Question

On September 7, 2017, Equifax announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Cyber criminals have accessed sensitive information -- including names, Social Security numbers, birth dates, addresses, and the number of some driver's licenses.

Use the GAO Risk Assessment Methodology 3, pages 34-38, to document the vulnerabilities to Equifax and identify the recommended countermeasures / security controls to protect customer PII.

Include detailed information explaining how these security controls can reduce risk.

https://www.gao.gov/assets/690/681342.pdf

Solutions

Expert Solution

An Apache Struts vulnerability led to the data breach that began in May 2017. The Subcommittee initiated an investigation into the circumstances surrounding the Equifax cybersecurity breach, which was announced on September 7, 2017.

Based on this investigation, the Subcommittee concludes that Equifax’s response to the March 2017 cybersecurity vulnerability that facilitated the breach was inadequate and hampered by Equifax’s neglect of cybersecurity.

Recommendations

Congress should pass legislation that establishes a national uniform standard requiring private entities that collect and store PII to take reasonable and appropriate steps to prevent cyberattacks and data breaches.

Congress should pass legislation requiring private entities that suffer a data breach to notify affected consumers, law enforcement, and the appropriate federal regulatory agency without unreasonable delay.

Congress should explore the need for additional federal efforts to share information with private companies about cybersecurity threats and disseminate cybersecurity best practices that IT asset owners can adopt.

Federal agencies with a role in ensuring private entities take steps to prevent cyberattacks and data breaches and protect PII should examine their authorities and report to Congress with any recommendations to improve the effectiveness of their efforts.

Private entities should re-examine their data retention policies to ensure these policies properly preserve relevant documents in the event of a cyberattack.

