Equifax reported that its customer-required ISO certification from EY CertifyPoint was suspended
Equifax Inc. used a consulting arm of its auditor to certify that its information-security risks were under control — a possible conflict for a company that missed the system vulnerability that gave hackers access to the personal information of 143 million consumers. Equifax never disclosed that a subsidiary of its auditor, Ernst & Young, is the consulting firm whose certification services failed to detect the control weakness that led to the massive breach. The auditor relies on these ISO certifications when assessing controls over the information systems that support financial reporting.
Hackers exploited a vulnerability in Apache Struts, open-source web application software, that Equifax had not yet patched even though its IT team had been informed of the hole in its defenses on March 9, 2017. The company was told to patch it within 48 hours. That didn’t happen, said Richard Smith, the former CEO of Equifax, in testimony before the House Energy and Commerce Committee in October 2017.
That failure occurred even though EY CertifyPoint had audited and certified the quality of Equifax’s processes to update software, fix bugs and detect hacks. A certification of this kind attests that a documented process exists and was followed on the evidence sampled, not that every known vulnerability has actually been patched. Hackers breached Equifax’s systems through the Apache Struts vulnerability on May 13, 2017, more than two months after the patch notice, and the company didn’t spot the breach until July 29.