Incident: Equifax Data Breach Due to Unpatched Apache Struts Vulnerability

Published Date: 2017-09-07

Postmortem Analysis
Timeline 1. March 2017: the Apache Struts vulnerability later used against Equifax was publicly disclosed and a patch released; the U.S. Homeland Security Department alerted Equifax to it the same month [64029, 64031]. 2. March 9 and March 15, 2017: an internal patch notice was mishandled by a single staffer, and a vulnerability scan run by the information security department failed to flag the affected systems [64175, 64029]. 3. May 13, 2017: attackers began accessing Equifax systems through the still unpatched web application [62849, 62931, 63964, 64029]. 4. July 29, 2017: Equifax detected the intrusion [62931, 63964, 64029]. 5. July 30, 2017: the affected web application was taken offline, ending unauthorized access that had run from May 13 to July 30 [64029]. 6. Equifax's leadership learned of the breach two days after it was detected [63964, 64029, 64031]. 7. September 7, 2017: the breach was publicly disclosed, the publication date of this entry [62849, 64175].
System 1. Apache Struts web-application framework, the component carrying the unpatched vulnerability [62849, 62931, 62949, 63172, 64175] 2. Equifax's patch management controls [73036] 3. An expired certificate on the software that monitored network traffic for suspicious activity [78900] 4. Equifax's online dispute portal, the web application running the unpatched software [95961]
Responsible Organization 1. Equifax's security officials, who failed to patch the known vulnerability in the Apache Struts software [62849, 62931, 62949, 64029, 64031, 64175]. 2. Equifax's former CEO, Richard Smith, acknowledged human error and technology failures within the company that contributed to the breach [64029, 64031]. 3. Equifax blamed a single employee for mishandling the patch notice [64175]; a congressional committee rejected that framing, since the vulnerability was widely known [95795]. 4. Equifax's inadequate response and failure to apply the available patch were identified as contributing factors [78900, 95795, 95961].
Impacted Organization 1. Equifax [62849, 62873, 62931, 62949, 63165, 63175, 63964, 64029, 64031, 64175, 73036, 78900, 95559, 95795, 95961]
Software Causes 1. Separately from the U.S. breach, Equifax was found to be protecting an Argentine credit-dispute portal with the default credentials "admin/admin", a known weakness with a ready fix; this was an additional lapse in the same period, not the entry point for the breach [62849]. 2. The breach exploited a known vulnerability in the Apache Struts software that Equifax had not patched, even though the patch had been available since March [62873, 62931, 62949, 63917, 63964, 64029, 64031, 64175, 95559, 95795, 95961]. 3. Equifax failed to apply the patch despite being alerted to the vulnerability by the U.S. Homeland Security Department in March [64031]. 4. The intrusion went undetected for months because a certificate on the software that inspected network traffic for suspicious activity had expired, so the traffic it was meant to examine passed uninspected and the attackers reached personal identifying information unnoticed [78900].
Non-software Causes 1. Lack of layered security controls and prevention methods [62873] 2. Failure to immediately alert affected individuals to cybersecurity incidents [63165] 3. Overwhelmed call centers and inability to answer questions promptly [63917] 4. Delay in disclosing the hack [63165] 5. Failure to apply a software patch despite being alerted to the vulnerability [64029, 64031] 6. Expired software certificate leading to failure to detect the breach [78900] 7. Blaming the security failure on a single employee despite known vulnerability [95795] 8. Failure to patch a known vulnerability on the online dispute portal [95961]
Impacts 1. Personal data of 143 million people was exposed [62849, 62873]. 2. Equifax lost control of driver's license data, credit card numbers for 209,000 consumers, and credit dispute documents for 182,000 others [63165]. 3. Call centers were overwhelmed after the announcement, leaving customers on hold or without answers [63917]. 4. The breach exposed personal information of more than 140 million Americans [64029, 64031]. 5. Because of the expired certificate on the network-monitoring software, the intrusion went unnoticed from mid-May until late July [78900, 62873]. 6. According to the indictment, Chinese military hackers exploited the unpatched flaw in the online dispute portal to steal vast quantities of files [95961].
Preventions 1. Regularly patching and updating software components known to be vulnerable [62849, 62931, 64029]. 2. Implementing layered security controls in addition to patching vulnerabilities [62873]. 3. Having proper procedures in place to promptly follow advice on software updates [62849]. 4. Setting reminders to update digital certificates and ensuring proper monitoring of network traffic [78900]. 5. Timely response to software vulnerabilities and applying patches promptly [64031, 64175]. 6. Having multiple individuals responsible for the patching process rather than relying on a single person [64175]. 7. Following protocols for software patch management and ensuring proper deployment and scanning processes [64175].
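Two of the controls above, finding every deployment of a vulnerable component and comparing each deployed version with the fixed release, are exactly the checks the articles say failed in March 2017, when a scan did not flag the vulnerable systems. The script below is an added example, not Equifax's tooling and not code from the Apache Struts project. It inventories struts2-core jars beneath a directory, reads the version from each jar's manifest, and contrasts a top-level-only scan with a recursive one. The directory layout and jar files are constructed for the demo. The fixed-version table is an input to the scan: the values used are the releases the March 2017 Struts advisory listed as fixed, which this page does not itself quote, and a real scan should load them from the vendor bulletin.

```python
"""Recursive inventory of a vulnerable component, with version comparison.

Added example: not Equifax's tooling or code from the Apache Struts project.
It models the two checks that failed in March 2017: finding every deployment
of the component, and comparing each deployed version with the fixed release.
The directory tree and jar files are constructed below for the demo.
"""
import os
import re
import tempfile
import zipfile

# Fix thresholds are an input to the scan. The page does not quote the Struts
# advisory; these are the releases the March 2017 advisory listed as fixed, and
# a production scan should load them from the vendor bulletin, not hard-code them.
FIXED_VERSIONS = {"2.3": "2.3.32", "2.5": "2.5.10.1"}

JAR_NAME = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare numerically, strings do not."""
    return tuple(int(p) for p in text.split("."))


def is_vulnerable(version, fixed_versions=FIXED_VERSIONS):
    """True if version is older than the fix for its branch, False if at or past
    the fix, None if the branch is not in the table (report it, do not assume safe)."""
    parts = parse_version(version)
    branch = ".".join(str(p) for p in parts[:2])
    if branch not in fixed_versions:
        return None
    return parts < parse_version(fixed_versions[branch])


def jar_version(path):
    """Read Implementation-Version from the jar manifest; fall back to the filename."""
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        if match:
            return match.group(1)
    except (zipfile.BadZipFile, KeyError):
        pass
    match = JAR_NAME.match(os.path.basename(path))
    return match.group(1) if match else None


def inventory(root, recursive=True):
    """Map path -> version for every struts2-core jar under root.

    recursive=False imitates a scan that looks only at the top level and so
    misses jars inside exploded web applications (WEB-INF/lib).
    """
    found = {}
    walker = os.walk(root) if recursive else [(root, [], os.listdir(root))]
    for dirpath, _dirs, files in walker:
        for name in files:
            if name.startswith("struts2-core-") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                found[path] = jar_version(path)
    return found


def vulnerable_jars(root, recursive=True):
    """Sorted paths of jars whose version is known to be below the fix."""
    return sorted(path for path, version in inventory(root, recursive).items()
                  if version and is_vulnerable(version))


def make_fake_jar(path, version):
    """Constructed stand-in for a real jar: a zip holding only a manifest."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)


def build_demo_tree():
    """Constructed layout: a patched jar at the root, two unpatched ones buried
    under web applications where a shallow scan never looks."""
    root = tempfile.mkdtemp(prefix="struts-scan-")
    make_fake_jar(os.path.join(root, "struts2-core-2.5.10.1.jar"), "2.5.10.1")
    make_fake_jar(os.path.join(root, "webapps", "dispute", "WEB-INF", "lib",
                               "struts2-core-2.3.31.jar"), "2.3.31")
    make_fake_jar(os.path.join(root, "webapps", "portal", "WEB-INF", "lib",
                               "struts2-core-2.5.10.jar"), "2.5.10")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    print("top-level scan flags:", vulnerable_jars(demo_root, recursive=False))
    print("recursive scan flags:", vulnerable_jars(demo_root, recursive=True))
```

Run stand-alone, the top-level scan reports nothing while the recursive scan flags both buried jars. Two design points matter in practice: versions are compared as integer tuples, because string comparison would rank "2.3.9" above "2.3.32"; and a branch the fix table does not know yields None rather than False, so unknown components are surfaced for review instead of being silently treated as safe.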
Fixes 1. Regularly patch and update software components known to be vulnerable [62849, 62873]. 2. Implement layered security controls in addition to patching vulnerabilities [62873]. 3. Have new leadership to move the company forward [62989]. 4. Pass data breach laws along with data security standards to ensure regular system checks and prevent future breaches [63167]. 5. Improve software patch management controls [73036]. 6. Set reminders to update digital certificates [78900]. 7. Ensure timely patching of software vulnerabilities to prevent exploitation [64029, 64031, 64175, 95961].
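Item 6 above is the control for the monitoring gap described under Software Causes: a certificate on the traffic-inspection software expired and nothing raised an alarm. The script below is an added example, not Equifax's or any vendor's code. It reads the notAfter date directly from a DER-encoded X.509 certificate using only the Python standard library and classifies the certificate as OK, approaching expiry, or expired against a supplied clock. The sample certificate is constructed inline: its DER framing follows the real X.509 field order up to Validity, but issuer, subject, key and signature are empty placeholders, so it is not a usable certificate.

```python
"""Certificate expiry check straight from DER bytes, standard library only.

Added example, not Equifax's or any vendor's code. The page reports that an
expired certificate on a traffic-inspection device silently disabled monitoring;
the control is to read notAfter from every certificate in service and alert
before it passes. The parser walks only as far into the X.509 structure as the
Validity field. The sample certificate is constructed inline: its DER framing
is real but issuer, subject, key and signature are empty placeholders.
"""
import datetime as dt

SEQUENCE, INTEGER, UTC_TIME, GENERALIZED_TIME, CONTEXT_0 = 0x30, 0x02, 0x17, 0x18, 0xA0


def utc(year, month, day):
    """Timezone-aware midnight UTC, used for sample dates and the clock."""
    return dt.datetime(year, month, day, tzinfo=dt.timezone.utc)


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def parse_time(tag, raw):
    """UTCTime is YYMMDDHHMMSSZ with the X.509 pivot (50-99 -> 19xx, 00-49 -> 20xx);
    GeneralizedTime is YYYYMMDDHHMMSSZ."""
    text = raw.decode("ascii")
    if tag == UTC_TIME:
        yy = int(text[:2])
        text = "%d%s" % (1900 + yy if yy >= 50 else 2000 + yy, text[2:])
    elif tag != GENERALIZED_TIME:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def certificate_validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    tag, pos, _ = read_tlv(der, 0)                  # Certificate SEQUENCE
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = read_tlv(der, pos)                # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == CONTEXT_0:                            # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                              # serialNumber, signature, issuer
        _, _, pos = read_tlv(der, pos)
    tag, pos, _ = read_tlv(der, pos)                # validity SEQUENCE
    if tag != SEQUENCE:
        raise ValueError("validity not found where expected")
    t1, s1, e1 = read_tlv(der, pos)
    t2, s2, e2 = read_tlv(der, e1)
    return parse_time(t1, der[s1:e1]), parse_time(t2, der[s2:e2])


def expiry_status(der, now, warn_days=30):
    """Classify as ('EXPIRED'|'WARN'|'OK', days_left) relative to now."""
    _, not_after = certificate_validity(der)
    days_left = (not_after - now).days
    if days_left < 0:
        return "EXPIRED", days_left
    return ("WARN" if days_left <= warn_days else "OK"), days_left


# Constructed sample input. A minimal DER encoder builds a certificate skeleton.
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_cert(not_before, not_after):
    """Real X.509 field order up to Validity; later fields are placeholders."""
    def utc_time(t):
        return tlv(UTC_TIME, t.strftime("%y%m%d%H%M%SZ").encode())
    tbs = tlv(SEQUENCE,
              tlv(CONTEXT_0, tlv(INTEGER, b"\x02"))            # version v3
              + tlv(INTEGER, b"\x01")                          # serialNumber
              + tlv(SEQUENCE, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # signature OID
              + tlv(SEQUENCE, b"")                             # issuer (placeholder)
              + tlv(SEQUENCE, utc_time(not_before) + utc_time(not_after))
              + tlv(SEQUENCE, b"")                             # subject (placeholder)
              + tlv(SEQUENCE, b""))                            # subjectPublicKeyInfo (placeholder)
    return tlv(SEQUENCE, tbs + tlv(SEQUENCE, b"") + tlv(0x03, b"\x00"))


if __name__ == "__main__":
    now = utc(2017, 7, 29)                          # the day the intrusion was detected
    lapsed = build_sample_cert(utc(2015, 1, 31), utc(2016, 1, 31))
    print(expiry_status(lapsed, now))               # ('EXPIRED', -545)
```

To run the same check against a real certificate, convert PEM text with the standard-library function ssl.PEM_cert_to_DER_cert and pass the result to expiry_status; the parser tolerates certificates with or without the explicit version field. The point of taking an explicit now argument is that the check belongs in a scheduled job that compares every deployed certificate against the wall clock and pages on WARN, which is the reminder the page says was missing.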
References 1. Equifax statement ([62849]) 2. Avivah Litan, security analyst with Gartner ([62873]) 3. Equifax disclosure ([62931]) 4. Specialist blog Krebs on Security ([62949]) 5. Equifax former chief executive and chairman testimony ([63964]) 6. U.S. Homeland Security Department ([64031]) 7. Government Accountability Office ([75486]) 8. US Congress report ([78900]) 9. Indictment ([95795], [95961])

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization (a) one_organization: the Apache Struts vulnerability was disclosed in March 2017 and a patch was released shortly afterward, but Equifax had not applied it to its own systems when the intrusion began in May [Article 62931]. Equifax was alerted to the flaw in March yet took months to patch it, during which attackers obtained personal information on more than 140 million Americans [Article 64029]. (b) multiple_organization: the incident is not isolated. The US Congress report found that the 2017 breach, affecting 143 million people, went undetected because of an expired software certificate, and the same class of failure, an expired certificate taking down a network, was later seen at the UK mobile operator O2 [Article 78900]. The indictment describes the same pattern from the attacker's side: the Apache Struts project announced the vulnerability in March 2017, Equifax did not patch its online dispute portal, and Chinese military hackers exploited the flaw to steal Equifax's files [Article 95961].
Phase (Design/Operation) design, operation (a) design: the dispute portal was built on a version of Apache Struts carrying a known vulnerability for which a patch had been available since March, so the deployed software itself was flawed [62849, 62873, 62931, 62949, 64175]. Equifax's former CEO attributed the breach to human error and technology failures, specifically the information security department's failure to identify vulnerable systems during its March scans [64029, 64031], and the company had been alerted to the vulnerability in March by the U.S. Homeland Security Department [64031]. (b) operation: the intrusion was open from mid-May until July 29, when Equifax first detected it and worked to stop it [62873]. Operational controls failed along the way: a scanner did not flag the vulnerability on March 15 and a single staffer mishandled the patch notice on March 9 [64175]; an expired certificate on the network-monitoring software meant the intrusion affecting 143 million people went unnoticed [78900]; and the attackers exploited the unpatched dispute portal to steal vast quantities of files [95961].
Boundary (Internal/External) within_system, outside_system (a) within_system: the main contributing factors originated inside Equifax. It failed to apply the patch for a known Apache Struts vulnerability, which let the attackers in and allowed them to steal vast quantities of data [62849, 62931, 62949, 64029, 64175, 95559, 95961]; its March scans missed the vulnerable systems [64029, 64175]; and the certificate on its network-monitoring software had expired, so the intrusion was not detected [78900]. (b) outside_system: the vulnerability itself was in a third-party component, Apache Struts, and was disclosed publicly together with its patch [62931, 64031]; the exploitation was carried out by external attackers, identified in the indictment as Chinese military hackers [95961].
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident occurring due to non-human actions: - Equifax's breach was attributed to an expired software certificate that went unnoticed, allowing hackers to access personal information of millions of individuals [Article 78900]. - The breach was also linked to a vulnerability in the Apache Struts software, which Equifax failed to patch despite a known fix being available [Article 62849, Article 62931, Article 64029]. - The unpatched vulnerability in Equifax's web application allowed hackers to access personal identifying information [Article 64029]. (b) The software failure incident occurring due to human actions: - Equifax's former CEO mentioned that the breach was a result of both human error and technology failures, indicating a role of human actions in the incident [Article 64029]. - The breach was preventable, as Equifax did not patch the known vulnerability in its online dispute portal, which was exploited by Chinese military hackers [Article 95961]. - A congressional committee stated that the hack was "entirely preventable," suggesting human actions played a significant role in the failure [Article 95795].
Dimension (Hardware/Software) software (a) The software failure incident occurring due to hardware: - There is no specific mention of the software failure incident occurring due to contributing factors originating in hardware in the provided articles. (b) The software failure incident occurring due to software: - The software failure incident in Equifax was primarily due to software-related factors. The breach was caused by a known vulnerability in the Apache Struts software that Equifax used [Article 62849, Article 62873, Article 62931, Article 62949, Article 63917, Article 63964, Article 64029, Article 64031, Article 64175, Article 95559, Article 95795, Article 95961]. Equifax failed to patch this vulnerability in a timely manner, leading to the breach and data theft.
Objective (Malicious/Non-malicious) malicious, non-malicious (a) malicious: Chinese hackers exploited the Apache Struts vulnerability to remotely execute code on Equifax's systems [95559]; the attackers accessed Equifax's servers through the unpatched vulnerability from mid-May until the application was taken offline on July 30, 2017 [64029, 95795]; and the breach was characterized as a counterintelligence attack on the nation by China, a deliberate effort to gather massive amounts of Americans' personal and sensitive data [95961]. (b) non-malicious: Equifax failed to patch the vulnerability despite being alerted by the U.S. Homeland Security Department in March, a patch-management failure [64031]; the breach was also attributed to human error and technology failures, namely a scanner that did not flag the vulnerability and a staffer who mishandled the patch notice [64175]; and the information security department's March scans failed to identify the vulnerable systems, leaving the flaw unpatched for months [64029].
Intent (Poor/Accidental Decisions) poor_decisions, accidental_decisions (a) The intent of the software failure incident: - The software failure incident at Equifax was primarily due to poor decisions made by the company. Equifax failed to patch a known vulnerability in the Apache Struts software, despite being aware of it for months. This failure to apply the patch was attributed to human error and technology failures [Article 64029]. Equifax's former CEO mentioned that the breach occurred due to both human error and technology failures, indicating poor decisions in handling the security vulnerability [Article 64031]. Additionally, Equifax was criticized for not spotting the breach earlier due to an expired software certificate, which was a crucial component for monitoring the network for suspicious traffic [Article 78900]. (b) The software failure incident also involved accidental decisions or mistakes: - The Equifax breach was described as a combination of human error and technology failures, suggesting accidental decisions or mistakes played a role in the incident [Article 64029]. The indictment mentioned that Equifax did not patch a vulnerability in its online dispute portal, which was exploited by Chinese military hackers, indicating an accidental decision or oversight in not addressing the software flaw [Article 95961].
Capability (Incompetence/Accidental) development_incompetence, accidental (a) The software failure incident occurring due to development incompetence: - Equifax's massive data breach was attributed to incompetence, failures, and negligence in responding to the breach, as attackers exploited a web-application vulnerability that had a patch available but was not applied in time [62849]. - Equifax failed to patch a software security vulnerability despite being alerted in March, leading to hackers obtaining personal information from over 140 million Americans [64031]. - Equifax's breach was not spotted due to an expired software certificate, indicating a lack of monitoring and professional oversight in maintaining security measures [78900]. (b) The software failure incident occurring accidentally: - Equifax's former CEO mentioned that the breach occurred due to both human error and technology failures, indicating accidental factors contributing to the incident [64029]. - The indictment revealed that Equifax did not patch a vulnerability in its online dispute portal, which was exploited by Chinese military hackers, suggesting an accidental failure in addressing known software flaws [95961]. - The breach at Equifax was blamed on a single employee mishandling patches, indicating accidental human error as a contributing factor [64175].
Duration temporary, permanent (a) temporary: the intrusion itself was bounded. It ran from mid-May to July 29, 2017, when Equifax detected it [Article 62873], and existed only because a patch known since March had not been applied to the Apache software by May [Article 64029, Article 62949]; once the application was disabled, the exposure of the system ended. (b) permanent: the consequences cannot be reversed. Data on more than 140 million people was taken through the Apache Struts flaw that Equifax knew about but did not fix [Article 62931], and a congressional committee concluded the breach was entirely preventable [Article 95795].
Behaviour omission, timing, value, other (a) crash: none of the articles report a crash. The comparison in Article 63917, guards at Fort Knox forgetting to lock the doors and not noticing thieves emptying the vaults, describes an omission, not a crash. (b) omission: Article 64029 states that scans run by Equifax's information security department in March should have identified systems vulnerable to the software issue but did not, so the vulnerability stayed in an Equifax web application longer than it should have and hackers used it to access personal identifying information. (c) timing: Article 63964 reports that Equifax was warned about the vulnerability in March but did not fix it until months later, a failure to act within the required time. (d) value: the March scan produced an incorrect result, reporting no vulnerable systems when the dispute portal was in fact exposed [Article 64175, Article 64029]; Article 95559 adds that Equifax ignored both the patch and the instructions for fixing the serious bug in the Apache Struts Framework, leaving the flaw for Chinese hackers to exploit. (e) byzantine: no information in the articles points to byzantine behaviour. (f) other: Article 64175 argues that blame cannot rest on one person but on a lack of accountability and a poor security culture within the company, an organizational failure rather than a purely technical one.

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, theoretical_consequence (d) property: people's data was impacted. Hackers gained unauthorized access to Social Security numbers, birth dates, home addresses, driver's license data, credit card numbers for 209,000 consumers, and credit dispute documents for 182,000 others [62849, 62873, 63165]. (h) theoretical_consequence: the exposure leaves the roughly 143 million affected people at lasting risk of identity theft, financial loss and other harm [62989]. Separately, Equifax executives were reported to have sold an unusual amount of stock before the breach was publicly disclosed, raising insider-trading concerns [62989].
Domain information, finance, government, other (a) The failed system was related to the industry of information production and distribution, specifically in the context of consumer data and credit reporting [Article 63165]. (h) The software failure incident was linked to the finance industry, particularly in the realm of credit reporting and consumer data management [Article 63165]. (l) The software failure incident also had implications for the government sector, as regulatory bodies like the Federal Trade Commission and the Securities and Exchange Commission were involved in investigating the Equifax data breach [Article 62849, Article 63165, Article 73036]. (m) The Equifax data breach incident could be categorized under the "other" industry as it involved the compromise of sensitive consumer data and personal information on a massive scale, impacting various sectors beyond those listed in the options [Article 63165, Article 73036].
