We talk a lot about the importance of certificate lifecycle management. But in 2017, one major credit bureau demonstrated the massive damage a single expired digital certificate can have on a corporation—and an entire country. 

The Equifax data breach

It all started when Equifax failed to discover an expired digital certificate used by a network tracking device. Because the company didn’t know the certificate had expired, they didn’t replace it. The result? The network device couldn’t perform the vital vulnerability scanning that might have stopped attackers from infiltrating the network undetected.

And infiltrate they did, pilfering personally identifiable information (PII) from multiple databases over 76 days. The stolen PII included highly sensitive data like Social Security numbers, drivers’ licenses, and credit card numbers—information the more than 150 million affected Americans had trusted Equifax to keep safe.

Equifax’s data breach was one of the most catastrophic in recent history. The breach cost the company $575 million in FTC fines alone, but the damage to their reputation was incalculable. 

So what went wrong, and what can other companies learn from Equifax’s mistakes?

The fatal error: A lack of centralized visibility

The fact that Equifax let a certificate expire is bad enough. But what makes the situation even more shocking is that the network traffic device’s certificate expired a full 10 months before the attackers even infiltrated Equifax’s system.

The average consumer (and the U.S. Senate) had a hard time understanding how Equifax could let a security breach of this magnitude happen. But anyone familiar with securing PKI could tell you that the problem started with the company’s lack of centralized visibility into their digital certificate inventory. 

The responsibility of managing digital certificates has traditionally fallen on the shoulders of a few PKI admins. They do their best to keep tabs on every certificate across the entire enterprise with nothing but spreadsheets, in-house scripting, and other point solutions prone to human error.

None of these tools have the ability to discover or inventory the certificates owned by individual business units. And more often than not, the business units’ certificate owners fail to understand the importance of ensuring their certificates comply with corporate policy and security standards. 

While we don’t have a beat-by-beat analysis of the lead-up to the Equifax breach, we can make some educated guesses. It could have been something as basic as the certificate’s expiration alerts going to an admin who no longer worked for the company. Or it might have been a certificate procured from a certificate authority (CA) that the company hadn’t approved.

What we know for certain is that this data breach was devastating—and that Equifax is far from the only company to suffer the consequences of poor certificate management.

PKI-related outages are on the rise

While Equifax may be the most spectacular example of the damage certificate-related outages can do, they’re by no means unique. Some other recent public examples include:

• The 2018 O2/Ericsson network outage, where an expired certificate caused 32 million UK customers to lose all cellular service for almost 24 hours.
• The 2020 California Reportable Disease Information Exchange (CalREDIE) outage, where an undiscovered expired certificate led to a massive undercount of COVID-19 cases in California and kept CalREDIE partners from uploading lab results to the system for several days.
• The 2021 Azure Active Directory outage brought down Office 365, Xbox Live, and other Microsoft services for 14 hours.

These examples represent a tiny fraction of the outages that take place every year. We conducted a survey in 2021 that revealed two-thirds of companies experienced at least one PKI-related service outage in the previous year, with 25% reporting five to six outages within just the last six months.

It’s a persistent and prevalent problem—one that’s only getting worse as the number of digital certificates skyrockets. TLS/SSL certificates are now being used to authenticate everything from websites and web servers to containerized applications incorporating hundreds of microservices. With the average Global 2000 company’s certificate population now in the hundreds of thousands, manual processes and crossed fingers are no longer a reliable approach to certificate lifecycle management. 

Listen to NIST: The time to centralize visibility is now

In June 2020, the National Institute of Standards and Technology (NIST) published Special Publication 1800-16: Securing Web Transactions, TLS Server Certificate Management (SP 1800-16). This framework, which was mostly written before the pandemic accelerated digital transformation initiatives, stresses that organizations need to “establish and maintain clear visibility across all TLS server certificates in their environment” to enable fundamental certificate lifecycle management tasks, including:

• Discovering potential vulnerabilities, such as the use of weak algorithms
• Identifying and replacing expiring certificates
• Ensuring compliance with regulatory guidelines and corporate policies

NIST recommends maintaining a single central certificate inventory to minimize the risk of overlooking critical TLS server certificates. This begs the question—what if Equifax had had the foresight to deploy an effective certificate lifecycle management (CLM) solution like DigiCert^® Trust Lifecycle Manager to gain visibility across their network?

We know the answer to that question: Warning messages would have alerted the company to the certificate’s impending expiration date. And Equifax would have gotten the certificate renewed long before any threat actors got their hands on millions of customers’ sensitive information.

The latest developments in digital trust

Want to learn more about topics like data security, code signing certificates, and certificate lifecycle management tools? Subscribe to the DigiCert blog to ensure you never miss a story.