Euro Security Watch with Mathew J. Schwartz

Data Loss Prevention (DLP), Encryption & Key Management, General Data Protection Regulation (GDPR)

Why Was Equifax So Stupid About Passwords?

Massive Credit Bureau Stored Users' Plaintext Passwords in Testing Environment
Excerpt from the U.K. Information Commissioner's Office's monetary penalty notice against Equifax

Massive, well-resourced companies are still using live customer data in testing environments, violating not just good development practices but also privacy laws.


That's yet another security failure takeaway from last year's massive Equifax breach.

Compared to Equifax's poor information security and patch management practices, which led to the loss of personally identifiable information for at least 145.5 million U.S. consumers, 15.2 million U.K. consumers and 8,000 Canadian consumers, using live data in a testing environment might seem to be a footnote. But it's not.

Indeed, Equifax managed to compound the severity of its breach by also storing users' passwords, in plaintext, in a file on a shared fileshare, when its own cryptographic standards stated that passwords should only ever be stored in encrypted, hashed, masked, tokenized or other approved formats.

Credit Bureau Profits From Consumer Data

Equifax isn't the first corporate giant that failed to properly secure consumer data (see Why Are We So Stupid About Passwords? Yahoo Edition).

But the security failure at Equifax is especially egregious, given that it generates massive profits from buying, sharing and selling personal information - often without individuals' knowledge - but still failed to have the right resources in place to ensure that it was also securing this sensitive information.

Some privacy and security experts point out that many consumers would never have known that the company was acquiring, selling or storing their personal details.

"Equifax Ltd. showed a serious disregard for their customers and the personal information entrusted to them," U.K. Information Commissioner Elizabeth Denham said last week. "Many of the people affected would not have been aware the company held their data; learning about the cyberattack would have been unexpected and is likely to have caused particular distress."

Denham helms the Information Commissioner's Office, which is the U.K.'s data protection authority responsible for enforcing the country's privacy laws.

Password Security Failures

In the 32-page monetary penalty notice (PDF) issued against Equifax last week, the ICO cites a long list of failures at Equifax that contributed to the breach. Those failures include Equifax creating a "GCS dataset" - for Global Consumer Services - that attackers compromised, which contained 14,961 U.K. "data subjects' name, address, date of birth, username, password (in plaintext), secret question and answer (in plaintext), credit card number (obscured) and some payment amounts."

The ICO notes that the compromised data was being stored in a plaintext file labeled as being the "Standard Fraud Daily" report, which Equifax said was designed to be a "snapshot in time" of the GCS data.

"The file was held in a fileshare, which was accessible by multiple users - including system administrators and middleware technicians - for the purposes of maintenance and/or the release of application code. The file contained 'live' data taken from the GCS dataset which was created for testing purposes, with the intention of eventually sending it to Equifax Ltd.'s Fraud Investigations Team in the U.K.," the ICO says. "Equifax Ltd has stated that the file was used in order to perform password analysis for the purposes of fraud prevention."

But the ICO said this was not a valid reason for Equifax having failed to secure the data. "The commissioner has seen no adequate evidence or explanation indicating that this was a valid reason for this data not being processed in accordance with Equifax's data handling and cryptography standards, particularly given the existence of several other fraud prevention techniques in use at the time, none of which required personal data to be stored in plaintext form," the ICO says.

The privacy watchdog also notes "that Equifax has subsequently ceased the practice of storing passwords in plaintext whilst still being able to achieve its fraud prevention aims."
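The notice does not say how Equifax eventually achieved its fraud-prevention aims without plaintext. The following is an added example, not Equifax's code, of the two things the "password analysis" justification is usually about: rejecting passwords that appear in breach corpora, and spotting clusters of accounts that share a password (a signature of credential stuffing or fraud rings). Neither needs the plaintext to be kept. Storage uses salted PBKDF2-HMAC-SHA256 because it is in the Python standard library (argon2id or bcrypt are preferable where available); the reuse check uses a keyed HMAC fingerprint stored separately from the login hash, under the assumption that the key is held in a KMS or HSM and never lands on a fileshare. The breached-password list, the key and the accounts are all constructed for the example.

```python
"""Added example: password storage and fraud analysis without plaintext.
Constructed data throughout; not Equifax's code or any vendor's."""
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, List, Optional

# Work factor for PBKDF2-HMAC-SHA256; assumption for the example, tune for your hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. The record is self-describing so the cost can be raised later."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed stand-in for a breach-corpus blocklist, which is distributed as SHA-1
# digests rather than plaintext for exactly the reason the ICO gives above.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein")
}


def is_breached(password: str) -> bool:
    """Policy check at registration or login; the candidate is hashed, never stored."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper() in BREACHED_SHA1


def reuse_fingerprint(password: str, key: bytes) -> str:
    """Deterministic keyed fingerprint used only for duplicate detection.
    Assumption: `key` lives in a KMS/HSM; without it the fingerprints are not
    guessable offline, and they must never be stored beside the login hashes."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def shared_password_clusters(fingerprints: Dict[str, str], threshold: int = 3) -> Dict[str, List[str]]:
    """Group usernames whose fingerprint appears at least `threshold` times."""
    counts = Counter(fingerprints.values())
    clusters: Dict[str, List[str]] = {}
    for user, fp in fingerprints.items():
        if counts[fp] >= threshold:
            clusters.setdefault(fp, []).append(user)
    return clusters


if __name__ == "__main__":
    # Constructed accounts: three share a weak password, one does not.
    analysis_key = os.urandom(32)  # stands in for a KMS-held key
    accounts = {"alice": "password", "bob": "password", "carol": "password", "dave": "Tr0ub4dor&3"}
    login_records = {u: hash_password(p) for u, p in accounts.items()}
    fps = {u: reuse_fingerprint(p, analysis_key) for u, p in accounts.items()}
    for u, p in accounts.items():
        print(u, "breached" if is_breached(p) else "ok", verify_password(p, login_records[u]))
    print("shared-password clusters:", list(shared_password_clusters(fps).values()))
```

The fraud team gets what it asked for (which accounts share a password, which use a known-breached one) from the fingerprint table and the blocklist; the plaintext never exists outside the request that carried it.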

Excerpt from the ICO's monetary penalty notice against Equifax

Channel 'Lorem Ipsum'

In this day and age, there is no excuse for developers to be using live data in testing environments.

Substituting fake but lookalike data isn't a new concept. Arguably, it dates from the heady "greeking" days of the 1500s, when printers and typesetters began using "lorem ipsum" - nonsensical Latin - as placeholder text.

Enter the digital age: Developers need to ensure that when users enter a value into a 16-digit credit card field, for example, their application handles it correctly. But copying live data into test environments increases the risk that insiders or outsiders who shouldn't be seeing the data might have access to it, because test systems and shared fileshares are typically reachable by far more people, with far weaker controls and monitoring, than the production database the data came from.

That's why numerous development tools offer the ability to obfuscate and mask live data, as well as to generate "good enough" test data that developers can use instead. One caveat: masking must be irreversible from the test environment, and data that has merely been pseudonymized still counts as personal data under GDPR if the original can be re-identified; only properly synthetic or anonymized data takes the test environment out of scope.

European IT market researcher Bloor Research notes that such tools are available from a variety of vendors, including CA, Compuware, Dataprof, Dataguise, Delphix, HPE, IBM, Imperva Camouflage, IMS Privacy Analytics, Informatica, Mentis, Net 2000, Protegrity and Solix.
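As an added example of what the masking step in such a tool looks like (constructed for this article, not the code of any vendor listed above or of Equifax), the snippet below takes a record with the same field mix as the GCS snapshot described in the ICO notice and produces a test copy: identifiers are replaced by keyed, deterministic pseudonyms so joins between tables still line up, the date of birth is shifted, the card number keeps its issuer prefix but is regenerated with a valid Luhn check digit so format logic is still exercised, and the password is never carried over at all. The record, the masking key and the pass-through allowlist are assumptions; the key would live in a KMS outside the test environment.

```python
"""Added example: masking a 'live' customer record into test data.
Constructed record and key; not the code of any named vendor or of Equifax."""
import hashlib
import hmac
import random
from datetime import date, timedelta
from typing import Dict, List

# Constructed record with the field mix the ICO notice describes for the GCS snapshot.
LIVE_RECORD = {
    "name": "Jane Example",
    "address": "12 Sample Street, Sampletown, AB1 2CD",
    "dob": "1975-03-14",
    "username": "jane.example",
    "password": "Winter2017!",
    "secret_question": "Mother's maiden name?",
    "secret_answer": "Smith",
    "card_number": "4539578763621486",  # constructed, Luhn-valid
    "payment_amount": "49.99",
}

# Assumption: held in a KMS/HSM in production and never copied to the test environment.
MASKING_KEY = b"constructed-example-masking-key"

# Fields that identify nobody on their own and may be copied unchanged.
PASS_THROUGH = {"secret_question"}


def luhn_valid(number: str) -> bool:
    """Standard mod-10 check over the full number, check digit included."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """The digit that makes partial + digit pass luhn_valid."""
    return next(c for c in "0123456789" if luhn_valid(partial + c))


def pseudonym(value: str, key: bytes, length: int = 10) -> str:
    """Keyed, deterministic token: same input, same output, so cross-table joins
    survive masking, but it cannot be reversed without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def mask_card(pan: str, rng: random.Random) -> str:
    """Keep the 6-digit issuer prefix, randomise the rest, recompute the check digit."""
    prefix = pan[:6]
    body = "".join(str(rng.randint(0, 9)) for _ in range(len(pan) - len(prefix) - 1))
    return prefix + body + luhn_check_digit(prefix + body)


def shift_dob(dob_iso: str, rng: random.Random, max_days: int = 180) -> str:
    """Non-zero random shift: age bracket roughly preserved, exact birthday gone."""
    delta = rng.choice([d for d in range(-max_days, max_days + 1) if d != 0])
    return (date.fromisoformat(dob_iso) + timedelta(days=delta)).isoformat()


def mask_record(rec: Dict[str, str], key: bytes, seed: int = 0) -> Dict[str, str]:
    """Seeded so a masking run is reproducible; pseudonyms depend only on the key."""
    rng = random.Random(seed)
    tag = pseudonym(rec["username"], key)
    alphabet = "abcdefghjkmnpqrstuvwxyz23456789"
    return {
        "name": f"Test User {tag}",
        "address": f"{int(tag[:4], 16) % 999 + 1} Test Street, Testville, ZZ1 1ZZ",
        "dob": shift_dob(rec["dob"], rng),
        "username": f"u_{tag}",
        # The real password (or its hash) is never copied; issue a throwaway one.
        "password": "Test-" + "".join(rng.choice(alphabet) for _ in range(12)),
        "secret_question": rec["secret_question"],
        "secret_answer": pseudonym(rec["secret_answer"], key, 8),
        "card_number": mask_card(rec["card_number"], rng),
        # Keeps the format but cannot be matched back to a real statement line.
        "payment_amount": f"{float(rec['payment_amount']) * rng.uniform(0.5, 1.5):.2f}",
    }


def leaked_fields(live: Dict[str, str], masked: Dict[str, str]) -> List[str]:
    """Release gate for the test dataset: any non-allowlisted field copied verbatim fails."""
    return [k for k in live if k not in PASS_THROUGH and masked.get(k) == live[k]]


if __name__ == "__main__":
    masked = mask_record(LIVE_RECORD, MASKING_KEY, seed=42)
    for field, value in masked.items():
        print(f"{field:16} {value}")
    print("luhn ok:", luhn_valid(masked["card_number"]), "leaked:", leaked_fields(LIVE_RECORD, masked))
```

The `leaked_fields` gate is the part worth wiring into the pipeline that builds the test dataset: a masking job that silently passes a real field through is exactly the "snapshot in time" problem the ICO describes.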

Equifax Failed to Obtain Consent

Equifax compounded its data security and privacy failures by not only storing plaintext passwords and security questions and answers in a plaintext file, but also not obtaining users' consent for doing so.

Under the U.K.'s Data Protection Act, data subjects must give "specific and informed indication" of the ways in which they will allow their data to be processed.

The ICO asked Equifax why it had failed to obtain consent from users to store their plaintext passwords and security questions and other data in a plaintext file.

"Equifax suggested that informing data subjects that their passwords would be stored in plaintext form would have created a security risk," the ICO says. "The commissioner's view is that this type of processing activity was an inappropriate security risk, particularly given the state of the art and costs of implementation as regards appropriate technical measures to protect personal data, the resources available to an organization of Equifax's size, and the nature of the processing it undertook."

UK Hits Equifax With Maximum Fine

Earlier this month, the U.S. Government Accountability Office issued a report into the Equifax breach that described five key factors that contributed to the breach (see Postmortem: Multiple Failures Behind the Equifax Breach).

The ICO's penalty notice cites some of these same failures, including Equifax having failed to renew a digital certificate for more than a year, which left one of its network traffic inspection tools unable to decrypt and scan encrypted traffic for signs of malicious activity. That blind spot is how attackers were able to exfiltrate stolen data from Equifax unnoticed from May 2017, as Equifax discovered in July 2017 after it renewed the certificate and the tool began working again; a tool that fails silently when its certificate expires is a monitoring gap, not just a certificate-management one.

Taking these and other failures into account, the ICO last week imposed the maximum possible fine on Equifax.

Luckily for Equifax, its breach occurred before the May 25, 2018 start of enforcement for the EU's General Data Protection Regulation.

Organizations that fail to comply with GDPR's privacy requirements face fines of up to 4 percent of their annual global revenue or €20 million ($23 million), whichever is greater. Organizations that fail to comply with GDPR's reporting requirements also face a separate fine of up to €10 million ($12 million) or 2 percent of annual global revenue (see GDPR Effect: Data Protection Complaints Spike).

Under the previous data protection laws, however, the maximum - and levied - fine facing Equifax was just £500,000 ($660,000), or 0.02 percent of the company's 2017 annual global revenue of $3.4 billion.

Few Repercussions in U.S.

While Europe continues to crack down on companies that fail to properly secure private data, many information security experts say the U.S. lags.

Information assurance trainer William Hugh Murray says big credit bureaus such as Equifax should be held to a higher standard of security, given the types of PII they handle.

Congress, however, has declined to impose any such controls, leaving the distinct impression that firms such as Equifax are not only too big to fail, but too big to bother regulating (see Cynic's Guide to the Equifax Breach: Nothing Will Change).

"One should not be surprised by this [Equifax] breach scenario," Murray says. "Few breaches are rooted in a single failure. However, these were all failures of essential practices, ones that would be expected of any business, much less one that deals in purloined data about all citizens."

About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
