Equifax: A Failure of Process (and more)

When we learned of the major Equifax breach in September, we may have all ignored this as just another data breach (think Yahoo, Heartland Payment Systems, and Target Stores).  However, this one hit home – for over 145 million people – as the breach exposed our most personal of financial details.

I was tempted to write about this event earlier but opted to wait for a consensus on how the breach occurred.  In the recent hearings on Capitol Hill, Richard Smith, former CEO of Equifax, explained that it was both a failure of technology and a failure of people – but I believe it was also a failure of process.

Technology by itself cannot be the chief culprit, as it takes people to interface with it and to interpret the data that comes from it.  Further, while Equifax can (and did) fire people for failing to install the security patch for Apache Struts (the software with the security vulnerability), what Equifax is missing is twofold.

First, four months before Equifax discovered the breach, it was notified by the US Department of Homeland Security (along with other organizations using the same software) that a vulnerability in the Apache Struts software needed to be patched.  Technology cannot act on a notification by itself – people do – and they do so through a process.

Second, shortly after the notification, Mr. Smith states that Equifax’s information security department ran scans that ‘should have’ identified the vulnerability.  In his testimony, Mr. Smith says that Equifax continues to look into why those scans did not find it.

Here is the problem.  Equifax was notified by the US Department of Homeland Security and, presumably based on that information, used technology to look for the vulnerability.  As anybody who has spent time in the technology world knows, one cannot simply trust the technology – you must verify that what it is telling you is correct.  A scan that reports no finding is not evidence that the vulnerability is absent; it has to be checked against what you know is deployed, which in this case was software DHS had just told Equifax was affected.  It is clear that Equifax did not conduct that due diligence when it compared the results of its scan against the notification from DHS.

How does this relate to IT Asset Management (ITAM)?  As anybody in the ITAM space will tell you, effective ITAM only comes from a combination of people (the right people), technology (the best tool for the need) and process (the right approach, verified).  Those in software asset management (SAM) know that the SAM tool alone is not SAM – and people alone cannot possibly do it all without technology and process.
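The verification step missing from the story above, and the ITAM connection, can be made concrete.  The script below is an added example, not Equifax's tooling or anything from the hearings: it takes an asset inventory (host and installed Struts version, the kind of record a SAM tool keeps), the per-host output of a vulnerability scan, and an advisory's affected-version ranges, and reconciles them.  The payoff is the list of hosts the inventory says should be vulnerable but the scanner either did not flag or never reached, which is exactly the check that turns "the scan came back clean" into something you can trust.  The inventory, the scan output and the version ranges are constructed for illustration and are not taken from a real advisory.

```python
"""Reconcile a vulnerability scan against an asset inventory.

Added example (not Equifax's or any vendor's code).  All data below is
constructed for illustration.
"""

# ASSUMPTION: illustrative affected ranges standing in for an advisory's
# table, as (inclusive low, inclusive high) version strings.
AFFECTED_RANGES = [("2.3.5", "2.3.31"), ("2.5.0", "2.5.10")]

# Constructed inventory: host -> installed Struts version (from the SAM/ITAM tool).
INVENTORY = {
    "web-01": "2.3.31",  # affected, scanner flags it      -> confirmed
    "web-02": "2.3.31",  # affected, scanned, not flagged  -> scanner false negative
    "web-03": "2.5.10",  # affected, scanner never reached -> coverage gap
    "web-04": "2.3.33",  # patched, scanned clean          -> nothing to do
    "web-05": "2.5.13",  # patched, scanner flags anyway   -> scanner false positive
}

# Constructed scan output: host -> True if the scanner flagged the vulnerability.
# Hosts absent from this dict were not scanned at all.
SCAN_RESULTS = {"web-01": True, "web-02": False, "web-04": False,
                "web-05": True, "web-99": True}


def parse_version(v):
    """'2.3.31' -> (2, 3, 31).  Missing components count as zero so that
    '2.5' compares equal to '2.5.0'."""
    parts = [int(p) for p in v.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version, ranges=AFFECTED_RANGES):
    """True if the installed version falls inside any affected range."""
    pv = parse_version(version)
    return any(parse_version(lo) <= pv <= parse_version(hi) for lo, hi in ranges)


def reconcile(inventory, scan_results, ranges=AFFECTED_RANGES):
    """Compare what the inventory says should be vulnerable with what the
    scanner actually reported.  Every bucket is a sorted list of hosts."""
    known = set(inventory)
    expected = {h for h, v in inventory.items() if is_affected(v, ranges)}
    scanned = set(scan_results)
    flagged = {h for h, hit in scan_results.items() if hit}
    return {
        "expected_vulnerable": sorted(expected),
        "confirmed": sorted(expected & flagged),
        # scanned, should be vulnerable, but not flagged: the dangerous case
        "missed_by_scanner": sorted((expected & scanned) - flagged),
        # should be vulnerable but the scanner never covered the host
        "unscanned_and_affected": sorted(expected - scanned),
        # flagged although the inventory says a fixed version is installed
        "flagged_but_not_affected": sorted((flagged & known) - expected),
        # flagged hosts the inventory does not know about at all
        "flagged_unknown_host": sorted(flagged - known),
    }


if __name__ == "__main__":
    report = reconcile(INVENTORY, SCAN_RESULTS)
    for bucket, hosts in report.items():
        print(f"{bucket:26s} {', '.join(hosts) or '-'}")
```

On the constructed data, web-02 lands in `missed_by_scanner` and web-03 in `unscanned_and_affected`: two hosts a clean-looking scan would have left exposed, visible only because the scan was reconciled against the inventory rather than taken at face value.  The `flagged_unknown_host` bucket (web-99) is the ITAM failure in the other direction: a system the scanner sees but the inventory does not know about.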

While I am loath to editorialize, I think Equifax will recover from this much more quickly than the 145 million customers impacted by the breach.  I can only hope that Equifax, and every other entity holding our information, learns from this mistake and puts the right people, process, and technology in place so that it does not happen again.

But then again, I’m a realist and will be writing about this again.