The devastating 2017 breach of credit-reporting company Equifax, which exposed data on 148 million people, was “entirely preventable” had the company applied proactive security measures, a congressional investigation has concluded.
“Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented,” says the report issued Monday by Republicans on the House Oversight and Government Reform Committee.
The committee’s 96-page report lays out why the hack, which compromised people’s names, social security numbers, addresses, credit card numbers, and other identifiers, has become a case study in failed IT leadership and software patching.
A “lack of accountability and no clear lines of authority in Equifax’s IT management structure” meant key security protocols were neglected, the House panel found: Equifax allowed over 300 security certificates to expire, including 79 for monitoring “business-critical” domains.
Furthermore, the company did not spot data being exfiltrated from its systems because a device used to monitor traffic had an expired security certificate, leaving the devices inactive for 19 months, the report said.
The committee also found that former Equifax CEO Richard Smith’s “aggressive growth strategy,” which included numerous acquisitions, bred security risks at the company. As the credit-monitoring giant’s market share surged, it didn’t grasp how the 18 companies it had acquired changed its security posture, according to the committee.
In a statement, Equifax spokesman Jacob Hawkins said the company had found “significant inaccuracies” in its preliminary review of the committee’s report, and that the company disagreed with “many of the factual findings.”
For example, Hawkins said, the report refers to a settlement with state attorneys general that hasn’t happened and inaccurately describes the company’s online portal for consumer disputes as dating to the 1970s, when it was really built more recently.
“We are deeply disappointed that the committee chose not to provide us with adequate time to review and respond to a 100-page report consisting of highly technical and important information,” Hawkins said, adding that Equifax had “worked in good faith for nearly 15 months with the committee.”
Congressional investigators found that Equifax was vastly unprepared for supporting victims of the breach. A website and call centers for victims were flooded, depriving consumers of timely information on how the hack affected them, the committee said.
The long-running fallout from the breach has seen senior executives lose their jobs and U.S. lawmakers excoriate the company for faulty security. Although the company avoided paying a fine with U.S. state regulators in June, a U.K. regulator fined Equifax $664,000 in September for failing to protect information related to 15 million U.K. residents.
With its focus on IT mismanagement, the post-mortem on the Equifax hack is reminiscent of the aftermath of another big compromise of personal information: the 2015 Office of Personnel Management breach. That breach saw alleged Chinese hackers steal sensitive information on some 22 million current and former federal workers.
Although U.S. officials have long suspected and, in some cases, accused, Chinese hackers of breaching OPM, less is publicly known about who orchestrated the Equifax hack. (Two years before it was hacked, Chinese spies targeted Equifax’s confidential business information, the Wall Street Journal reported.) The House Oversight report says that Equifax identified “suspicious traffic” from at least one Chinese IP address while responding to the breach, but these are merely clues in the attack rather than conclusive attribution.
In February, Equifax hired Jamil Farshchi, who helped Home Depot respond to its data breach, as chief information security officer. In a July interview with CyberScoop, Farshchi outlined a three-part plan to change the security culture at Equifax. Farshchi said then that the company didn’t know who carried out the hack.
The House Oversight committee’s 14-month investigation produced several security recommendations for organizations to avoid being the next breach victim, or at least mitigate the damage, including: moving away from the Social Security numbers as an identifier, ditching legacy IT systems, and being more transparent about cybersecurity risk with regulators.
Prior to getting hacked in 2017, Equifax didn’t disclose any cybersecurity incidents or risks it was carrying in its filings with the Securities and Exchange Commission, the committee said. Hawkins, the Equifax spokesman, said that was incorrect, that the company had indeed addressed cybersecurity risk in its SEC disclosures.
House Democrats on Monday released their own report on the Equifax breach, complaining that their suggestions were not included in the report from the House Oversight committee Republicans. The Democrats’ report advocates for a federal law to ensure more timely public notifications of data breaches.
UPDATE, 2:23 pm EDT: This story has been updated with a statement from Equifax.