bring that up when you were at Equifax that the CSO should report to you as CIO?
A. I did.
Q. Can you give us details? When did you first bring that up? Who did you bring it up to? What were the discussions like?
A. A couple of occasions when this issue came up. Right after I had started in my role with the company, I asked the question on why it was the way it was, and . . . I really sought to understand the structure. And given I was new in the role and had plenty on my plate, I just felt that was acceptable. The ultimate, the final discussion, actually, was probably 2 weeks before I retired when we actually did it, finally agreed that we would move the Security function under IT. And that was a conversation that I had with [CEO Richard] Smith and with the person who – yeah, so it was [Smith] and one other person from the leadership team. And we made a decision that we would actually look for a new CSO at that time.
Q. And in the previous conversations you had, was that also with the CEO?
A. As well as with the head of security – person responsible for security [John Kelley].[361]

[355] Payne Transcribed Interview at 68.
[356] Webb Transcribed Interview at 108-09.
[357] Id. at 7, 81.
[358] Mauldin Transcribed Interview at 9; Webb Transcribed Interview at 81.
[359] Webb Transcribed Interview at 108-09.
[360] Id.

Webb asked Mauldin whether she would support moving the CSO back under the CIO.[362] Webb testified:

A. I actually did have a conversation one time with Susan Mauldin about whether she thought it was a better option.
Q. And what was her response?
A. I think she was comfortable with where it was.[363]

Mauldin testified about her knowledge of the origin of the particular organizational structure. She stated:

[T]hat structure was in place . . . at the time I arrived at Equifax. It was the structure that was there with the person that was my predecessor. And I knew that it was that structure going in. I didn't question it. I was okay with it. And so it was just what was there, and so it continued with what it had been.[364]

When asked if Equifax's organizational structure from 2013 to 2017 was typical for a large and complex organization, Webb simply said "No."[365] Webb affirmed "[i]t's more typical for the CSO to report to the CIO."[366]

[361] Webb Transcribed Interview at 108-09.
[362] Mauldin Transcribed Interview at 11-12.
[363] Webb Transcribed Interview at 108-09.
[364] Mauldin Transcribed Interview at 68.
[365] Webb Transcribed Interview at 80.
[366] Id.

The final conversation about the organizational structure between Webb, Smith, and Kelley occurred just two weeks before Webb took an early retirement from the company in mid-September 2017.[367] During this meeting, the decision was made to move the Security organization back under the CIO.[368] On September 15, 2017, Equifax announced Webb and Mauldin's retirement and named interim Equifax officials to temporarily fill both positions.[369] Equifax stated its interim CSO Russ Ayres would report to the interim CIO Mark Rohrwasser. This reporting structure continued until February 2018, when Equifax announced Jamil Farshchi as its new Chief Information Security Officer.[370] Farshchi reports directly to current Equifax CEO Mark Begor.

2. Operational Effect of the Organizational Structure

The functional result of the CIO/CSO structure meant IT operational and security responsibilities were split, creating an accountability gap. At the time of the breach, Equifax's organizational structure did not facilitate a strong CIO and CSO partnership. Testimony demonstrated the disconnect between IT operations and security. Webb distanced himself and his organization from Security during his interview with the Committee, and often referred the Committee to Mauldin for answers.[371] For example, he testified to how the topic was approached at senior leadership team meetings, stating:

[L]et me try and separate information technology from the security component, because I can speak better to the IT function. We had quarterly business reviews with the entire senior leadership team where we would talk about the key activities that we were undertaking on behalf of the business units. We would talk about the key initiatives that were in flight. We would talk about potential projects that were going well and potential projects that were not going so well. We would try to keep them informed. And then we would also talk about . . . what was on the horizon from a technical perspective. So we'd try to provide . . . general education about information technology and what we were working on. The security piece of it was typically covered within the legal review. And so if you wanted to understand what was being discussed there, I think you would need to talk to Susan and to the legal counsel about the content of the material that was being presented. That would be my recommendation.[372]

[367] Webb Transcribed Interview at 108-09.
[368] Id.
[369] Press Release, Equifax, Equifax Releases Details on Cybersecurity Incident, Announces Personnel Changes (Sept. 15, 2017), https://investor.equifax.com/news-and-events/news/2017/09-15-2017-224018832.
[370] Press Release, Equifax, Equifax Appoints New Chief Information Security Officer (Feb. 12, 2018), https://investor.equifax.com/news-and-events/news/2018/02-12-2018-211659769.
[371] Webb Transcribed Interview at 12.
[372] Id. at 13.

Mauldin similarly testified about this division of responsibilities. For example, she stated:

Q. So the scope of your responsibility was . . . company-wide?
A. Yes, it was.
Q. Including the systems in Alpharetta, Georgia, the folks that were responsible for security would have reported to you. Is that correct?
A. Well, to just be clear, when you say that, what I think of – and let me see if this is answering your question. So the Security team had global responsibility and would establish the policies and the standards, or the rules, which the IT team would operate under. And so when you say the systems in Atlanta, that makes me think of the IT team, who is responsible for following the rules that the Security team has set forth. So we had a working relationship where security would establish the rules and work with the IT team to implement those rules. Does that answer the question?
Q. Sort of. Who would enforce those rules then? Who would make sure that the compliance requirements were met?
A. That was a . . . combination of responsibilities, certainly with IT, to make sure that their staff was held accountable to the rules and the policies that were set forth. IT also – or I'm sorry, Security also had proactive processes that we used to continually scan for and look for risk for any areas where perhaps there might be a gap or something had not been followed correctly.[373]

Witnesses agreed good communication between and within the IT and Security organizations was essential, though all witnesses the Committee interviewed noted frustrations with the process. Webb said, "clearly, in order for that [line of reporting] to function as a structure, it requires a high degree of coordination and communication."[374] Webb testified about the reporting structure's effect on cybersecurity incidents at the company, stating:

[W]hen you have multiple lines of communication across organizations, things happen slowly. So speed to execution is slower, but that doesn't mean the outcomes are different. It just takes longer to get to decisions.[375]

[373] Mauldin Transcribed Interview at 15-16.
[374] Webb Transcribed Interview at 10.
[375] Id. at 109-110.

In April 2016, frustrations with the company's IT governance were high when an internal reorganization within IT occurred, and the IT risk and compliance group was moved under the direction of Payne.[376] As a result, Payne received responsibility for access management, IT-audit coordination, and IT-Security coordination.[377] Payne said when he took over the IT risk and compliance group in 2016 he met with Chief Legal Officer John Kelley, who was the head of security and Mauldin's supervisor, to discuss how IT could better support the Security team.[378] As a direct result of the meeting, monthly IT and Security meetings were initiated in April 2016.[379] Kelley, Mauldin, Webb, and Payne participated in these meetings in an effort to better coordinate functions between the IT and Security teams.[380]

Payne said the purpose of these monthly meetings was to ensure senior leaders had visibility on "all the things that Security was asking IT to do, and IT was being responsive to the things that Security was asking us to do."[381] Payne said he initiated these meetings "because there appeared to be some frustration there on J's [Kelley] part as to the progress that was being made on certain things . . . . that IT wasn't doing for Security" fast enough.[382] He testified:

[Kelley] did have a list. He never shared that list with me. But anyway, we developed – we started meeting and we had somewhere between, I would say, 10 and 20 different initiatives we identified that we wanted to track through that process, and we started tracking those.[383]

There were a variety of initiatives tracked at these monthly meetings, including patch management and digital certificate deployment.[384] Both of these initiatives turned out to be key systematic challenges leading to the 2017 data breach.

3. Equifax's Organizational Structure Allowed Ineffective IT Coordination

Depending on the organizational reporting structure a company adopts, the CSO and CIO roles can be conflicting or complementary. At Equifax, the IT and Security organizations were siloed, meaning information rarely flowed from one group to the other. Collaboration between IT and Security mostly occurred when required, such as when Security needed IT to authorize a change on the network. Communication and coordination between these groups was often inconsistent and ineffective at Equifax.

One example of the lack of IT-Security coordination was that multiple and incomplete software inventory lists were kept separately by each group. Both IT and Security rely on accurate inventory lists to operate, patch, and monitor the company's IT systems. In a more collaborative environment, these lists would be merged into a single master document with both teams working together to complete the inventory.[385]

[376] Payne Transcribed Interview at 43-44.
[377] Id.
[378] Id. at 34.
[379] Id.
[380] Id.
[381] Id.
[382] Id. at 35.
[383] Id.
[384] Id. at 36.

Equifax did not have an optimal IT management environment. Equifax's CEO did not prioritize cybersecurity. Webb testified Smith held quarterly senior leadership team meetings where IT security was just one of the many topics discussed.[386] Smith confirmed these meetings only occurred quarterly.[387] Mauldin did not regularly attend these meetings because the CSO was not considered part of the senior leadership team during her tenure.[388] As a result of this meeting cadence, Smith was not receiving timely information on Equifax's security posture. The information he did receive was presented by Kelley – the head of the legal department who did not have any background in IT or security – rather than Mauldin, the company's IT security expert.[389]

Equifax's organizational structure prior to the breach, with the CSO reporting to legal, was outside the norm.[390] A 2017 report by the Ponemon Institute found 50 percent of CSO survey respondents report to the CIO.[391] In contrast, Ponemon found only 8 percent of CSOs report to the general counsel and 4 percent report to the CEO.[392] A PricewaterhouseCoopers study published in 2018 concluded it is more common for the CSO to report directly to the CEO or board of directors, rather than to the CIO.[393] The study found 24 percent of CSO survey respondents report to the CIO, while 40 percent report directly to the CEO.[394]

A number of IT management changes have occurred since the company announced Webb and Mauldin's retirements in September 2017. First, Equifax renamed the CSO as the Chief Information Security Officer (CISO). On February 2, 2018, Equifax appointed Jamil Farshchi as its CISO.[395] Equifax announced a revised reporting structure elevating the CISO to directly report to the CEO.[396] Next, Equifax changed the CIO title to Chief Technology Officer (CTO). On June 15, 2018, Equifax appointed Bryson Koehler as its CTO.[397] The CTO continues to directly report to the CEO. Equifax's recent IT management actions show the company now recognizes cybersecurity is a core business function.

[385] See Norm Brien, IT Asset Management: How to be Efficient, CIO (Aug. 10, 2016), https://www.cio.com/article/3095256/it-management/it-asset-management-how-to-be-efficient.html.
[386] Webb Transcribed Interview at 12.
[387] Oversight of the Equifax Data Breach: Answers for Consumers: Hearing Before the Subcomm. on Digital Commerce & Consumer Prot. of the H. Comm. on Energy & Commerce, 115th Cong. (2017) (testimony of Richard Smith, Former Chief Exec. Officer, Equifax).
[388] Webb Transcribed Interview at 11; Mauldin Transcribed Interview at 124 (stating "senior leadership team" referred to Smith and Smith's direct reports).
[389] Mauldin Transcribed Interview at 18.
[390] See ISACA, CISO BOARD BRIEFING 2017 1, 3 (2017), https://cybersecurity.isaca.org/csx-resources/ciso-board-briefing-2017.
[391] PONEMON INSTITUTE, THE EVOLVING ROLE OF CISOS AND THEIR IMPORTANCE TO THE BUSINESS 1, 38 (2017), https://interact.f5.com/rs/653-SMC-783/images/RPRT-SEC-1167223548-global-ciso-benchmarkUPDATED.pdf.
[392] Id. at 38, 61.
[393] PWC, STRENGTHENING DIGITAL SOCIETY AGAINST CYBER SHOCKS: KEY FINDINGS FROM THE GLOBAL STATE OF INFORMATION SECURITY SURVEY 2018 1, 9-10 (2018), https://www.pwc.com/us/en/cybersecurity/assets/pwc-strengthening-digital-society-against-cyber-shocks.pdf.
[394] Id. at 10.
[395] Press Release, Equifax, Equifax Appoints New Chief Information Security Officer (Feb. 12, 2018), https://investor.equifax.com/news-and-events/news/2018/02-12-2018-211659769.
[396] Id.
Making the CISO and the CTO peers on Equifax’s senior management team should result in a more productive and collaborative approach to security. B. Equifax Had Serious Gaps between IT Policy Development and Execution At the time of the breach, Equifax’s internal IT management process failed to establish clea r lines of accountability for developing IT security policies and executing these policies . There wa s a division of responsibilities between the IT and Security departments to address IT policy development and operational implementation .398 Webb testified : Q. Did you make any IT security operational decisions? A. Typically, the way the work was separated between the organizations, the S ecurity organization would define the ‘what. ’ They had a security engineering function. The IT guys were responsible for de ploying the technology that [Security] wanted into the infrastructure, and then [Security] would be provided the ability to configure the software, all the solution, the appliance, whatever it might be, in accordance with their desires. Q. So who ultim ately made security decisions? When you, for example, you were trying to decide how to patch a software vulnerability, when, where, how to make that happen? A. So, again, the ‘what ’ and the ‘how ’ was segregated . So from a policy perspective, the policy w as typically defined within the S ecurity organization. The IT organization would have the opportunity to review that and to ensure that the policy could be conformed with and it made sense, given the infrastructure and the environment. And then, again, it varied by . . . security pro duct. But, typically . . . the IT organization would be responsible for ensuring that, in the case, for example, of a patch, that the p atch was applied. Because the Security organization could not effect changes to the infrastru cture directly. They could operate software, but they could not install the software and they could not change the infrastructure. 
397 Alex Hickey, IBM’s Bryson Koehler Becomes Equifax CTO , CIO DIVE (June 15, 2018), https://www.ciodive.com/news/ibms -bryson -koehler -becomes -equifax -cto/525741/ . 398 Webb Transcribed Interview at 14. 63 So there was a joint responsibility. One for policy and then one for implementation. Security was then responsible for ensu ring that the work was completed properly. Q. So you would implement at the direction of the [CSO ]? A. That’ s correct. 399 1. Equifax’s Patch Management Process The disconnect between policy development and execution was especially pronounced with respect to Equifax’s Patch Management Policy. This policy defined roles and responsibilities, and established guidelines for the patching process. 400 The policy designated t wo Equifax em ployees to lead implementation , the policy manager and the senior leadership team owner. Webb stated the responsibility of the policy manager was to “ensure that all of the w ork we needed to do was tracked, ” and the senior leadership team owner’s role “was to ensure that the organization conformed to the polic y.” 401 The 2016 version of the Patch Management Policy was in effect when US -CERT distributed the March 8, 2017 Apache Struts vulnerability alert. 402 Under the 2016 version, David Webb was the senior leadership team owner and Susan Mauldin was the policy man ager. 403 The 2016 Patch Management Policy identified the roles and responsibilities for various individuals in regards to applying a patch in an environment within their portfolio (see Figure 12 ).404 Under the policy, the business owner is informed of the need to patch and is responsible for approving downtime so the patch can be applied. The system owner is responsible for applying the patch and the application owner is then responsible for ensuring the patch is applied properly. 
405 Accor ding to testimony provided to the Committee, while roles and responsibiliti es were defined in the policy , there were no official designees for these roles . 399 Webb Transcribed Interview at 15. 400 EQUIFAX , PATCH MANAGEMENT POLICY 1 (2016) (on file with Committee, EFXCO NG -SSTOGR000039136 – EFXCONG -SSTOGR000039146) [ hereinafter 2016 Patch Management Policy ]. 401 Webb Transcribed Interview at 19 -20. 402 2016 Patch Management Policy at 1. 403 Id. 404 Id. at 6. 405 Id. 64 Figure 12 : Critical Vulnerability Patching Process under 2016 Patch Management Policy 406 a. Patching Process Failed Following March 9, 2017 Apache Struts Alert The S ecurity and IT teams were made aware of the need to patch Apache Struts within the Equifax systems through an email alert distributed by the Global Threat and Vulnerability Management (GTVM) team .407 Each patch is given a criticality classification by vendors (e.g., low, moderate, high, or critical) , so users are aware of how quickly the patch should be applied. 408 According to Susan Mauldin , the S ecurity team could alter the vendor’s classificati on, but normally Equifax adopted the vendor’s classification. 409 The Apache Struts patch was classified as a critical patch. 410 Under Equifax’s policy, the Apache Struts patch should have been applied within 48 hours of the patch’s dissemination on March 9, 2017 .411 Equifax did not patch this particular vulnerability within 48 hours. T he Apache 406 2016 Patch Management Policy at 2 -9. 407 Email from GTVM, Equifax, to GTV M Alerts, Equifax (Mar. 9, 2017, 9:31:48 AM ) (on file with Committee, EFXCONG -SSTOGR000000059 – EFXCONG -SSTOGR000000060). 408 Mauldin Transcribed Interview at 38 . 409 Id. 410 Email from U.S. Computer Emergency Readiness Team, to GTVM, Equifax (Mar. 8, 2017, 7:31:16 PM) (on file with Committee, EFXCONG -SSTOGR000000060). 411 2016 Patch Management Policy at 5. Security becomes aware of need to patch a known vulnerability.

•Security sends an email to the GTVM listserv, informing personnel responsible for IT assets of the need to patch this vulnerability and the timeframe for patching. Personnel responsible for an IT asset include the Business Owner, System Owner, and Application Owner.

•Critical vulnerabilites must be patched within 48 hours. System and Application Owners are required to keep an up -to-date software inventory, including source and version number, for the IT assets each are responsible for.

•If a patch alert from GTVM affects a software version in use on their assigned IT asset, then the System and Application Owners know to inform the Business Owner of the need to patch. The Scheduler receives patching requests from System and Application Owners. The Scheduler notifies appropriate parties of the confirmed date the patch will be applied.

•The Business Owner approves production downtime to install the patch .

The System Owner ensures the patch is applied within the timeframe designated by GTVM.

• Following the installation of a critical patch, Security is required to rescan the external and internal environments within 48 hours to confirm no unpatched vulnerabilities are still present.

Struts software running on the ACIS system was not patched until discovery of the breach in late July 2017.[412] Equifax officials confirmed the source of the initial intrusion was the exploitation of this Apache Struts vulnerability.[413]

To determine who was responsible for applying the Apache Struts patch to the ACIS system, the Committee asked Payne to identify employees by the roles listed within the Patch Management Policy. Specifically, the Committee asked him to identify the business owner, system owner, and application owner responsible for the ACIS system. Payne testified:

Q. So the application owner for ACIS would have been who or what organization?
A. So I don’t believe there was any explicit designation of application owners. If you ask me who I think the application owner would be, I can probably answer that.
Q. That would be good.
A. So I believe – in my view, the application owner for ACIS – for the online dispute portal component because that was a component – was [Equifax IT Employee 1] and probably also [Equifax IT Employee 2]. So again, I don’t believe there were any specific designations, so these would be – if someone asked me, "Who do you think they would be?" that would probably be the two people I would look at.[414]
* * *
Q. So would they have been the people that should have received the GTVM email saying you need to patch?
A. Yes, as well as the system owner.
Q. Okay. Who’s the system owner?
A. So again, those people weren’t designated. So I can –
Q. Tell me who you think?
A. My guess would be that the system owner would be someone in the infrastructure group probably under [Equifax IT Employee 3], since … as part of the global platform services group, his team ran the sort of the server operations.[415]
* * *
Q. If you look at the definition . . . it says: System owner is responsible for applying patch to electronic assets. So would it be the case that [Equifax IT Employee 3] would have been the one responsible for actually applying the patch to ACIS?
A. Possibly. Again, we are talking at a level that I wasn’t involved in, so I can’t talk specifically about … who actually had physical access to that system to be able to install the patch.[416]

Payne said he did not have a specific role or responsibility to patch the ACIS system as a senior executive, stating he was a “manager of managers who managed teams that would fulfill roles laid out in the policy.”[417]

Each witness was asked if redundancies existed to ensure the correct individuals received the GTVM alert to patch a specific vulnerability. Mauldin and Webb both testified there were no redundancies within the patching process to ensure the proper individuals were notified of the need to patch.[418] Mauldin testified:

Q. In terms of the patching policy, I understand there was this [GTVM] email that went out. Was there any kind of redundancy or follow-up that would have kind of pinged the person responsible to take action that you know of?
A. Not that I recall.
Q. I’m trying to understand if that [GTVM] email was the only alert that the owners of the system would have gotten.
A. So . . . are you asking if the Security team would repeat the alert?
Q. To your knowledge, based on the process, was there any type of repeat about the initial alert that went out? Maybe it was Security; maybe it was IT.
A. Well, I do know that – what I was told by the leader of the [GTVM] team for that March 16th meeting, that the PowerPoint presentation that they used for that meeting had a specific page . . . that highlighted the particular [Apache Struts] vulnerability again, and again stated . . . if you’re using that version of Apache Struts, you must patch. And he also conveyed that they had a discussion about it on that [March 16 GTVM conference] call.[419]

Webb testified:

Q. Were you aware of any other way to get the word out to Equifax, application owners, et cetera, besides this email to 400 individuals?
A. No.[420]

Payne testified the Patch Management Policy required the system owner and application owner to subscribe to vulnerability distribution bulletins from external sources, such as US-CERT or a software vendor.[421] These distribution bulletins would notify the system owner and application owner of available patches.[422] As Payne stated, the lack of an official designation for system owner and application owner meant there was no mechanism for ensuring either person followed this subscription requirement.[423]

The lack of accountability and compliance efforts in the execution of Equifax’s patching process was a significant factor leading to the 2017 data breach. Webb confirmed the Patch Management Policy did not work in this case. He testified:

Q. [I]n your opinion, did Equifax’s Patch Management Policy work in this case?
A. I’d [have] to say no.
Q. Why do you think that is?
A. [W]hen I think about issues in technology, I think about it from a people, process and a technology perspective. I think that the process was in place. I don’t think that the people necessarily conformed to the procedures. And I think there was . . . potentially a failure in technology.[424]

b. Equifax Was Aware of Issues with the Patching Process

Equifax leaders had notice of the many issues related to the patching process prior to the Apache Struts patching failure. In 2015, Equifax conducted an audit of its patch management process. This audit found a number of significant deficiencies within the patching process at Equifax.[425] The audit had eight detailed findings and corresponding recommended management actions for each finding (see Figure 13):

Figure 13: Equifax 2015 Patch Management Audit Findings[426]

Finding 1
  2015 Audit Finding: Vulnerabilities were not remediated in a timely manner.
  Management Recommendation: Implement automated patching tools and retire legacy systems as quickly as possible.
  Complete By: 12/31/2016

Finding 2
  2015 Audit Finding: Equifax lacked adequate asset management procedures. A comprehensive IT asset inventory, accurate network documentation, or a global view of IT infrastructure did not exist.
  Management Recommendation: Improve IT asset management controls to ensure a current and accurate inventory of all IT assets is available.
  Complete By: 6/30/2017

Finding 3
  2015 Audit Finding: Systems were not patched in a timely manner. Most patches were applied reactively, after GTVM sent out an alert to patch, instead of proactively.
  Management Recommendation: Implement and enforce a proactive patching process.
  Complete By: 12/31/2016

Finding 4
  2015 Audit Finding: Vulnerabilities were not adequately tracked, prioritized, and monitored to ensure timely remediation. An “honor system” was used to ensure patches are installed. No controls in place, such as a patching exception tracker, to escalate critical vulnerabilities not remediated in a timely manner.
  Management Recommendation: Create a centralized patch and exception process to assess, prioritize, and monitor all vulnerabilities that do not comply with Equifax policy.
  Complete By: Long-term solution target 2017

Finding 5
  2015 Audit Finding: New systems, and changes to existing systems, were not required to be scanned for security risks prior to deployment.
  Management Recommendation: Modify change management procedures to require vulnerability scanning of assets prior to deployment.
  Complete By: 12/31/2015

Finding 6
  2015 Audit Finding: Server hardening standards had not been developed for Windows systems.
  Management Recommendation: Document and publish Windows server hardening standards.
  Complete By: 3/31/2016

Finding 7
  2015 Audit Finding: Patches were inadequately and inconsistently tested prior to deployment.
  Management Recommendation: Test all patches prior to deployment.
  Complete By: 6/30/2016

Finding 8
  2015 Audit Finding: Patch Management Policy did not consider the criticality of an IT asset when determining the time frame for patch installation.
  Management Recommendation: Review all IT assets and classify risk; enhance the Patch Management Policy to include more stringent patching requirements for high risk systems.
  Complete By: 12/31/2015

Equifax did not remediate many of the issues identified in the 2015 audit prior to the 2017 breach. For example, the company had not implemented automated patching tools to establish redundancies in the patching process, which could have alerted the company to the vulnerable software on the ACIS system.

The 2015 audit identified asset management controls as an area in need of improvement. In order to effectively implement a patching process, an entity must have a comprehensive inventory of IT assets. If an organization does not know what is on its networks, it will not know where patching is needed. As of July 2017, the company did not have a comprehensive and up-to-date inventory of its IT assets or the software operating on its systems.[427] Equifax employees had previously identified Apache Struts on the ACIS application during the remediation of another Apache Struts vulnerability in January 2017. The company failed to document and track this information, and was surprised to discover the presence of Apache Struts within this environment in July 2017.[428]

[412] Payne Transcribed Interview at 12-13.
[413] Briefing by Mandiant, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018).
[414] Payne Transcribed Interview at 22.
[415] Payne Transcribed Interview at 23.
[416] Id.
[417] Id. at 108.
[418] Mauldin Transcribed Interview at 43; see also Webb Transcribed Interview at 26-27.
[419] Mauldin Transcribed Interview at 43.
[420] Webb Transcribed Interview at 26-27.
[421] 2016 Patch Management Policy at 5.
[422] Payne Transcribed Interview at 24.
[423] Id.
[424] Webb Transcribed Interview at 28.
[425] EQUIFAX, PATCH MANAGEMENT AUDIT 3 (2015) (on file with Committee, EFXCONG-SSTOGR000122049 – EFXCONG-SSTOGR000122056) [hereinafter 2015 Patch Management Audit].
[426] 2015 Patch Management Audit at 4-8.
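The audit’s Finding 4 (no exception tracker to escalate unremediated critical vulnerabilities) and Finding 8 (no criticality-based deadlines), together with the undesignated owner roles and the 48-hour rescan requirement described above, all describe one missing control: an automated tracker that knows who owns each asset, when each alert falls due, and whether a patch was ever confirmed. The following is an added illustration of such a tracker, written for this discussion; it is not Equifax’s policy or tooling. The SLA tiers other than the report’s 48-hour window, the record layout, and the asset, owner and date values are constructed assumptions.

```python
"""Patch-SLA and exception tracker, the control the 2015 audit said was
missing (Finding 4) together with criticality-based deadlines (Finding 8).
Added illustration only; the SLA table, record layout and sample data are
assumptions, not Equifax's policy or tooling."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Deadline in hours by (asset criticality, vulnerability severity).  The
# 48-hour figure is the policy window cited in the report; the other tiers
# are constructed for illustration.
SLA_HOURS = {
    ("business-critical", "critical"): 48,
    ("business-critical", "high"): 7 * 24,
    ("standard", "critical"): 7 * 24,
    ("standard", "high"): 30 * 24,
}
RESCAN_WINDOW_HOURS = 48   # policy: rescan within 48 hours of a critical patch


@dataclass
class Asset:
    name: str
    criticality: str
    system_owner: Optional[str]        # None models "no explicit designation"
    application_owner: Optional[str]


@dataclass
class Finding:
    asset: str
    component: str
    severity: str
    alerted_at: datetime               # when the GTVM-style alert went out
    patched_at: Optional[datetime] = None
    rescanned_clean_at: Optional[datetime] = None


def sla_deadline(asset: Asset, finding: Finding) -> datetime:
    hours = SLA_HOURS.get((asset.criticality, finding.severity), 30 * 24)
    return finding.alerted_at + timedelta(hours=hours)


def evaluate(assets: List[Asset], findings: List[Finding], now: datetime) -> List[Dict]:
    """Classify every finding and decide whether it needs escalation.

    Escalation is automatic (not an honor system) when the deadline has passed,
    when a patch has not been confirmed by rescan in time, or when the asset has
    nobody designated to receive the alert in the first place."""
    by_name = {a.name: a for a in assets}
    rows = []
    for f in findings:
        asset = by_name[f.asset]
        owners = [o for o in (asset.system_owner, asset.application_owner) if o]
        if f.patched_at is None:
            status = "OVERDUE" if now > sla_deadline(asset, f) else "OPEN"
        elif f.rescanned_clean_at is None:
            rescan_due = f.patched_at + timedelta(hours=RESCAN_WINDOW_HOURS)
            status = "RESCAN_OVERDUE" if now > rescan_due else "AWAITING_RESCAN"
        else:
            status = "CLOSED"
        escalate = status in ("OVERDUE", "RESCAN_OVERDUE") or (
            not owners and status != "CLOSED")
        rows.append({"asset": f.asset, "component": f.component, "status": status,
                     "owners": owners or ["UNASSIGNED"], "escalate": escalate})
    return rows


def escalations(rows: List[Dict]) -> List[str]:
    """Asset/component pairs that must be pushed up the chain today."""
    return [f"{r['asset']}/{r['component']}" for r in rows if r["escalate"]]


# Constructed sample data (names, dates and components are illustrative).
ASSETS = [
    Asset("dispute-portal-web", "business-critical", None, None),
    Asset("intranet-wiki", "standard", "ops-team", "wiki-team"),
]
FINDINGS = [
    Finding("dispute-portal-web", "struts2-core", "critical", datetime(2017, 3, 10, 9)),
    Finding("intranet-wiki", "struts2-core", "critical", datetime(2017, 3, 10, 9),
            patched_at=datetime(2017, 3, 11, 16), rescanned_clean_at=datetime(2017, 3, 12, 10)),
    Finding("intranet-wiki", "openssl", "high", datetime(2017, 3, 15, 8),
            patched_at=datetime(2017, 3, 16, 8)),
]
NOW = datetime(2017, 3, 20, 12)

if __name__ == "__main__":
    for row in evaluate(ASSETS, FINDINGS, NOW):
        print(row)
    print("escalate:", escalations(evaluate(ASSETS, FINDINGS, NOW)))
```

The point of the design is that an asset with no designated owner is itself an escalation condition: the alert cannot be "sent to the right people" when the roles are empty, so the tracker surfaces that gap instead of silently assuming someone read the e-mail. A patch that was applied but never confirmed by the 48-hour rescan is treated as still open for the same reason.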
2. Equifax’s Certificate Management Process

Another example of the disconnect between policy development and implementation relates to Equifax’s certificate management process. The company was distinctly aware it lacked a process for updating SSL certificates. Security employees discussing the plan for uploading the Apache Struts signature rule into the intrusion prevention system noted a broader problem with updating SSL certificates. Specifically, one employee said Equifax needed to (1) define who owns SSL certificate “care and feeding” and (2) create and validate an SSL certificate update process.[429]

Equifax knew of the potential security risks posed by expired SSL certificates. An internal vulnerability assessment tracker entry dated January 20, 2017 stated “SSLV devices are missing certificates, limiting visibility to web based attacks on [intrusion prevention system].”[430] At the time of the breach, however, Equifax had allowed at least 324 of its SSL certificates to expire.[431] Seventy-nine of the expired certificates were for devices monitoring highly business critical domains.[432]

Had Equifax implemented a certificate management process with defined roles and responsibilities, the SSL certificate on the device monitoring the ACIS platform would have been active when the intrusion began on May 13, 2017. The company would have been able to see the suspicious traffic to and from the ACIS platform much earlier – potentially mitigating or preventing the data breach.

* * *

Equifax knew its patch management and certificate management processes were deficient and action was needed to make the processes effective. The Apache Struts patching failure illustrates the disconnect between policy development and operational execution. The Patch Management Policy included defined roles for personnel responsible for patching activities, but Equifax failed to designate employees to fill these roles.[433] Equifax knew the patching process operated on “the honor system,” yet failed to establish a mechanism to ensure accountability and compliance.[434] If Equifax had implemented and consistently executed an effective patch management policy, the 2017 data breach would have been preventable. Webb agreed with this conclusion. He testified:

Q. So would you agree that if Equifax had effectively patched the system within the 48 hours, this potentially would have been a preventable incident?
A. Yes.[435]

C. Equifax Ran Business Critical Systems on Legacy IT with Documented Security Risks

Equifax faced increased security risks due in part to its complex legacy IT environment. Legacy technology is both a security issue and a hindrance to innovation, and legacy systems are tough to secure because they are often extremely difficult to patch, monitor, or upgrade.[436] Equifax ran a number of its business critical systems on legacy infrastructure, including the ACIS system compromised by attackers during the 2017 data breach.

1. Equifax’s Company Expansion Created Highly Complex IT Infrastructure

Richard Smith embarked on an ambitious growth strategy when he became CEO in 2005.[437] Smith utilized acquisitions as the primary method to expand the company’s market value.

[427] Payne Transcribed Interview at 27-28.
[428] CTC Project Sierra at 8.
[429] Email from Justin Borland, Senior Security Analyst, Equifax, to Francis Finley, Vice President Cyber Intelligence, Equifax (Mar. 13, 2017, 1:33:15 PM) (on file with Committee, EFXCONG-SSTOGR000000547).
[430] Equifax, Weekly Cyber Briefing Week 26 (June 30, 2017) (on file with Committee, EFXCONG-SSTOGR000122516 – EFXCONG-SSTOGR000122549).
[431] Equifax, Master List of Expired Certificates (current on July 29, 2017) (on file with Committee, EFXCONG-SSTOGR000029241).
[432] Id.
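Returning to the certificate management gap in subsection B.2 above: the control Equifax lacked was an inventory of inspection devices that records each certificate’s expiry, the criticality of the domain it watches, and a named owner for its “care and feeding,” so that an expiring certificate on a business-critical monitor is caught before the device goes blind. The following is an added illustration of that audit written for this discussion, not Equifax’s process or any product; the device names, domains, owners, notAfter dates and the snapshot date are constructed sample data, and the 30-day warning threshold is an assumption. It uses the standard-library ssl.cert_time_to_seconds helper, which parses the same notAfter string format that ssl.SSLSocket.getpeercert() returns.

```python
"""Certificate-expiry audit for an inventory of SSL inspection devices.
Added illustration, not Equifax's process; device names, domains, owners,
notAfter dates and the snapshot date below are constructed sample data."""
import ssl
from datetime import datetime, timezone
from typing import Dict, List

EXPIRING_SOON_DAYS = 30   # assumed warning threshold

# Each record: the device carrying the certificate, the domain it monitors,
# the business criticality of that domain, the designated owner (None means
# nobody owns "care and feeding"), and the certificate's notAfter string in
# the format returned by ssl.SSLSocket.getpeercert()["notAfter"].
INVENTORY = [
    {"device": "sslv-dispute-portal", "domain": "dispute.example.test",
     "criticality": "business-critical", "owner": None,
     "not_after": "Jan 31 23:59:59 2016 GMT"},
    {"device": "sslv-hr-portal", "domain": "hr.example.test",
     "criticality": "standard", "owner": "netops",
     "not_after": "Aug 15 12:00:00 2017 GMT"},
    {"device": "sslv-payments", "domain": "pay.example.test",
     "criticality": "business-critical", "owner": "netops",
     "not_after": "Mar 01 00:00:00 2019 GMT"},
    {"device": "sslv-legacy-app", "domain": "legacy.example.test",
     "criticality": "standard", "owner": None,
     "not_after": "Dec 31 23:59:59 2016 GMT"},
]
AS_OF = datetime(2017, 7, 29, tzinfo=timezone.utc)   # constructed snapshot date


def audit_certificates(records: List[Dict], as_of: datetime) -> List[Dict]:
    """Return one row per device with its expiry status and days remaining."""
    now = as_of.timestamp()
    rows = []
    for r in records:
        expires = ssl.cert_time_to_seconds(r["not_after"])   # epoch seconds, UTC
        days_left = int((expires - now) // 86400)
        if days_left < 0:
            status = "EXPIRED"
        elif days_left <= EXPIRING_SOON_DAYS:
            status = "EXPIRING"
        else:
            status = "OK"
        rows.append({"device": r["device"], "domain": r["domain"],
                     "criticality": r["criticality"], "owner": r["owner"],
                     "status": status, "days_left": days_left,
                     # an expired or expiring cert with nobody assigned to renew
                     # it is the worst case: inspection is blind and no one is
                     # on the hook to notice
                     "needs_owner": r["owner"] is None and status != "OK"})
    return rows


def summarize(rows: List[Dict]) -> Dict[str, int]:
    """Headline numbers a security lead would want on a weekly briefing."""
    return {
        "expired": sum(r["status"] == "EXPIRED" for r in rows),
        "expired_business_critical": sum(
            r["status"] == "EXPIRED" and r["criticality"] == "business-critical"
            for r in rows),
        "unowned_needing_action": sum(r["needs_owner"] for r in rows),
    }


if __name__ == "__main__":
    audited = audit_certificates(INVENTORY, AS_OF)
    for row in audited:
        print(row)
    print(summarize(audited))
```

In a live deployment the notAfter strings would be pulled from each device rather than typed into a list, but the two reporting dimensions stay the same: how many monitors are blind, and how many of those watch business-critical traffic with no one assigned to fix them.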
Payne testified to the complexity of the company’s technology infrastructure.[438] He said Equifax had grown significantly over the last ten years with a number of acquisitions and integrations adding to the complexity of the technology situation, making the application of security methodologies and tools even more challenging.[439] Payne stated:

[T]he company had been very acquisitive. If you look at the growth of the company certainly since I was there . . . it grew significantly over the 10 years or the 7 years, but even before I started, it was a growth spurt. There was a huge amount of acquisitions, a lot of integrations going on. So just kind of . . . bringing those new systems in and getting them under some sort of management structure is . . . management, not leadership, but getting consistency in the way that all that technology’s managed is a – while all at the same time building platforms for growth and standardization for the future, it’s a big task.[440]

Equifax had custom-built a number of its IT systems. Payne stated: “Here, they built a lot of systems. And so when you build the systems, it adds more complexity. And you can’t go out and buy a dispute and disclosure system, you have to build it, right? So that just adds – all of that adds complexity.”[441]

2. Composition of the Legacy ACIS Environment

One of the custom-built legacy IT systems used by Equifax from the 1970s through 2017 contained the ACIS environment, an internet-facing business system individuals use to dispute incorrect information found within their credit file.[442] During the 2017 breach, Graeme Payne was responsible for managing the ACIS environment for IT.[443] Payne testified:

ACIS was the dispute and disclosure system that was built in . . . the late 1970s to address the requirements of the [Fair Credit Reporting Act]. And under that legislation, credit bureaus are required and data furnishers are required to have a process in place to both disclose information to consumers, but also to manage disputes on consumers’ credit files…. And so we needed a system back then to manage that process. And so way before I even started at Equifax the system was built. When I moved into this position in 2014, we were still running that [ACIS] system that had been built way back then.[444]

One concern for Equifax’s continued use of legacy technologies and applications was the dwindling number of employees with knowledge of how to operate and maintain the aging system. According to Payne, the company was “lucky that we still had the original developers of the [ACIS] system on staff.”[445] He testified:

A. [W]e had a risk of an aging workforce that supported it [ACIS] that could potentially walk out of door and we’d have a lot of knowledge go at the same time.
Q. The original developers were still on staff. How . . . many people are we talking about?
A. A couple of people.[446]

The ACIS system was extremely complex and had been modified many times.[447]

[433] Payne Transcribed Interview at 22-23.
[434] See infra, Chapter 5, subsection B.2.b., 2015 Patch Management Audit Chart at Finding 4.
[435] Webb Transcribed Interview at 70.
[436] Payne Transcribed Interview at 32, 81-82.
[437] See infra, Chapter 1, subsection B.2.
[438] Payne Transcribed Interview at 151-53.
[439] Id. at 152.
[440] Id. at 153.
[441] Id. at 153-54.
[442] Id. at 19-20; see also Mauldin Transcribed Interview at 21.
[443] Payne Transcribed Interview at 22.
[444] Id. at 19-20.
[445] Id. at 31.
[446] Payne Transcribed Interview at 31-32.
When asked to explain the ACIS environment components, Payne testified:

[W]hen we talk about a system obviously there’s a technology stack of applications, database, middleware, and operating system and network . . . . In addition, just to add more complexity, ACIS had many different components as well. So there was a stack and there was many components, so it was wide and deep in different ways.[448]

Both the hardware and operating system supporting the ACIS platform were older, legacy technology.[449] Webb described legacy technology as “an environment that was aging, and . . . that was scheduled to be retired at a future date.”[450] The ACIS application was housed on servers in Equifax’s Alpharetta, Georgia data center made by the now-defunct company Sun Microsystems, which Equifax referred to internally as the “Sun servers.”[451] The Sun servers run the Solaris operating system, which is a mixed open-source operating system developed by Sun Microsystems.[452] This means the operating system ran a custom combination of proprietary (closed source) and open source software.

Apache Struts is an open-source web application framework.[453] Specifically, Apache Struts is middleware, software that runs between an operating system and an application and allows the application to successfully run on the operating system.[454] According to Webb, “Apache Struts is used in a number of the legacy environments where [Equifax was] running applications on the Sun server platforms.”[455] He testified:

Q. How widely was the Apache Struts software used within the Equifax organization?
A. It was limited to the Sun server environment, and there were – we were down to – you have to realize that we were running thousands of servers, and we were down to less than 200 servers at that point in time. So Sun servers, I can’t specifically tell you how many were running different versions of Struts because there were many different versions of Struts.
Q. Where were the Sun servers primarily located?
A. These servers were located in our data center in Alpharetta, Georgia.
Q. Do you recall how many servers there are?
A. It’s less than 200 in total, in terms of Sun servers, but I don’t – I can’t tell you how many were running Struts, or more specifically, how many were running the specific Struts version where the vulnerability occurred.[456]

3. Equifax Did Not Know What Software Was Used Within Its Legacy Environments

As Webb’s testimony shows, Equifax did not have a comprehensive picture of the software used within the ACIS application. The company’s lack of knowledge about the software used within its legacy IT environment was a key factor leading to the 2017 data breach. Equifax’s Patch Management Policy relied on its employees to know the source and version of all software running on a certain application in order to manually initiate the patching process. Therefore, the lack of visibility regarding Apache Struts use in the Equifax environment greatly increased the likelihood an unpatched vulnerability could go unnoticed.

[447] Id. at 21.
[448] Id.
[449] Id. at 15, 19-21.
[450] Webb Transcribed Interview at 16.
[451] Id. Oracle acquired Sun Microsystems in 2010. See also Strategic Acquisitions: Oracle and Sun Microsystems, ORACLE, https://www.oracle.com/sun/index.html (last visited Oct. 4, 2018).
[452] Payne Transcribed Interview at 21.
[453] Webb Transcribed Interview at 16.
[454] Middleware, TECHOPEDIA, https://www.techopedia.com/definition/450/middleware (last visited Oct. 16, 2018).
[455] Webb Transcribed Interview at 16.
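The visibility gap this section describes, and the point Payne makes later in this chapter that scanners struggle to see inside custom-built applications, comes down to whether anyone can answer "which deployments carry component X at version Y" when an alert arrives. For a Java application such as one built on Apache Struts, the framework ships as JAR files, usually packed inside a WAR archive, and each JAR's manifest carries its version. The following is an added illustration, written for this discussion and not Equifax's inventory tooling, of a scanner that walks a deployment tree, opens WAR/EAR archives to list the JARs nested inside them, reads each manifest's Implementation-Version, and matches the result against an affected-version range. The sample tree, the artifact versions placed in it, and the affected range passed to the matcher are constructed placeholders; the real range comes from the vendor's bulletin.

```python
"""Software-component inventory for Java deployments: walks a tree, looks
inside WAR/EAR archives, and records every embedded JAR with its version so
an alert naming a component can be matched against what is deployed.
Added illustration, not Equifax's inventory tooling.  The sample tree, the
artifact versions in it and the affected-version range are constructed."""
import io
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Tuple

JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)+)\.jar$")


def parse_manifest(data: bytes) -> Dict[str, str]:
    """Parse META-INF/MANIFEST.MF ('Key: value'; continuation lines start with a space)."""
    attrs: Dict[str, str] = {}
    last = None
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def describe_jar(location: str, blob: bytes) -> Dict[str, str]:
    """Artifact name from the file name; version from the manifest when present."""
    match = JAR_NAME.match(os.path.basename(location))
    artifact = match.group("artifact") if match else os.path.basename(location)
    version = match.group("version") if match else ""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as jar:
            if "META-INF/MANIFEST.MF" in jar.namelist():
                version = parse_manifest(jar.read("META-INF/MANIFEST.MF")).get(
                    "Implementation-Version", version)
    except zipfile.BadZipFile:
        pass   # not a readable archive; keep what the file name told us
    return {"location": location, "artifact": artifact, "version": version}


def scan_tree(root: str) -> List[Dict[str, str]]:
    """Inventory loose JARs plus JARs nested inside WAR/EAR archives."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.endswith(".jar"):
                with open(path, "rb") as fh:
                    found.append(describe_jar(rel, fh.read()))
            elif name.endswith((".war", ".ear")):
                with zipfile.ZipFile(path) as archive:
                    for member in archive.namelist():
                        if member.endswith(".jar"):
                            found.append(describe_jar(f"{rel}!{member}", archive.read(member)))
    return found


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split(".")) if v else ()


def affected(components: List[Dict[str, str]], prefix: str, lo: str, hi: str) -> List[Dict[str, str]]:
    """Components whose artifact starts with `prefix` and whose version lies in [lo, hi]."""
    return [c for c in components
            if c["artifact"].startswith(prefix)
            and version_tuple(lo) <= version_tuple(c["version"]) <= version_tuple(hi)]


def make_jar(version: str) -> bytes:
    """Construct a minimal JAR whose manifest carries Implementation-Version."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
    return buf.getvalue()


def run_demo() -> Dict[str, List[str]]:
    """Build a constructed deployment tree, inventory it, and match a placeholder range."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "apps"))
        os.makedirs(os.path.join(root, "lib"))
        with zipfile.ZipFile(os.path.join(root, "apps", "dispute.war"), "w") as war:
            war.writestr("WEB-INF/lib/struts2-core-2.3.5.jar", make_jar("2.3.5"))
            war.writestr("WEB-INF/lib/commons-lang-2.6.jar", make_jar("2.6"))
        with open(os.path.join(root, "lib", "struts2-core-2.5.10.jar"), "wb") as fh:
            fh.write(make_jar("2.5.10"))
        components = scan_tree(root)
        # Placeholder affected range; substitute the range from the vendor bulletin.
        hits = affected(components, "struts2-core", "2.3.0", "2.3.9")
    return {
        "struts_versions": sorted(c["version"] for c in components
                                  if c["artifact"].startswith("struts2-core")),
        "affected_locations": sorted(c["location"] for c in hits),
    }
```

The output answers the question the Committee put to Webb and Mauldin: not only that Struts is present somewhere, but exactly which archive on which server carries which version, which is the record a patch alert has to be matched against.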
Payne, who had ultimate responsibility for the ACIS environment, stated “at the time that the breach was announced, I wasn’t even aware that we were running Apache Struts in the particular environment.”[457] He testified he became aware Apache Struts was running on the ACIS platform on “July 30th, when Susan Mauldin called me to ask [for] my help in trying to get the system shut down.”[458] When asked how widely Equifax used Apache Struts software, Mauldin stated “I don’t know.”[459]

Witnesses provided conflicting testimony about whether Equifax kept a complete inventory of Apache Struts software use within the company’s systems. Mauldin was not confident about whether a single registry tracking Apache Struts use was available to all employees. She referenced the possibility of multiple inventory lists, saying the Security and IT teams kept separate lists. Mauldin testified:

Q. Did Equifax have an inventory of this type of software? Would it have been part of Equifax’s software inventory?
A. [I] think that there were various inventory lists around, and I know that in Security, we had our own list . . . . we had a list that we worked on. I’m not sure what IT had.
Q. Did you have different lists?
A. I think that there were multiple lists around that people worked from.[460]

Payne discussed an ongoing initiative to develop a comprehensive inventory of IT systems, including all components found within the technology stack for each system.[461] He stated “inventories existed, but they weren’t comprehensive.”[462] Regarding whether Equifax placed an appropriate amount of attention on asset management, Payne testified:

So I can comment on the 2011 to 2014 period, so where I had responsibility for it. I think . . . there was investment going on because we had people and we had processes. But they weren’t – we needed – in my view, we needed to do more and we had requested some additional investment [to] do more, but we didn’t get, initially anyway, we didn’t get some of those requests funded. Over time we did start to invest more in IT asset management and discovery, but it was, as I say, it was a complex area. Inventories existed, but they weren’t comprehensive and they didn’t contain all the data that you would like to have in terms of all the attributes of all the systems that are running. And it was particularly hard in these older systems, right, because you can – in a more modern system you have got agents and scanners that can actually gather that information because that sort of – the software is more – is known and some software can [be] tagged and all sorts of things. If you are talking about custom built applications like ACIS, it is hard for those tools to even identify all the components of those systems. So that makes it – that just adds another level of complexity.[463]

4. Security Concerns Specific to the ACIS Legacy Environment

The ACIS dispute system is used by millions of consumers to challenge potentially incorrect information found within their Equifax credit report information, which could result in an individual being denied a loan or receiving a higher interest rate. Equifax knew about the security risks inherent in its legacy IT systems, but failed to prioritize security and modernization for the ACIS environment.[464]

A Security employee identified six major security concerns for the ACIS environment in an August 17, 2017 email to Mauldin and Payne.[465] Mauldin requested this assessment in preparation for an August 2017 meeting with senior leadership to discuss the data breach investigation.[466] The six major security concerns, detailed below, were not newly discovered in August 2017.

[456] Webb Transcribed Interview at 16-17.
[457] Payne Transcribed Interview at 12.
[458] Id. at 13.
[459] Mauldin Transcribed Interview at 30.
[460] Mauldin Transcribed Interview at 30-31.
[461] Payne Transcribed Interview at 26.
[462] Id. at 27-28.
[463] Id.
In fact, the 2015 audit of patch management procedures identified three of the six issues for action.[467]

Security Concern 1. There is no segmentation between the Sun application servers and the rest of the [Equifax] network. An attacker that gains control of the application server from the internet can pivot to any other device, database, or server within the [Equifax] network, globally.[468]

Proper network segmentation “lays the groundwork for controls which protect against lateral movement on the network by malicious software and actors, preventing a potential infection or compromise from spreading across the network.”[469] If an attacker breaches the network perimeter of an organization with a flat, unsegmented network, they can move laterally throughout the network and gain access to critical systems or valuable data.[470]

The 2015 audit found the legacy Solaris environments, including ACIS, lacked proper segmentation.[471] According to interim CSO Russ Ayres, the ACIS application only needed access to three databases to function, but it was unnecessarily connected to many more.[472] Mandiant stated network segmentation would have mitigated the amount of data the attackers were able to access.[473] Both Mauldin and Payne testified they were unaware the ACIS environment lacked any segmentation prior to the incident occurring.[474] Mauldin stated: “[W]ould it have mitigated the attacker’s actions? Yes, I think it would have.”[475]

Security Concern 2. File Integrity Monitoring (FIM) is not in place on either the application or webservers, which would allow for alerting and detecting of any unauthorized changes within either environment.[476]

File integrity monitoring (FIM) is a security process to detect whether operating system, database, and application software files have been tampered with.[477] The majority of external cyberattacks involve changes to IT systems and configurations. FIM detects and alerts to potentially unauthorized changes on the network, such as the installation of a web shell serving as a backdoor into the company’s system.[478] Mandiant stated FIM could have detected the creation of the 30 web shells within the Equifax network.[479] Mauldin testified she was unaware FIM was not in place within the ACIS environment.[480]

Security Concern 3. The Sun systems have a shared file system across the environment that allows for access to any of the administrator files from one system to the next. This allows for any notes or configuration files from one system to be accessed from any other system.[481]

File sharing across systems is a highly vulnerable practice, especially without properly set access permissions.[482] A system administrator should develop file access permissions to only allow the necessary, authenticated users to access certain files – especially configuration files which may contain sensitive security information. Best practices dictate the “principle of least privilege,” which restricts the rights and access of a user to the minimal amount necessary to perform their role.[483] In addition, account access across separate file systems should be limited and monitored.[484]

[464] See 2015 Patch Management Audit 3; Webb Transcribed Interview at 73-74; Payne Transcribed Interview at 152.
[465] Email from Francis Finley, Vice President Cyber Intelligence, Equifax, to Susan Mauldin, Chief Sec. Officer, Equifax (Aug. 17, 2017, 9:45:27 AM) (on file with Committee, EFXCONG-SSTOGR000078745 – EFXCONG-SSTOGR000078746).
[466] Id.
[467] 2015 Patch Management Audit at 3. Susan Mauldin, David Webb, and John Kelley are all listed as copied recipients of the report.
[468] Email from Francis Finley to Susan Mauldin (Aug. 17, 2017). See also 2015 Patch Management Audit at 4.
[469] FREDRIK LINDSTROM, A 10-PART FRAMEWORK FOR IMPROVING SECURITY IN THE MODERN ENTERPRISE 1, 5 (2017), https://advisory.kpmg.us/content/dam/advisory/en/advisory-institute/pdfs/2017/network-segmentation-imperative.pdf.
[470] The lack of proper network segmentation was a key factor leading to the 2015 data breach at the Office of Personnel Management. See MAJORITY STAFF OF H. COMM. ON OVERSIGHT & GOV’T REFORM, 114TH CONG., THE OPM DATA BREACH: HOW THE GOVERNMENT JEOPARDIZED OUR NATIONAL SECURITY FOR MORE THAN A GENERATION 15 (Comm. Print 2016).
[471] 2015 Patch Management Audit at 4. See also Equifax, ACIS Online Dispute Design Document (on file with Committee, EFXCONG-SSTOGR0000003552 – EFXCONG-SSTOGR0000003633).
[472] Briefing by Russ Ayres, Interim Chief Sec. Officer, Equifax, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space & Tech. Staff (Oct. 19, 2017).
[473] Briefing by Mandiant, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018).
[474] Mauldin Transcribed Interview at 23; Payne Transcribed Interview at 38.
[475] Mauldin Transcribed Interview at 25.
[476] Email from Francis Finley to Susan Mauldin (Aug. 17, 2017).
[477] File Integrity Monitoring, BEYONDTRUST, https://www.beyondtrust.com/resources/glossary/file-integrity-monitoring/ (last visited Oct. 21, 2018).
[478] Alert TA15-314A: Compromised Web Servers and Web Shells – Threat Awareness and Guidance, US-CERT (last revised Aug. 9, 2017), https://www.us-cert.gov/ncas/alerts/TA15-314A.
[479] Briefing by Mandiant, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018).
[480] Mauldin Transcribed Interview at 25.
[481] Email from Francis Finley to Susan Mauldin (Aug. 17, 2017).
[482] Dick Lewis, The 12 Commandments of File Sharing, IT PRO TODAY (Apr. 26, 2004), https://www.itprotoday.com/strategy/12-commandments-file-sharing.
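Security Concerns 2 and 3 describe two controls on the same file tree: a file-integrity baseline that raises an alert when a file appears or changes under the web server (the mechanism Mandiant said would have caught the web shells), and a least-privilege check that finds configuration files readable by accounts other than their owner, which is how notes and configuration files on a shared file system become reachable from every other system. The following is an added illustration covering both, written for this discussion; it is not Equifax’s or any vendor’s FIM product. The sample web root, file names, the placeholder credential value and the sequence of simulated changes are constructed, and the set of file extensions treated as configuration is an assumption.

```python
"""File-integrity baseline/diff and least-privilege audit for an application
tree.  Added illustration, not Equifax's or any vendor's FIM product; the
sample web root, file names, placeholder credential and the simulated
changes are constructed."""
import hashlib
import os
import re
import stat
import tempfile
from typing import Dict, List, Tuple

SENSITIVE_NAME = re.compile(r"\.(conf|cfg|properties|xml|ini)$")   # assumed config extensions
CREDENTIAL_KEY = re.compile(r"(?i)\b(password|passwd|secret|api[_-]?key)\s*[=:]")


def snapshot(root: str) -> Dict[str, Tuple[str, int]]:
    """Map relative path -> (sha256, permission bits) for every regular file."""
    table = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            table[rel] = (digest, stat.S_IMODE(os.stat(path).st_mode))
    return table


def diff(baseline: Dict[str, Tuple[str, int]],
         current: Dict[str, Tuple[str, int]]) -> Dict[str, List[str]]:
    """Files created, changed (content or mode) or deleted since the baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def audit_permissions(root: str) -> List[Dict[str, object]]:
    """Flag configuration files readable beyond their owner and note whether
    they contain credential-like keys."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not SENSITIVE_NAME.search(name):
                continue
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            readable_by = [who for who, bit in (("group", stat.S_IRGRP), ("other", stat.S_IROTH))
                           if mode & bit]
            if not readable_by:
                continue
            with open(path, "r", errors="replace") as fh:
                has_credential = any(CREDENTIAL_KEY.search(line) for line in fh)
            findings.append({"path": os.path.relpath(path, root).replace(os.sep, "/"),
                             "mode": oct(mode), "readable_by": readable_by,
                             "contains_credential": has_credential})
    return findings


def run_demo() -> Dict[str, object]:
    """Constructed scenario: baseline, permission fix, then an unexpected new file and an edit."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "WEB-INF"))
        os.makedirs(os.path.join(root, "upload"))
        conf = os.path.join(root, "WEB-INF", "app.conf")
        with open(conf, "w") as fh:
            fh.write("db.host=db1.example.test\ndb.user=app\n"
                     "db.password=CONSTRUCTED-PLACEHOLDER\n")
        os.chmod(conf, 0o644)          # readable by every account on a shared file system
        with open(os.path.join(root, "index.jsp"), "w") as fh:
            fh.write("<html>dispute portal (constructed)</html>\n")
        baseline = snapshot(root)
        perms_before = audit_permissions(root)
        os.chmod(conf, 0o600)          # remediation: owner-only; content unchanged
        perms_after = audit_permissions(root)
        # Unexpected changes: a new file lands under the web root and a page is edited.
        with open(os.path.join(root, "upload", "new.jsp"), "w") as fh:
            fh.write("<!-- constructed placeholder file -->\n")
        with open(os.path.join(root, "index.jsp"), "a") as fh:
            fh.write("<!-- edited -->\n")
        changes = diff(baseline, snapshot(root))   # mode change on app.conf also shows up
    return {"perms_before": perms_before, "perms_after": perms_after, "changes": changes}


if __name__ == "__main__":
    print(run_demo())
```

Because the baseline records permission bits as well as content hashes, the chmod on app.conf is reported as a modification alongside the genuinely new file; in practice the authorised remediation would be rebaselined, and the unexplained file under upload/ is what the on-call analyst is paged for.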
484 An Equifax vulnerability tracker found the legacy Solaris operating system on one of the compromised ACIS servers “ accepts network file system (NFS) client requests from any source port . By requiring [NFS ] requests come from privileged source ports , the server can potentially avert attacks from systems on which the attacker does not have full administrative access.” 485 If Equifax had limited access to sensitive files across its systems, the attackers may not have found the stored application credentials used to access sensitive databases outside the ACIS environment. 486 Security Conce rn 4. Logging of the web servers is only retained for 14 days, and 30 days online, making it difficult, to impossible , to reconstruct any malicious activity. 487 A log is a record of the events occurring within an organization’s systems and networks. 488 Logs are essential for forensic investigations into security incidents because they allow the organiza tion to recreate the steps an attacker took within its networks. Logs are only useful as long as they are retained. Targeted advanced attacks to the financial sector take an average of 98 days to detect. 489 The National Institute of Standards and Technology (NIST) recommends retaining logs for high impact systems for three to twelve months. 490 Threat intelligence firm Crowdstrike similarly recommends three to twelve months, based on how useful the type of log data is for conducting an investigation. 491 Mauldin dismiss ed the importance of extended log retention for the internet -facing ACIS platf orm. She testified : A. Well, it’ s not nece ssarily too short. I think that . . . logs and the retention of them is always an ‘it depends ’ kind of an swer. It depends on . . . what they’ re used for and how much space they t ake and those kinds of things. So t here are vari ous strategies with logs and it’ s really, in my opinion, dependent on that environment. 483 Derek A. 
Smith, Controlling Unix and Linux Account Privileges: Nine Best Practices , BEYOND TRUST (Mar. 22, 2017), https://www.beyondtrust.com/blog/controlling -unix -linux -acco unt -privileges -9-best -practices/ . 484 Id. 485 Equifax, Vulnerability PCI Compliance Status 1, 24 (undated) (on file with Committee, EFXCONG - SSTOGR000111843) . 486 Briefing by Russ Ayres, Interim Chief Sec. Officer, Equifax, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space & Tech. Staff (Oct. 19, 2017). 487 Email from Francis Finley to Susan Mauldin (Aug. 17, 2017). 488 NAT ’L INSTITUTE OF STANDARDS & TECH ., SP 800 -92, GUIDE TO COMPUTER SECURITY LOG MANAGEMENT at ES -1 (2006), https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800 -92.pdf . 489 PONEMON INSTITUTE , ADVANCED THREATS IN FINANCIAL SERVICES 1, 6 (2015), http://pages.arbornetworks.com/rs/arbor/images/Ponemon_Advanced%20Threats%20in%20FS%20fnl.pdf . 490 NIST S P 800 -92 at 4 -6. 491 Matt Churchill, The Importance of Logs , CROWDSTRIKE BLOG (Dec. 16, 2015), https://www.crowdstrike.com/blog/the -importance -of-logs/ . 79 Q. Well, depending on this ACIS environment, external -facing, is 14 days/30 days sufficient, in terms of – A. I think it certainly could be sufficient. 492 Due to the sensitivity of the d ata accessed by the ACIS system and the system’s connection to the internet, much of the security industry would disagree with Mauldin’s conclusion. Mandiant also recommended Equifax expand and improve its logging capability. 493 Security Concern 5. A complete software inventory of the resources used within the application is not maintained. This requires a complete code review to identify any potential weaknesses, rather than rapid identification of individual component vulnerabilities, as the indi vidual open source components are not well understood or documented. 
The lack of a comprehensive asset inventory was also documented in the 2015 audit.[495] The audit specifically found:

A comprehensive IT asset inventory does not exist nor does accurate network documentation. A global view of the IT infrastructure does not exist across the organization. The lack of an accurate asset inventory makes it difficult to ensure all assets are adequately patched and configured. It also makes it difficult for [Security] to ensure [they are] vulnerability scanning all assets. Without a firm understanding of the status of all IT assets, ensuring the security and stability of Equifax systems is extremely difficult.[496]

When questioned, Mauldin seemed to dismiss the importance of a comprehensive inventory for the Security team despite the 2015 audit finding. Mauldin stated the lack of an inventory would not necessarily prevent the Security team from “doing our job properly.”[497] She testified:

Q. Are you surprised . . . there’s not a complete inventory in this type of environment?

A. I wouldn’t say that I’m surprised, no, not necessarily. But that – that would not, from a security perspective, keep us from doing our job properly.

Q. Wouldn’t you have to know, though, that [the] Apache Struts software was operating in this environment, and if you didn’t have an inventory, you wouldn’t know?

A. Well, we might not know, but, again, I don’t think that not knowing that would prevent us from doing the right things from a security point of view.[498]

[492] Mauldin Transcribed Interview at 28.
[493] Briefing by Mandiant, to H. Comm. on Oversight & Gov’t Reform & H. Comm. on Science, Space, & Tech. Staff (Aug. 17, 2018).
[494] Email from Francis Finley to Susan Mauldin (Aug. 17, 2017). See also 2015 Patch Management Audit at 5.
[495] 2015 Patch Management Audit at 5.
[496] Id.
[497] Mauldin Transcribed Interview at 28.

It is critical for an organization to know what assets are present within its IT environments to make accurate and informed risk determinations – such as when, and how, to patch a vulnerable system. As the Office of Personnel Management’s Inspector General warned prior to the 2015 OPM data breach, “failure to maintain an accurate inventory undermines all attempts at securing OPM’s information systems.”[499]

Responsibility for the proper management of IT risk must be shared between the IT and Security teams. It was Security’s responsibility to detect vulnerabilities present within the Equifax environment. Security was unable to do this for ACIS because Equifax did not keep track of the presence of Apache Struts within the ACIS application. Therefore, the lack of a comprehensive inventory did prevent Security from properly doing its job.

Security Concern 6. Consistent and timely patching of [the legacy Sun/Solaris] systems as a general observation is a concern.[500]

Equifax knew its patch management process was ineffective.[501] The 2015 Patch Management Audit concluded “vulnerabilities were not remediated in a timely manner,” and “systems were not patched in a timely manner.”[502] In short, Equifax recognized the patching process was not being properly implemented, but failed to take timely corrective action.

***

Mauldin stated Equifax was in the process of making the ACIS application Payment Card Industry (PCI) Data Security Standard (DSS) compliant when the data breach occurred.[503] PCI DSS requirements apply to any entity that stores, processes, and/or transmits cardholder data.[504] PCI preparation, which would have largely addressed the security concerns flagged in the employee’s email to Mauldin, began in August 2016 and was scheduled to be completed by August 2017.[505] PCI DSS compliance requirements include: the use of file integrity monitoring;[506] strong access control measures;[507] retention of logs for at least one year, with the last three months of logs immediately available for analysis;[508] installation of patches for all known vulnerabilities;[509] and maintenance of an up-to-date inventory of system components.[510]

[498] Id. at 28-29.
[499] See MAJORITY STAFF OF H. COMM. ON OVERSIGHT & GOV’T REFORM, 114TH CONG., THE OPM DATA BREACH: HOW THE GOVERNMENT JEOPARDIZED OUR NATIONAL SECURITY FOR MORE THAN A GENERATION 14 (Comm. Print 2016).
[500] Email from Francis Finley to Susan Mauldin (Aug. 17, 2017). See also 2015 Patch Management Audit at 3-4.
[501] 2015 Patch Management Audit at 3.
[502] Id. at 3-4; see infra, Chapter 5, subsection B.2.b., 2015 Patch Management Audit Chart at Finding 4.
[503] Mauldin Transcribed Interview at 25-26.
[504] PCI SECURITY STANDARDS COUNCIL, PAYMENT CARD INDUSTRY (PCI) DATA SECURITY STANDARD VERSION 3.2.1 (2018), https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf?agreement=true&time=1538841225498.

Mauldin testified the PCI DSS implementation “plan fell behind and these items did not get addressed.”[511] She stated:

A. The PCI preparation started about a year before, but it’s very complex. It was a very complex – very complex environment.

Q. A year before, you mean August 2016?

A. Yes, in that timeframe.

Q. And it was scheduled to be complete by August 2017?

A. Right.

Q. But it fell behind?

A. It fell behind.

Q. Do you know why?

A. Well, what I recall from the application team is that it was very complicated, and they were having – it just took a lot longer to make the changes than they thought. And so they just were not able to get everything ready in time.[512]

5. Modernization Efforts Underway at the Time of the Breach

Equifax recognized the inherent security risks created by continued operation of its legacy IT systems.[513] For example, Equifax decided to build out completely new systems rather than continue to reactively implement new security methodologies and tools – some of which were not compatible – into the legacy systems.[514] Payne testified:

[T]rying to apply a lot of these security methodologies, approaches, tools, and technologies and so on… it’s like trying to repair an old house, right? . . . [Y]ou can work on maybe one room at a time, maybe you can have a plan of where you want to get to, but really the best thing’s probably just to knock down the house and start building again. And that was sort of the approach we were taking, right? We were building out new systems. We were building out new data centers. That was really going to be the ultimate way that you would – we would address what – the technology debt that had been sort of inherited, but . . . you do the best you can to put in place all the controls you could.[515]

[505] Mauldin Transcribed Interview at 25-26.
[506] PCI DSS v.3.2.1 at 103-4 (requirement 11.5).
[507] PCI DSS v.3.2.1 at 66 (requirement 7.1).
[508] PCI DSS v.3.2.1 at 94 (requirement 10.7).
[509] PCI DSS v.3.2.1 at 54 (requirement 6.2).
[510] PCI DSS v.3.2.1 at 34 (requirement 2.4).
[511] Mauldin Transcribed Interview at 25-26.
[512] Id. at 26.
[513] Payne Transcribed Interview at 31-32.

Prior to the 2017 data breach, Equifax was building out a modernized software-defined data center in Carrollton, Texas under the name Project Bluebird.[516] In 2015, Webb initiated Project Bluebird to migrate all of the company’s applications off the legacy Sun servers because “threat vectors were changing too quickly and this [was] one way to mitigate risk.”[517] The new data center had “high degrees of automation and orchestration built into it . . . to address some of these modernization challenges [Equifax] had.”[518] Webb, Payne, and Mauldin were all significantly involved with the planning and operation of Project Bluebird.

Equifax planned to move the ACIS application from the legacy servers to the Bluebird data center. When attackers infiltrated the Equifax network through the ACIS portal in 2017, the application was still operating on the legacy Sun servers. Webb testified:

So within Equifax, we really had two environments. We had the next-generation environment, which was what we called Bluebird earlier, which was essentially state of the art and brand new. And then we had the legacy environments that were sitting with things that we knew we were going to move over. And there was a plan to move it over within – the total thing was probably another 3 to 5 years to get everything from legacy into the state of the art. Of course, by the time you move it, it’s now legacy. So that’s the – that’s the joy of being in technology.[519]

Webb testified regarding additional challenges with the modernization initiative Project Bluebird. He stated:

Q. What was the biggest impediment to moving the legacy over?

A. Ensuring that the application doesn’t break when you move it, because old technologies can be difficult to port or to refactor.

Q. What about cost concerns?

A. It was not a cost concern. It was – really, if there is a – if there’s a constraint, it’s the domain expertise required to refactor the application, because you need experts who understand what the application does in order to put it in a new environment and do the same thing.[520]

[514] Id. at 152.
[515] Id.
[516] Webb Transcribed Interview at 73-74.
[517] Id.
[518] Payne Transcribed Interview at 82.
[519] Webb Transcribed Interview at 84.

In addition to the infrastructure migration, Equifax was building a replacement for the ACIS set of systems called the Consumer Care Management System (CCMS).[521] The CCMS project was underway prior to 2014, enduring multiple delays as the company prioritized the completion of other initiatives.[522] Payne testified:

So there were definitely risks associated with the ACIS environment that we were trying to remediate and that’s why we were doing the CCMS upgrade. One of the biggest issues with ACIS was that, again, it was designed back [in the 1970s] to comply with the [Fair Credit Reporting Act]. Since then states, many, many states have created their own legislation regarding disputes and disclosures, and . . . these [rules] would change frequently. So every time we had a change in the rules, the legislation, we had to modify the system. And because the way the system was originally built, these rules were hard coded into the system. So we had to get in and modify the system. It was just – it was time consuming, it was risky . . . and also we were lucky that we still had the original developers of the system on staff. So all of those were risks that I was concerned about when I came into this role. And security was probably also a risk, but it wasn’t the primary driver. The primary driver was to get off the old system because it was just hard to manage and maintain.[523]

***

Every organization must decide its tolerance for risk. To manage risk, organizations should understand the likelihood an event will occur and its potential effects. Major security investments are not necessarily required at an equal level across the enterprise, but business critical systems and extremely sensitive data do require greater levels of care due to the potential high degree of harm to the business and its consumers. Equifax was moving in the correct direction with Project Bluebird and CCMS, as the company began to recognize the risks posed by continued operation of its legacy IT systems. The company, however, did not move quickly enough: Equifax was still operating the ACIS platform on the legacy environment at the time of the breach in 2017.

[520] Webb Transcribed Interview at 85.
[521] Payne Transcribed Interview at 29.
[522] Id. at 29-30.
[523] Id. at 31-32.

VI. Equifax Remediation Efforts

Following the discovery of the breach and immediate actions taken to stop the unauthorized access and exfiltration, Equifax’s focus turned to remediation. Equifax took several actions in the aftermath of the breach to remediate its security weaknesses.

A. Mandiant’s Remedial Recommendations

On September 19, 2017, Mandiant released a report detailing its findings from the forensic review of the breach. Mandiant concluded attackers had access to the Equifax system from May 13, 2017 until July 30, 2017. During this timeframe, attackers compromised two systems supporting the ACIS portal and multiple database tables. The attackers used thirty unique web shells and other reconnaissance efforts to access and exfiltrate data. Mandiant initially concluded 143 million U.S. consumers had their PII compromised as a result of the breach.

Mandiant’s report contained eleven remedial recommendations for Equifax:

1. Enhance vulnerability scanning and patch management processes and procedures;
2. Reduce the scope of sensitive data retained in backend databases;
3. Increase restrictions and controls for accessing data housed within critical databases;
4. Enhance network segmentation, to restrict access from internet facing systems to backend databases and data stores;
5. Deploy additional web application firewalls and tuning signatures to block attacks;
6. Accelerate the deployment of file integrity monitoring technologies on application and web servers;
7. Enforce additional network, application, database, and system-level logging;
8. Accelerate deployment of a privileged account management solution;
9. Enhance visibility for encrypted traffic by deploying additional inline network traffic decryption capabilities;
10. Deploy additional endpoint detection and response agent technologies; and
11. Deploy additional email protection and monitoring technologies.[524]

After ensuring the attackers no longer had access to Equifax systems, Equifax turned to implementing these remedial recommendations. On October 3, 2017, the day after the Mandiant investigation concluded, former CEO Richard Smith appeared before a House Energy and Commerce Subcommittee regarding Equifax’s remediation efforts. Smith testified:

In recent weeks, vulnerability scanning and patch management processes and procedures were enhanced. The scope of sensitive data retained in backend databases has been reduced so as to minimize the risk of loss. Restrictions and controls for accessing data housed within critical databases have been strengthened. Network segmentation has been increased to restrict access from internet facing systems to backend databases and data stores. Additional web application firewalls have been deployed, and tuning signatures designed to block attacks have been added. Deployment of file integrity monitoring technologies on application and web servers has been accelerated. The company is also implementing additional network, application, database, and system-level logging. These are just a few of the steps Equifax has taken in recent weeks to shore up its security protocols. Importantly, Equifax’s forensic consultants have recommended a series of improvements that are being installed over the next 30, 60, and 90 day periods, which the company was in the process of implementing at the time of my retirement. In addition, at my direction a well-known, independent expert consulting firm (in addition to and different from Mandiant) has been retained to perform a top-to-bottom assessment of the company’s information security systems.[525]

[524] Mandiant, Mandiant Report 3 (2017) (on file with Committee).

Susan Mauldin testified about Mandiant’s eleven remediation recommendations. She stated:

A. So, yes, several of these were underway and were things that we were already working on with security program. Some of these got accelerated and . . . were able to, it looks like, get a boost as a result of having Mandiant and additional resources to get those implemented.

Q. When you say accelerated, is that accelerated as of July 2017 or prior to that?

A. What I was referring to is, after Mandiant came in to assist with the investigation, they were able to add resources to help us get some of these things finished more quickly than we would have done in our . . . own natural timeline.[526]

In another portion of her testimony, Mauldin testified about an email from one of her direct reports detailing security concerns with the ACIS environment.[527] Most of these security concerns match up with one of Mandiant’s remedial recommendations. For example, Mauldin’s employee found the lack of segmentation between the application servers and the rest of the network could allow an attacker to gain control of the application server and pivot anywhere else on the Equifax network.[528] This corresponds to Mandiant’s recommendation to enhance network segmentation.[529] The employee found the lack of file integrity monitoring presented a security issue for Equifax.[530] This corresponds to Mandiant’s recommendation to accelerate deployment of file integrity monitoring technologies.[531] The same employee found the short duration for which web server logging was kept posed a challenge to reconstructing malicious activity.[532] Mandiant recommended enforcing additional logging in its seventh recommendation.[533]

[525] Oversight of the Equifax Data Breach: Answers for Consumers: Hearing Before the Subcomm. on Digital Commerce & Consumer Prot. of the H. Comm. on Energy & Commerce, 115th Cong. (2017) (prepared written statement of Richard Smith, Former Chief Exec. Officer, Equifax).
[526] Mauldin Transcribed Interview at 132.
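The employee’s concern about the short retention of web server logs can be made concrete with the intrusion window Mandiant reported, May 13 to July 30, 2017. The following Python is an added example, not part of the Committee’s report: it computes how much of that window could be reconstructed from logs kept for 14 days (the ACIS web servers), 30 days (the “online” figure), the low end of NIST SP 800-92’s three-to-twelve-month guidance for high-impact systems, and the one year PCI DSS requirement 10.7 calls for. The example assumes that the investigator pulls logs on the last day of attacker access, converts three months to 90 days and one year to 365, and uses the 98-day average time to detect targeted attacks on the financial sector cited earlier; the policy labels and those conversions are the example’s own.

```python
"""How much of an intrusion a given log retention window lets investigators reconstruct.

Constructed illustration for Security Concern 4 (web server logs kept 14 days),
using the intrusion dates Mandiant reported.  Assumes logs are pulled on the last
day of attacker access; the policy table and month/year conversions are the
example's, not the report's.
"""
from datetime import date, timedelta

FIRST_ATTACKER_ACTIVITY = date(2017, 5, 13)   # first access reported by Mandiant
LAST_ATTACKER_ACTIVITY = date(2017, 7, 30)    # last access reported by Mandiant
MEAN_DAYS_TO_DETECT = 98                      # financial-sector average cited in the report

# Retention periods compared, in days.  Three months and one year are converted at 30 and 365 days.
RETENTION_POLICIES = {
    "Equifax web servers (14 days)": 14,
    "Equifax online (30 days)": 30,
    "NIST SP 800-92 low end (3 months)": 90,
    "PCI DSS 10.7 (1 year)": 365,
}


def reconstructable_window(first_activity, last_activity, retention_days, pulled_on=None):
    """Return (oldest_available_log, covered_days, intrusion_days, fraction_covered).

    Entries older than retention_days before pulled_on have been discarded, so only the
    overlap between the surviving logs and the intrusion window can be reconstructed.
    """
    pulled_on = pulled_on or last_activity
    oldest_available = pulled_on - timedelta(days=retention_days)
    intrusion_days = (last_activity - first_activity).days
    covered_start = max(first_activity, oldest_available)
    covered_days = max(0, (last_activity - covered_start).days)
    return oldest_available, covered_days, intrusion_days, covered_days / intrusion_days


def retention_meets_detection_lag(retention_days, mean_days_to_detect=MEAN_DAYS_TO_DETECT):
    """True when logs from the first day of an intrusion would still exist at the average detection time."""
    return retention_days >= mean_days_to_detect


def compare_policies(first_activity=FIRST_ATTACKER_ACTIVITY, last_activity=LAST_ATTACKER_ACTIVITY,
                     policies=RETENTION_POLICIES):
    """Coverage of the intrusion window under each retention policy, keyed by policy name."""
    return {name: reconstructable_window(first_activity, last_activity, days) for name, days in policies.items()}


if __name__ == "__main__":
    for name, days in RETENTION_POLICIES.items():
        oldest, covered, total, fraction = reconstructable_window(
            FIRST_ATTACKER_ACTIVITY, LAST_ATTACKER_ACTIVITY, days)
        lag_ok = "yes" if retention_meets_detection_lag(days) else "no"
        print(f"{name:<36} logs back to {oldest}  {covered:>3}/{total} days ({fraction:5.1%})"
              f"  covers {MEAN_DAYS_TO_DETECT}-day detection lag: {lag_ok}")
```

Under the 14-day policy only the final two weeks of a 78-day intrusion are recoverable from the web server logs, and neither the 14-day nor the 30-day window reaches the 98-day average detection lag; the NIST and PCI DSS figures cover the whole intrusion. The same function can be rerun with an organization’s own detection statistics and retention settings to check a proposed policy before an incident rather than after one.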
533 David Web b confirmed several of Mandiant’s recommendations were unde rway prior to the breach. He stated: There were significant efforts underway, really to overhaul the entire infrastructure. So, as I mentioned earlier, we had – it was a project called Bluebird, and it was really a software -defined data center which was addressing many of these things. And, again, the intent was to address these issues as part of that infrastructure overhaul. 534 In August 2018, Mandia nt and Equifax officials confirmed Equifax implemented all eleven of the remedial recommendations. 535 B. 2018 Consent Order with State Regulatory Agencies In ad dition to the remedial recommendations from Mandiant, on June 25, 2018, Equifax agreed t o take several actions under a C onsent Order entered into with regulatory agencies from eight states. Under the 2018 Consent O rder, Equifax agreed its Board of Directors would approve a written risk assessment within 90 days containing: (1) foreseeable t hreats and vulnerabilities to PII; (2) likelihood of threats; (3) potenti al damage to business operations; and (4) safe guards and mitigating controls addressing each threat and vulnerability. 536 Within 30 days of the 2018 Consent O rd er, Equifax had to improve its a udit function and establish a formal and documente d internal a udit program capable of evaluating information tec hnology controls. 537 527 See generally Mauldin Transcribed Interview at 22 -30. 528 See infra , Chapter 5, subsection C.4. Email from Francis Finley to Susan Mauldin (Aug. 17, 2017) . 529 Mandiant, Mandiant Report 3 (2017) (on file with Committee). 530 Email from Francis Finley to Susan Mauldin (Aug. 17, 2017). 531 Mandiant, Mandiant Report 3 (2017) (on fil e with Committee). 532 Email from Francis Finley to Susan Mauldin (Aug. 17, 2017). 533 Mandiant, Mandiant Report 3 (2017) (on file with Committee). 534 Webb Transcribed Interview at 73. 535 Briefing by Mandiant, to H. Comm. on Oversight & Gov’t Reform & H. Comm. 
o n Science, Space, & Tech. Staff (Aug. 17, 2018). 536 EQUIFAX , INC ., CONSENT ORDER (2018), https://www.dfs.ny.gov/about/ea/ea180627.pdf. 537 Id. 88 Equifax ag reed to improve oversight of its information security p rogram within 90 days by , among other th ings, reviewing and approving information technology and information security policies. 538 Within this same timeframe, Equifax agreed to impr ove oversight of critical vendors to ensure information is safeguarded. 539 The 2018 Consent Order required Equifax to improve the standards and controls for patch management .540 The 2018 Consent O rder stipulated, “[a]n effective patch management prog ram must be implemented to reduce the number of unpatched systems and instances of extend ed patching time frames.” 541 To do so, Equifax agreed to: (1) develop a comprehensive information technology asset inventory; (2) formalize a process to routi nely identi fy necessary patches; (3) create an action plan for decommissioning legacy systems; and (4) formalize its Patch Management Policy. 542 The 2018 Consent Order patch management action items mirror the first remedial recommendatio n from Mandiant, recommending Equifax enhance its patch management procedures and processes. 543 Several items in the 2018 Consent Order also mirror recommendations from a 2015 internal patch management audit at Equifax .544 The 2015 audit recommended retiring legacy systems as quickly as p ossible, implementing automated tools to patch systems in a timely manner, creating a proactive patching program, an d putting together a comprehensive IT asset inventory. 545 Equifax agreed in the 2018 Consent Order to increase the oversight of the disaster recovery and bus iness continuity functions of IT operations. 546 Equifax must provide written reports detailing its progress towards compliance with the Consent Order. 
547 Regarding the 2018 Consent Order, Graeme Payne testified : I did se e the state [Attorney s General] settlement they had and read all the things they committed to, and I wish them good luck, because ther e’s a lot in there that is going to require a lot of investment and a lot of effort to build the things I think that they agreed to do in that. 548 C. GAO Findings On August 30, 2018, GAO published a report detailing Equifax ’s information security remediation activities to date . Following the breach, GAO found Equifax took both system -level 538 Id. 539 Id. 540 Id. 541 Id. 542 Id. 543 Mandiant, Mandiant Report 3 (2017) (on file with Committee). 544 2015 Patch Management Audit at 3 -8. 545 Id. 546 EQUIFAX , INC ., CONSENT ORDER (2018), https://www.dfs.ny.gov/about/ea/ea180627.pdf. 547 Id. 548 Payne Transcribed Interview at 154. 89 remediation measures and broader programmatic measures. 549 The GAO draft report findings were based on public Equifax SEC filings and information provided to GAO by Equifax officials. Equifax put in place system -level remediation measures to address the weaknesses that led to the breach. In the GAO report, Equifa x offic ials identified five major areas of weaknesses which contributed to the breach: 1. Software updates ; 2. Software configuration ; 3. Access controls ; 4. Network monitoring ; and 5. 
Boundary protection .550 To address the fact software updates were not properly managed leading to the Apache Struts patch not being applied , GAO wrote “Equifax reportedly implemented a new management process to identify and patch software vulnerabilities and confirm that vulnerabilities had been addressed.” 551 To address weak configura tion management , which prevented scanning tools from detecting the Apache Struts vulnerability , GAO reported “Equifax stated that they upgraded or eliminated vulnerable legacy systems and implemented a new endpoint security system to detect misconfiguratio ns, evaluate potential indications of compromise, and automatically notify system administrators of identified vulnerabilities.” 552 Equifax agreed to address weak access controls which allowed the intruders to run numerous queries and access files with PII by implementing “a new security controls framework and tighter controls on accessing specific systems, applications, and networks.” 553 According to GAO, a misconfigured monitoring device allo wed encrypted web traffic to go uninspected through the Equifax network. 554 To prevent this from happening again, GAO reported Equifax developed new policies and implemented new tools to ensure network traffic is monitored continuously. 555 To address weak boun dary protections , which allowed access to the various databases, Equifax implemented additional controls at its external boundary to monitor communications and further restricted traffic between internal servers. 556 549 DRAFT GAO Equifax Data Breach Report at 18 -19 (August 2018) (on file with the Committee) . Five areas were initially identified and then later revised in the final GAO Report . 550 Id. at 17. 551 Id. 552 Id. 553 Id. 554 Id. at 13 -14. GAO reported the misconfiguration was due to SSL certificates which had expired ten months before the breach occurred. However, documents show the certificates were expired for approximately 19 months prior to the breach. 
See infra , Chapter 3 , su bsection B. 555 DRAFT GAO Equifax Data Breach Report at 13 -14. 556 Id. 90 According to GAO, Equifax implemented bro ader programmatic measures. One of these measures was changing the reporting structure of the CSO. 557 The C ISO (formerly known as the CSO) now reports directly to the CEO to allow for greater visibility into cybersecurity risks by top m anagement .558 D. Remediation Steps Reported to SEC Equifax’s 2017 annual SEC ( 10 -K) filing show s the company has taken a variety of remediation steps to address the weaknesses identified during the breach investigation. 559 In its 10 -K filing , Equifax stated, “The Company ha s taken and continues to take extensive steps designed to prevent this type of incident from happening again and to earn back the trust of consumers, customers and regulators.” 560 The report continued: Following the cybersecurity incident, we began undertak ing significant steps to enhance our data security infrastructure. In connection with these efforts, we have incurred significant costs and expect to incur additional significant costs as we take further steps to prevent unauthorized access to our systems and the data we maintain. The actions we have taken are based on our investigation of the causes of the cybersecurity incident, but there will be additional changes needed to prevent a similar incident. We have also enhanced our disclosure controls and procedures and related protocols to specifically provide that cyber incidents are promptly escalated and investigated and reported to senior management, and where appropriate, to the Board of Directors. We also engaged an independent outside consulting firm to help us with both strategic remediation activities and to review our cybersecurity framework, our controls framework and our management and employee s’ roles and responsibilities. 561 E. 
Equifax’s Updated Approach to Cybersecurity In its 2018 Annual Proxy Statement to investors , Equifax reported on how its Board of Directors was enhancing Board oversight in an effort to strengthen Equifax’s cybersecurity posture. 562 Th e enhanced Board o versight includes (see Figure 14) : 557 Id. 558 Id. 559 Equifax , 2017 Annual Report (Form 10 -K) (Mar. 1, 2018), https://investor.equifax.com/~/media/Files/E/Equifax - IR/Annual%20Reports/2017 -annual -report.pdf . 560 Id. at 3. 561 Id. 562 EQUIFAX , NOTICE OF 2018 ANNUAL MEETING AND PROXY STATEMENT 27 (2018) , https://investor.equifax.com/~/media/Files/E/Equifax -IR/Annual%20Reports/2018 -proxy -statement -web.pdf. 91 Figure 14: Equifax Board of Directors Enhanced Oversight Plan Equifax has increased IT an d cybersecurity spending post -breach. In November 2017, interim CEO Pau lino do Rego Barros stated Equifax increased security spending fourfold sin ce the breach was discovered. 563 Equifax reported $221.5 million in costs related to the cybersecurity incident through the first nine months of 2018 (see Figure 15 ).564 (in millions) Three Months Ended September 30, 2018 Nine Months Ended September 30, 2018 Technology and data security $ 92.6 $ 193.2 Legal and investigative fees 16.1 61.4 Product liability 7.8 11.9 Insurance recoveries — (45.0) Total $ 116.5 $ 221.5 Figure 15 : 2018 Equifax Costs Related to Cybersecurity Incident 563 Jennifer Surane, Equifax Is Haunted By Its Costly Cyber Attack , BLOOMBERG (Nov. 9, 2017), https://www.bloomberg.com/news/articles/2017 -11 -09/equifax -haunted -by -cyber -attack -as-costs -jump -lawsuits - abound . 564 Press Release, Equifax, Equifax Releases Third Quarter 2018 Results (Oct. 24, 2018), https://www.prnewswire.com/news -release s/equifax -releases -third -quarter -2018 -results -300737406.html . 92 Comparatively, Susan Mauldin testified the annual budget for the Security team at the time she left Equifax in September 2017 was $38 million .565 F. 
Equifax Officials on Remediation Following his appointment as Equifax’s new CEO, Mark Begor told news outlets, “We didn’t have the right defenses in place, but we are investing in the business to protect this from ever happening again.” 566 All three witnesses the Committee interviewed state d they believed Equifax properly invested in security. 567 When asked about Begor’s quote, Payne stated: I think – look, there were a lot of gaps , I think . . . that we were aware of and we were working on, right? So . . . it wasn’ t a matter of not having defenses in place. I think it was . . . a lot of the right things were being done. The problem was they weren’ t necessaril y comprehensive enough, right? We had an asset inventory, yes , but it wasn’ t comprehensive. We had a patching process, but it didn’t – it wasn’ t thorough enough, or i t wasn’ t comprehensive enough. It didn’ t – we had notifications, but we didn’ t notify the people – everyo ne that needed to be notifie d . . . [W] e had scanning, but it didn’ t s can all the things . . . so it’ s n ot as if th ose defenses weren’ t in place .568 Webb stated Equifax’s failure to prevent this data breach was not a spending issue, but rather it was a failure of execution . He testified: A. Again, at the end of the day, we were spending a significant amount of dollars. We had t he tools and the capabilities. Whether the people and process components were working is the thing that needs to be evaluated, not the spend. Q. Right, but if you were spending appropriately o n the IT and security, why didn’ t any of the security tools that you had detect this cyber attack? A. The tools also require people and process to operate and to function properly. 569 565 Mauldin Transcribed Interview at 16. 566 Ken Sweet, Equifax Hires Financial Executive Mark Begor as New CEO, U.S. NEWS (March 28, 2018), https://www.usnews.com/news/business/articles/2018 -03 -28 /equifax -names -mark -begor -as-its-ceo . 
567 See Mauldin Transcribed Interview at 150; Payne Transcribed Interview at 158 -159; Webb Transcribed Interview at 15 -16. 568 Payne T ranscribed Interview at 151 . 569 Webb Transcribed Interview at 57. 93 Mauldin testified about what Equifax could have done better to prev ent the breach. She state d:

I th ink we had a lot of good work. This was a very unfortunate incident, and I know I deeply regret it, as many do. But I think it just simply – for me, it underscores the importance of staying aware and staying vigilant, stay ing ahead of the threat actor. They are so sophisticated and so well -funded that every company has to be continuously on its t oes and pushing ahead . . . vigorously to get things done, get plans completed, and so forth. It just underscores the importance o f that for me. 570 570 Mauldin T ranscribed Interview at 142 -43 . 94 VII. Recommendations Recommendation 1: Empower Consumers through Transparency Consumer reporting agencies should provide more transparency to consumers on what data is collected and how it is used. A large amount of the public’s concern after Equifax’s data breach announcement stemmed from the lack of knowledge regarding the extensi ve data CRAs hold on individuals. CRAs must invest in and deploy additional tools to empower consumers to better control their own data. For example, CRAs should offer consumers a free, simple summary explaining the data collected on the individual. The su mmary should include the number of times the CRA provided their data to a business within the last year. The summary should be available for consumers to view at any time, outside of the annual free credit report offer. This would allow consumers to track the information CRAs have on them and know how often their information was being shared . Credit report locks and freezes give consumers increased control of their data. CRAs are required to offer free credit freezes to all consumers. 571 None of these transparency measures, including credit freezes, should require a consumer to sign up for additional services or make any other commitment. 
Recommendation 2: Review Sufficiency of FTC Oversight and Enforcement Authorities

Currently, the FTC uses statutory authority under Section 5 of the Federal Trade Commission Act to hold businesses accountable for making false or misleading claims about their data security or failing to employ reasonable security measures. Additional oversight authorities and enforcement tools may be needed to enable the FTC to effectively monitor CRA data security practices, both prior and subsequent to a breach occurring, and incentivize CRAs to adequately safeguard the consumer data they store.

Recommendation 3: Review Effectiveness of Identity Monitoring and Protection Services Offered to Breach Victims

GAO should examine the effectiveness of current identity monitoring and protection services and provide recommendations to Congress. In particular, GAO should review the length of time that credit monitoring and protection services are needed after a data breach to mitigate identity theft risks. Equifax offered free credit monitoring and protection services for one year to any consumer who requested it. A variety of opinions were provided to the Committee about both the value of credit monitoring services and the recommended length of time the protection should be provided. This GAO study would help clarify the value of credit monitoring services and the length of time such services should be maintained. The GAO study should examine alternatives to credit monitoring services and identify additional or complementary services to enhance the protections offered by credit monitoring services.

571 The Economic Growth, Regulatory Relief, and Consumer Protection Act, Pub. L. No. 115-174 (2018).

Recommendation 4: Increase Transparency of Cyber Risk in Private Sector

Federal agencies and the private sector should work together to increase transparency of a company’s cybersecurity risks and steps taken to mitigate such risks.
One example of how a private entity can increase transparency related to the company’s cyber risk is by making disclosures in its SEC filings. In 2011, the SEC developed guidance to assist companies in disclosing cybersecurity risks and incidents. According to the SEC guidance, if cybersecurity risks or incidents are “sufficiently material to investors,” a private-sector company may be required to disclose the information in registration statements, financial statements, and Form 8-K filings. Equifax did not disclose any cybersecurity risks or cybersecurity incidents in its SEC filings prior to the 2017 data breach. Federal agencies, such as the SEC, should continue to encourage the public disclosure of cyber risks to increase awareness of a company’s cybersecurity posture.

Recommendation 5: Hold Federal Contractors Accountable for Cybersecurity with Clear Requirements

The Equifax data breach and federal customers’ use of Equifax identity validation services highlight the need for the federal government to be vigilant in mitigating cybersecurity risk in federal acquisition. The Office of Management and Budget (OMB) should continue efforts to develop a clear set of requirements for federal contractors to address increasing cybersecurity risks, particularly as they relate to the handling of PII. There should be a government-wide framework of cybersecurity and data security risk-based requirements. In 2016, the Committee urged OMB to focus on improving and updating cybersecurity requirements for federal acquisition. 572 Notably, several acquisition rules and clauses were finalized in 2016 to address cybersecurity requirements for federal contractors. 573 The National Archives and Records Administration (NARA) finalized a rule providing direction to agencies on how to handle and secure Controlled Unclassified Information (CUI), such as PII. 574 The CUI program was established to standardize the processing and handling of the sensitive unclassified types of information that agencies and their contractors handle. In March 2019, a notice of proposed rulemaking for the related acquisition rule with contract clauses for CUI handling is expected. 575 The Committee again urges OMB to expedite development of a long-promised cybersecurity acquisition memorandum to provide guidance to federal agencies and acquisition professionals. 576

572 MAJORITY STAFF OF H. COMM. ON OVERSIGHT & GOV’T REFORM, 114TH CONG., THE OPM DATA BREACH: HOW THE GOVERNMENT JEOPARDIZED OUR NATIONAL SECURITY FOR MORE THAN A GENERATION 24 (Comm. Print 2016).
573 81 Fed. Reg. 30,439 (May 16, 2016); see also 81 Fed. Reg. 72,986 (Oct. 21, 2016).
574 81 Fed. Reg. 63,324 (Sept. 14, 2016); CUI Category: Sensitive Personally Identifiable Information, NARA, https://www.archives.gov/cui/registry/category-detail/sensitive-personally-identifiable-info (last visited Nov. 4, 2018).
575 Federal Acquisition Regulation; FAR Case 2017-016, Controlled Unclassified Information (RIN: 9000-AN56), OFFICE OF INFORMATION AND REGULATORY AFFAIRS, https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201810&RIN=9000-AN56 (last visited Nov. 4, 2018).
576 See Letter from Mick Mulvaney, Director, Office of Mgmt. & Budget, to Will Hurd, Chairman, Subcomm. on Info. Tech., H. Comm. on Oversight & Gov’t Reform (July 24, 2017) (on file with Committee).

In the interim, federal agencies should use existing tools to hold contractors accountable for cybersecurity. For example, agencies should consider proactively conducting oversight of contractors’ cybersecurity practices and risk, examining contractors’ past performance information, building cybersecurity requirements into evaluation factors, and using the suspension and debarment mechanism.
Equifax provided identity verification services to three federal agencies, and these agencies took action in the aftermath of the data breach. 577 The Internal Revenue Service (IRS), Social Security Administration (SSA), and the U.S. Postal Service (USPS) all made site visits to Equifax’s data center in Alpharetta, GA to review security controls. 578 SSA assessed Equifax’s compliance with NIST security baseline controls and shared this information with the IRS and USPS. 579

Recommendation 6: Reduce Use of Social Security Numbers as Personal Identifiers

The executive branch should work with the private sector to reduce reliance on Social Security numbers. Social Security numbers are widely used by the public and private sector to both identify and authenticate individuals. Authenticators are only useful if they are kept confidential, and a value that also serves as an identifier is necessarily shared with many parties and, unlike a password, cannot be changed once exposed. Attackers stole the Social Security numbers of an estimated 145 million consumers from Equifax. As a result of this breach, nearly half of the country’s Social Security numbers are no longer confidential. To better protect consumers from identity theft, OMB and other relevant federal agencies should pursue emerging technology solutions as an alternative to Social Security number use.

Recommendation 7: Implement Modernized IT Solutions

Companies storing sensitive consumer data should transition away from legacy IT and implement modern IT security solutions. Equifax failed to modernize its IT environments in a timely manner. The complexity of the legacy IT environment hosting the ACIS application allowed the attackers to move throughout the Equifax network and obtain access to unrelated consumer PII. Equifax’s legacy IT was difficult to scan, patch, and modify. The Committee has emphasized the important security benefits of modernized IT solutions for federal agencies. The Committee passed the Modernizing Government Technology Act to incentivize federal agencies’ implementation of new technology by allowing agencies to reinvest IT modernization savings. Private sector companies, especially those holding sensitive consumer data like Equifax, must prioritize investment in modernized tools and technologies.

577 GAO Equifax Data Breach Report at 18.
578 Id. at 22-23.
579 Id.