The Equifax data breach that leaked information on what is now 145 million people was caused by a vulnerability in the Apache Struts web framework. The trouble is, the software's maintainers had supplied a patch back in March that should have eliminated that vulnerability. But Equifax's former CEO (who abruptly retired last week) told the House Energy and Commerce Committee that a single IT technician was at fault for the whole thing, having failed to install the patch.
While speaking to the committee, former CEO Richard Smith outlined the company's normal procedure for new patches: have a technician install the patch, then scan the system for any remaining vulnerabilities. Apparently, both the human step and the automated step failed.
As Smith outlines in his written testimony (PDF), the Department of Homeland Security's Computer Emergency Readiness Team (CERT) sent Equifax (alongside many other companies) a notice on March 8th, 2017 about the vulnerability in certain versions of Apache Struts. Equifax sent out an internal mass-email, which should have required its internal IT team to fix the vulnerability within 48 hours, but that didn't happen. An automatic scan for vulnerabilities on March 15th also failed to indicate that Equifax was using a Struts version that had the vulnerability.
Based on Equifax's postmortem investigation, the attackers who exploited this exact weakness likely first used it to get into Equifax's systems on May 13th, and then kept at it until July 30th, with Equifax's security tools none the wiser. Only suspicious traffic in and out of its systems on July 29th tipped the company off to the breach. From there, the company began its investigation.
During his testimony, Smith identified the company IT employee who should have applied the patch as responsible: "The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not."
That didn't stop the committee from lambasting Smith and Equifax's failure to protect user data. Lawmakers pondered how to prevent similar breaches in the future, but focused on the company's failure in what might be the hearing's defining quote: "How does this happen when so much is at stake?" Rep. Greg Walden (R-Ore.) asked Smith. "I don't think we can pass a law that fixes stupid."
But the committee didn't lose sight of the ultimate consequence of the breach: the personal data genie can't be put back in the bottle.
"You can't change your Social Security number and I can't change my mother's maiden name," Rep. Debbie Dingell (D-Mich.) said in the hearing, according to The Los Angeles Times. "This data is out there forever."