A nonpartisan agency's analysis of the Equifax breach, based on a review of incident reports and interviews with Equifax's largest federal customers (the IRS, the Social Security Administration and USPS), revealed:
- Web/system Apache vulnerabilities that had NOT been patched (or were out of date), and a weekly scan that failed to identify the vulnerability
- Failure to inspect traffic because the digital certificate had expired nearly 1 year earlier, so encrypted traffic could NOT be inspected / reviewed (both the attack and the data exfiltration)
- Lack of segmentation, which allowed uninterrupted passage through multiple databases / systems without triggering any alerts (or other access control lists / rules)
- Credentials stored in clear text and NOT encrypted, so they were easily accessed / stolen
- No limit on database queries, so large volumes of data were retrieved / exfiltrated without obstruction or alerts
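
The segmentation and query-limit findings above describe activity that looks unremarkable one query at a time and stands out only in aggregate. The following added example (not taken from the report or from any Equifax system) flags accounts whose reads, within a sliding window, exceed a row budget or span too many databases. The log format, account names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records: ISO timestamp, account, database, rows returned.
SAMPLE_LOG = """\
2024-01-10T09:00:05 app_portal disputes 12
2024-01-10T09:01:10 app_portal disputes 8
2024-01-10T09:02:00 svc_batch disputes 40000
2024-01-10T09:10:00 svc_batch credit_a 45000
2024-01-10T09:20:00 svc_batch credit_b 30000
2024-01-10T09:40:00 svc_batch credit_c 35000
2024-01-10T11:30:00 app_portal disputes 15
"""

def parse(log):
    """Yield (timestamp, account, database, rows) from the assumed log format."""
    for line in log.strip().splitlines():
        ts, account, db, rows = line.split()
        yield datetime.fromisoformat(ts), account, db, int(rows)

def find_bulk_readers(log, row_cap=100_000, db_cap=3, window=timedelta(hours=1)):
    """Return {account: [reasons]} for accounts that, within any sliding window,
    read more than row_cap rows in total or touch more than db_cap databases."""
    events = defaultdict(list)
    for ts, account, db, rows in sorted(parse(log)):
        events[account].append((ts, db, rows))
    alerts = defaultdict(set)
    for account, evs in events.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it covers at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            if sum(rows for _, _, rows in span) > row_cap:
                alerts[account].add("row_volume")
            if len({db for _, db, _ in span}) > db_cap:
                alerts[account].add("database_spread")
    return {account: sorted(reasons) for account, reasons in alerts.items()}

if __name__ == "__main__":
    print(find_bulk_readers(SAMPLE_LOG))
```

No single query in the sample exceeds the row budget, so a per-query cap alone would not have raised an alert. Only the windowed total and the count of distinct databases do.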