The Equifax data breach, one of the largest in U.S. history, was "entirely preventable," according to a new House committee investigation.
The House Oversight and Government Reform Committee, following a 14-month probe, released a scathing report Monday saying the consumer credit reporting agency aggressively collected data on millions of consumers and businesses while failing to take key steps to secure such information.
The breach is estimated to have harmed 148 million consumers.
"In 2005, former Equifax Chief Executive Officer (CEO) Richard Smith embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, information technology (IT) systems, and data," according to the 96-page report authored by Republicans. "Equifax, however, failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable."
The report blames the breach on a series of failures on the part of the company, including a culture of complacency, the lack of a clear IT management operations structure, outdated technology systems and a lack of preparedness to support affected consumers.
"A culture of cybersecurity complacency at Equifax led to the successful exfiltration of the personal information of approximately 148 million individuals," the committee staff wrote. "Equifax’s failure to patch a known critical vulnerability left its systems at risk for 145 days. The company’s failure to implement basic security protocols, including file integrity monitoring and network segmentation, allowed the attackers to access and remove large amounts of data."
The Oversight staff found that the company not only lacked a clear management structure within its IT operations, which hindered it from addressing security matters in a timely manner, but it also was unprepared to identify and notify consumers affected by the breach.
"When Equifax informed the public of the breach on September 7, the company was unprepared to support the large number of affected consumers," the report said. "The dedicated breach website and call centers were immediately overwhelmed, and consumers were not able to obtain timely information about whether they were affected and how they could obtain identity protection services."
The initial breach took place in May 2017, when hackers exploited the Apache Struts vulnerability, gaining entry into Equifax's system that allowed customers to dispute incorrect information on their credit file, according to the committee report. That system, however, was several decades old — having first been built in the 1970s.
The report said the company could have detected the activity but did not have "file integrity monitoring enabled" on this system, known as ACIS, at the time of the attack.
Upon gaining entry into the system, the hackers began to insert malicious scripts in the compromised server — ultimately giving them access to a tranche of consumer data stored in a series of databases. The hackers then exfiltrated this information unbeknownst to the company, according to the report.
"Equifax did not see the data exfiltration because the device used to monitor ACIS network traffic had been inactive for 19 months due to an expired security certificate," the report said. "On July 29, 2017, Equifax updated the expired certificate and immediately noticed suspicious web traffic."
As part of the investigation, the Oversight panel says it reviewed more than 122,000 pages of documents, interviewed three former employees directly involved with Equifax's IT operations, met with current and former employees and talked to cybersecurity experts at Mandiant, the firm hired to investigate the breach.
Equifax in a statement knocked the timing of the report, saying it was not given enough time to respond.
"We are deeply disappointed that the Committee chose not to provide us with adequate time to review and respond to a 100-page report consisting of highly technical and important information. During the few hours we were given to conduct a preliminary review we identified significant inaccuracies and disagree with many of the factual findings," Equifax said.
"Equifax has worked in good faith for nearly 15 months with the Committee to be transparent, cooperative and shed light on our learnings from the incident in order to enrich the cybersecurity community," it added. "While we believe that factual errors serve to undermine the content of the report, we are generally supportive of many of the recommendations the Committee laid out for the government and private industry to better protect consumers, and have already made significant strides in many of these areas."