2017: Equifax & IT Governance
Equifax suffered one of the largest data breaches in the history of the United States: the personal data of 147.9 million Americans, 15.2 million British citizens and about 19,000 Canadian citizens was compromised. The breach led to the CEO of Equifax testifying before Congress and to a settlement of $575 million.
The breach occurred when a well-known open source package (Apache Struts) used in an Internet-facing service was exploited. From published news reports and the CEO's testimony, Equifax followed its standard operating procedures for patching.
The device that was exploited had been identified as needing the patch. That implies high-risk Internet-facing services were both identified and prioritized for patching, which in turn shows working asset management and risk-based prioritization. In addition, deployment of the patch was planned before the exploit occurred. With this information, we can say that Equifax followed best practices for three critical functions:
- Asset Management
- Identification of High Risk Assets
- Patch Management.
However, one device was not patched and was subsequently exploited. As reported by NBC News, the CEO said:
While Smith said he was personally "ultimately responsible for what happened", he also blamed a single unnamed person in the IT department for not updating, or "patching", one of Equifax's "portals" after the credit reporting giant was alerted to the security gap in March.
While this is obviously a case study in poor leadership - the CEO blaming a single individual - it is also an example of poor governance. Relying on one person to carry out an important job is normal; that is what staff are for. However, given the importance of patching as a critical function, governance of the patching process failed. Management should have had tools and independent sources (vulnerability scan results, configuration management data, version checks against the exposed services themselves) to confirm that critical devices were actually patched, rather than taking the patcher's own report as the record. Relying on one person to do their job is expected. Relying on one person to perform an absolutely critical function without any oversight or confirmation is a lack of governance.
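To make the governance point concrete, here is an added example of the kind of independent confirmation the paragraph above calls for. It is not Equifax's tooling or data; the asset inventory, the patch tracker entries and the scan results are all constructed, the host names and the package version numbers (fixed version "1.4.2") are hypothetical. The check reconciles three sources: what the asset inventory says is exposed, what the responsible engineer recorded in the tracker, and what an independent scan actually observed. A "patched" entry in the tracker is never accepted on its own; an asset the scanner could not reach is reported too, because a missing observation is exactly the blind spot in which a single unpatched portal can sit.

```python
from typing import Dict, List, Tuple

# Constructed asset inventory (hypothetical hosts). Internet-facing consumer
# portals are the "high risk assets" the article's second bullet refers to.
INVENTORY: Dict[str, dict] = {
    "portal-01": {"internet_facing": True, "tier": "critical"},
    "portal-02": {"internet_facing": True, "tier": "critical"},
    "portal-03": {"internet_facing": True, "tier": "critical"},
    "intranet-01": {"internet_facing": False, "tier": "low"},
}

# Constructed patch tracker: the status the responsible engineer recorded.
TRACKER: Dict[str, str] = {
    "portal-01": "patched",
    "portal-02": "patched",     # recorded as done
    "portal-03": "patched",     # recorded as done
    "intranet-01": "scheduled",
}

# Constructed output of an independent check (package query or version banner
# collected by a scanner, not by the engineer who applied the patch).
# portal-03 is absent: the scanner never reached it.
OBSERVED: Dict[str, str] = {
    "portal-01": "1.4.2",
    "portal-02": "1.3.9",
    "intranet-01": "1.3.9",
}

FIXED_VERSION = "1.4.2"  # hypothetical first version containing the fix

SEVERITY = {"critical": 0, "high": 1, "low": 2}


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version to a comparable tuple: '1.4.2' -> (1, 4, 2).
    Assumes purely numeric components, which is enough for this example."""
    return tuple(int(part) for part in v.split("."))


def reconcile(inventory: Dict[str, dict], tracker: Dict[str, str],
              observed: Dict[str, str], fixed_version: str) -> List[Tuple[str, str, str]]:
    """Return (asset, finding, tier) for every asset whose patched state is not
    independently confirmed. The tracker's own claim is never trusted alone."""
    fixed = parse_version(fixed_version)
    findings: List[Tuple[str, str, str]] = []
    for asset, meta in inventory.items():
        claim = tracker.get(asset, "untracked")
        if asset not in observed:
            # No evidence at all: a "patched" claim here is unverified.
            findings.append((asset, f"no_independent_evidence (tracker says {claim})", meta["tier"]))
            continue
        confirmed = parse_version(observed[asset]) >= fixed
        if confirmed:
            continue
        if claim == "patched":
            # Self-report and observed state disagree: this is the governance gap.
            findings.append((asset, "tracker_says_patched_but_observed_vulnerable", meta["tier"]))
        elif meta["internet_facing"]:
            findings.append((asset, f"exposed_unpatched (tracker says {claim})", meta["tier"]))
        else:
            findings.append((asset, f"internal_unpatched (tracker says {claim})", meta["tier"]))
    # Critical, Internet-facing assets float to the top of the report.
    findings.sort(key=lambda f: SEVERITY.get(f[2], 99))
    return findings


if __name__ == "__main__":
    for asset, finding, tier in reconcile(INVENTORY, TRACKER, OBSERVED, FIXED_VERSION):
        print(f"[{tier}] {asset}: {finding}")
```

Run against the constructed data, the report lists portal-02 (tracker says patched, scan shows the old version), portal-03 (no scan evidence at all) and the low-tier intranet host; portal-01 is confirmed and silent. The first two lines are the ones a manager needs to see, and neither would exist if the tracker were the only source consulted.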