Equifax's security shortfalls detailed

WASHINGTON -- The cyber breach of the credit reporting agency Equifax that exposed the personal data of 148 million Americans last year was "entirely preventable" and due in part to outdated security systems and an unaccountable corporate management structure, according to a report from congressional investigators.

The Republican staff of the House Oversight and Government Reform Committee said Atlanta-based Equifax, one of three large companies that collect and analyze reams of consumers' information to sell to lenders, has a "heightened responsibility" to protect its data -- and failed egregiously.

"Equifax failed to fully appreciate and mitigate its cybersecurity risks," the 96-page report states. "Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented."

The report, released Monday, caps the committee's 14-month investigation into the breach, which is one of the largest in U.S. history. It makes recommendations about ways that Congress, federal agencies and private companies can prevent future hacks, including moving away from Social Security numbers as the prime way to authenticate a person's identity and studying ways to mitigate security risks.

But the analysis is not without controversy.

The investigation was largely bipartisan, but the committee's top Democrat, U.S. Rep. Elijah Cummings of Maryland, said the final report did not incorporate suggestions from Democrats to prevent future breaches. And Equifax said it identified "significant inaccuracies" with the report's factual findings, even as it said it agreed with many of its recommendations.

"We are deeply disappointed that the Committee chose not to provide us with adequate time to review and respond to a 100-page report consisting of highly technical and important information," company spokesman Jacob Hawkins said. "During the few hours we were given to conduct a preliminary review we identified significant inaccuracies and disagree with many of the factual findings."

Equifax is a key cog in the global financial system, collecting consumer data such as Social Security numbers, driver's license numbers and birthdates to help lenders verify people's identities and decide whether they are credit-worthy.

The sensitive nature of that information is what made the news so dire when the company announced in September 2017 that a security flaw had allowed hackers to access the data of more than half of American adults from mid-May of that year until the end of July, when the company discovered the breach.

The investigative report echoed testimony before Congress last year finding that Equifax was warned about the flaw in March 2017, but the company failed to make the fix before hackers could infiltrate the company's systems.

The new House Oversight report said two main internal factors allowed the breach to occur.

First, it said the company grew too rapidly. As Equifax accelerated its acquisitions of smaller firms beginning in 2005, it couldn't merge and streamline its information technology security programs fast enough, the report states.

Second, the structure of Equifax's information technology department allowed for a "lack of accountability and no clear lines of authority." That disorganization let more than 300 security certificates expire and left one critical vulnerability unpatched for 145 days.

"The company's failure to implement basic security protocols, including file integrity monitoring and network segmentation, allowed the attackers to access and remove large amounts of data," according to the report.
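File integrity monitoring, one of the two "basic security protocols" the report says Equifax lacked, means keeping a trusted baseline of what the files on a system look like and alerting when that baseline changes. The script below is an added illustration of the idea, written for this page; it is not code from Equifax or from the committee's report. The directory tree, file names and the tampering it detects are all constructed in a temporary directory so it runs offline.

```python
"""Minimal file integrity monitor (FIM): baseline a directory tree, then
report files that were added, removed or modified since the baseline.
Added example for illustration; not Equifax's or the committee's code."""
import hashlib
import json
import os
import tempfile


def sha256_of(path: str, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each regular file (path relative to root, '/'-separated) to its
    hash, size and permission bits. Symlinks are skipped: swapping one in
    would surface as a removed/added pair rather than a silent change."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": sha256_of(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Diff two baselines. A permission change alone counts as a modification,
    since making a dropped file executable is itself a signal."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario (hypothetical paths): a web root is baselined, then
    an unexpected file appears and an existing config file is altered.
    Returns the change report that a real FIM would forward as an alert."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "webapps", "app")
        os.makedirs(app)
        with open(os.path.join(app, "index.jsp"), "w") as f:
            f.write("<html>hello</html>\n")
        with open(os.path.join(app, "config.properties"), "w") as f:
            f.write("db.host=localhost\n")

        baseline = build_baseline(root)
        # In practice the baseline is stored off-host (or signed) so an
        # attacker who owns the box cannot simply rewrite it.
        json.dumps(baseline)

        # Simulated tampering after the baseline was taken.
        with open(os.path.join(app, "dropped.jsp"), "w") as f:
            f.write("<!-- file not present at baseline -->\n")
        with open(os.path.join(app, "config.properties"), "a") as f:
            f.write("debug=true\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run stand-alone it prints the added and modified paths. A production deployment would schedule the scan, cover the directories that matter (web roots, binaries, configuration) rather than one tree, and ship the report to a system the monitored host cannot write to.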

The House Oversight panel also blamed Equifax for being unprepared once it informed the public of the breach. A new website and 1,500-person call center were immediately overwhelmed, and employees were not properly trained to help consumers protect their identity. And the company's Twitter account directed consumers to a phishing website for nearly two weeks before being fixed.

Consumer advocates have warned that victims could potentially be at risk for years because the pilfered information could be used to impersonate consumers and wreck their finances.

The report makes several recommendations to prevent future hacks, even as it did little to implicate Congress for failing to pass cybersecurity legislation before or after the breach.

The document said lawmakers should review the powers of the Federal Trade Commission to punish businesses for making false or misleading claims about security or failing to take reasonable preventive measures. It also calls on the executive branch to make recommendations to Congress about identification protection services and to work with the private sector to mitigate cybersecurity risks.

In a separate report, Democrats called on Congress to pass a comprehensive law governing how and when the victims of data breaches should be notified and give the Federal Trade Commission power to levy harsher civil penalties when companies violate consumer data security rules.

Equifax's Hawkins said the company was "generally supportive" of many of the recommendations in the GOP report and that it has already "made significant strides in many of these areas."

"Since the incident, Equifax has moved forward, taking meaningful steps to enhance our technology and security programs and will continue to focus on consumers, customers and regaining trust with all stakeholders," Hawkins said.

But the tone of Equifax's response did not satisfy Liz Coyle, the executive director of the consumer advocacy group Georgia Watch.

"The tone was very much that Equifax was a victim, and that is just not the case," she said. "Equifax uses consumer data to make money."

Business on 12/12/2018