House panel issues scathing report on 'entirely preventable' Equifax data breach

The Equifax data breach, one of the largest in U.S. history, was "entirely preventable," according to a new House committee investigation.

The House Oversight and Government Reform Committee, following a 14-month probe, released a scathing report Monday saying the consumer credit reporting agency aggressively collected data on millions of consumers and businesses while failing to take key steps to secure such information.

The breach is estimated to have harmed 148 million consumers.


"In 2005, former Equifax Chief Executive Officer (CEO) Richard Smith embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, information technology (IT) systems, and data," according to the 96-page report authored by Republicans. "Equifax, however, failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable."

The report blames the breach on a series of failures on the part of the company, including a culture of complacency, the lack of a clear IT management operations structure, outdated technology systems and a lack of preparedness to support affected consumers.

"A culture of cybersecurity complacency at Equifax led to the successful exfiltration of the personal information of approximately 148 million individuals," the committee staff wrote. "Equifax’s failure to patch a known critical vulnerability left its systems at risk for 145 days. The company’s failure to implement basic security protocols, including file integrity monitoring and network segmentation, allowed the attackers to access and remove large amounts of data."

The Oversight staff found that the company not only lacked a clear management structure within its IT operations, which hindered it from addressing security matters in a timely manner, but it also was unprepared to identify and notify consumers affected by the breach.

"When Equifax informed the public of the breach on September 7, the company was unprepared to support the large number of affected consumers," the report said. "The dedicated breach website and call centers were immediately overwhelmed, and consumers were not able to obtain timely information about whether they were affected and how they could obtain identity protection services."


The initial breach took place in May 2017, when hackers exploited the Apache Struts vulnerability, gaining entry into Equifax's system that allowed customers to dispute incorrect information on their credit file, according to the committee report. That system, however, was several decades old — having first been built in the 1970s.

The report said the company could have detected the activity but did not have "file integrity monitoring enabled" on this system, known as ACIS, at the time of the attack.

Upon gaining entry into the system, the hackers began to insert malicious scripts in the compromised server — ultimately giving them access to a tranche of consumer data stored in a series of databases. The hackers then exfiltrated this information unbeknownst to the company, according to the report.

"Equifax did not see the data exfiltration because the device used to monitor ACIS network traffic had been inactive for 19 months due to an expired security certificate," the report said. "On July 29, 2017, Equifax updated the expired certificate and immediately noticed suspicious web traffic."

As part of the investigation, the Oversight panel says it reviewed more than 122,000 pages of documents, interviewed three former employees directly involved with Equifax's IT operations, met with current and former employees and talked to cybersecurity experts at Mandiant, the firm hired to investigate the breach.

Top Democrats on the Oversight panel, as well as on the House Science, Space and Technology Committee, blasted Republicans on the Oversight and Government Reform Committee for releasing a report they say missed an opportunity to be bipartisan.
 
"Unfortunately, Committee Republicans issued a report without including Democratic suggestions to prevent data breaches in the future," Reps. Elijah Cummings (D-Md.) and Eddie Bernice Johnson (D-Texas) said in a statement. "This was a missed opportunity to convert the Committees' oversight efforts into concrete reforms that would help prevent future data breaches, hold companies accountable, and protect American consumers and their sensitive personal information."
 
The two Democratic lawmakers also criticized the content of the report.
 
"The Republican staff report merely reiterated findings by media outlets and the Government Accountability Office about Equifax's cybersecurity vulnerabilities and the company's lack of preparedness to protect breach victims," they said in their statement. "In contrast, the Democratic staff report provides detailed legislative and oversight recommendations to better protect consumers from future cyberattacks."
 
Cummings and Johnson recommended "requiring federal financial regulatory agencies to report their efforts to protect consumers from cybertheft and identify areas Congress could enhance agencies' authorities to achieve that goal," guidelines for federal contractors to comply with established cybersecurity standards, a comprehensive notification law that dictates how victims of a data breach must be notified, and an amended Federal Trade Commission Act to "strengthen civil penalties for private sector violations of consumer data security requirements."

Equifax in a statement knocked the timing of the report, saying it was not given enough time to respond.

"We are deeply disappointed that the Committee chose not to provide us with adequate time to review and respond to a 100-page report consisting of highly technical and important information. During the few hours we were given to conduct a preliminary review we identified significant inaccuracies and disagree with many of the factual findings," Equifax said.

"Equifax has worked in good faith for nearly 15 months with the Committee to be transparent, cooperative and shed light on our learnings from the incident in order to enrich the cybersecurity community," it added. "While we believe that factual errors serve to undermine the content of the report, we are generally supportive of many of the recommendations the Committee laid out for the government and private industry to better protect consumers, and have already made significant strides in many of these areas."

Updated at 2:10 p.m.