A U.S. House committee has released a staff report that concludes the Equifax breach from 2017 was “entirely preventable.” The report includes many notable findings, including recommendations for the business sector to avoid such incidents in the future.
On Sept. 14, 2017, House Oversight and Government Reform Committee Republicans started investigating the Equifax data breach that affected 148 million consumers, including some in Europe.
In the 14 months since, the Committee discovered that Equifax failed to define clear lines of authority assigning responsibility for the data it was collecting, that it was using outdated systems, and that it was unprepared to support customers in the event of a breach, among other things. Most importantly, the Committee found the incident could have been easily avoided. As some readers will remember, Equifax failed to patch known vulnerabilities in the Apache Struts web application framework, which allowed hackers access to its systems. From the report:
- Entirely preventable. Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address observable security issues, the data breach could have been prevented.
- Lack of accountability and management structure. Equifax failed to implement clear lines of authority within its internal IT management structure, leading to an execution gap between IT policy development and operation. Ultimately, the gap restricted the company’s ability to implement security initiatives in a comprehensive and timely manner.
- Complex and outdated IT systems. Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment. Both the complexity and antiquated nature of Equifax’s custom-built legacy systems made IT security especially challenging.
- Failure to implement responsible security measurements. Equifax allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains. Failure to renew an expired digital certificate for 19 months left Equifax without visibility on the exfiltration of data during the cyberattack.
- Unprepared to support affected consumers. After Equifax told the public of the data breach, it was unprepared to identify, alert and support affected consumers. The breach website and call centers were immediately overwhelmed, and affected consumers couldn’t access information needed to protect their identity.
The Committee says Equifax has “a heightened responsibility” to protect the personal data of its customers, but stresses that the government should be more involved as well. It recommends organizations increase oversight, accountability, and transparency in their operations and infrastructure, and modernize IT security solutions. The Committee’s full list of recommendations can be found here.
The Equifax breach was one of the biggest of its kind in U.S. history, but because it occurred in the pre-GDPR era, European authorities – on behalf of affected UK customers – could only fine the company the maximum allowable penalty under the 1996 Data Protection Act: £500,000. Under the GDPR, that penalty would have been orders of magnitude higher.
However, the American credit reporting agency did not escape the incident unscathed. Far from it, actually. In the weeks following the breach, Equifax let go of not one, but three of its top executives. Several other employees were charged with insider trading in relation to the breach. Equifax’s image, as a result of the scandal, took a serious beating that was more than reflected in the stock market.