The cyber breach of the credit reporting agency Equifax that exposed the sensitive personal data of 148 million Americans last year was “entirely preventable” and due in part to outdated security systems and an unaccountable corporate management structure, according to a blistering report from congressional investigators.
The Republican staff of the House Oversight and Government Reform Committee said Atlanta-based Equifax, one of three massive companies that collect and analyze reams of consumers’ information to sell to lenders, has a “heightened responsibility” to protect its data — and that it failed egregiously.
“Equifax failed to fully appreciate and mitigate its cybersecurity risks,” the 96-page report states. “Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented.”
The report, released Monday, caps off the committee’s 14-month investigation into the breach, which is one of the largest in U.S. history. It makes recommendations about ways that Congress, federal agencies and private companies can prevent future hacks, including moving away from Social Security numbers as the prime way to authenticate a person’s identity and studying ways to mitigate security risks.
But much like everything Congress does, the analysis is not without controversy.
The investigation was largely bipartisan, but the committee’s top Democrat, U.S. Rep. Elijah Cummings of Maryland, said the final report did not incorporate suggestions from Democrats to prevent future breaches. And Equifax itself said it identified “significant inaccuracies” with the report’s factual findings, even as it said it agreed with many of its recommendations.
“We are deeply disappointed that the Committee chose not to provide us with adequate time to review and respond to a 100-page report consisting of highly technical and important information,” company spokesman Jacob Hawkins said. “During the few hours we were given to conduct a preliminary review we identified significant inaccuracies and disagree with many of the factual findings.”
‘Failure to implement’
Equifax is a key cog in the global financial system, collecting consumer data such as Social Security numbers, driver’s license numbers and birthdates to help lenders verify a person’s identity and decide whether he or she is credit-worthy.
The sensitive nature of that information is what made the news so dire when the company announced in September 2017 that a security flaw allowed hackers to access the data of more than half of American adults from mid-May through the end of July last year, when the company discovered the breach.
The investigative report echoed testimony before Congress last year finding that Equifax was warned about the flaw in March 2017, but the company failed to make the fix before hackers could infiltrate the company’s systems.
The new House Oversight report said two main internal factors allowed the breach to occur.
First, it said the company grew too rapidly. As Equifax accelerated its acquisitions of smaller firms beginning in 2005, it couldn’t merge and streamline its information technology security programs fast enough, the report states.
Second, the structure of the Equifax’s IT department allowed for a “lack of accountability and no clear lines of authority.” The chaos led to the company allowing more than 300 security certificates to expire, with one critical vulnerability going unpatched for 145 days.
“The company’s failure to implement basic security protocols, including file integrity monitoring and network segmentation, allowed the attackers to access and remove large amounts of data,” according to the report.
The House Oversight panel also blamed Equifax for being wildly unprepared once it informed the public of the breach. A new website and 1,500-person call center were immediately overwhelmed, and employees were not properly trained to help consumers protect their identity. And the company’s Twitter account directed consumers to a phishing website for nearly two weeks before being fixed.
Consumer advocates have warned that victims could potentially be at risk for years because the pilfered information could be used to impersonate consumers and wreck their finances.
The report makes several recommendations to prevent future hacks, even as it did little to implicate Congress for failing to pass cybersecurity legislation before or after the breach.
The document said lawmakers should review the powers of the Federal Trade Commission to punish businesses for making false or misleading claims about security or failing to take reasonable preventive measures. It also calls on the executive branch to make recommendations to Congress about identification protection services and to work with the private sector to mitigate cybersecurity risks.
In a separate report, Democrats called on Congress to pass a comprehensive law governing how and when the victims of data breaches should be notified and give the FTC power to levy stricter civil penalties when companies violate consumer data security rules.
Equifax’s Hawkins said the company was “generally supportive” of many of the recommendations in the GOP report and that it has already “made significant strides in many of these areas.”
“Since the incident, Equifax has moved forward, taking meaningful steps to enhance our technology and security programs and will continue to focus on consumers, customers and regaining trust with all stakeholders,” Hawkins said.
But the tone of Equifax’s response did not satisfy Liz Coyle, the executive director of the consumer advocacy group Georgia Watch.
“The tone was very much that Equifax was a victim, and that is just not the case,” she said. “Equifax uses consumer data to make money.”
Paul Stephens, the director of policy and advocacy at Privacy Rights Clearinghouse in California, commended Congress for “not trying to sweep it under the rug.” But he also said Congress has utterly failed to pass meaningful legislation — with steep financial penalties — to hold companies accountable for data security.
“You need to create financial incentives either through penalties or other tactics to dissuade companies from being sloppy with personal data in the future,” Stephens said. “There need to be standards and companies need to be held accountable if they don’t meet those standards.”
Coyle agreed, even as she said she agreed with some of the House Oversight panel’s specific recommendations on issues such as Social Security numbers.
After the breach
In addition to the congressional probe, a coalition of state attorneys general, including Georgia’s Chris Carr, launched an investigation into the hacking. The U.S. Attorney’s Office in Atlanta is also leading a federal criminal probe into the breach as well as a criminal investigation into allegations of insider trading by Equifax employees.
Two former Equifax employees were indicted on securities fraud charges earlier this year, and one pleaded guilty to trading his shares before the hacking was made public.
The breach led to the downfall of then-CEO Rick Smith, who over his tenure transformed the company from a pure credit bureau into a mammoth data analysis machine. Other senior executives also left the company, including the chief information and chief security officers at the time of the breach.
In the more than 14 months since the breach was disclosed, Equifax has also hired cybersecurity consultants and beefed up its data protections.
The company also cleaned house, appointing a new executive leadership team.
But mostly, Equifax has plowed ahead.
The company reported $2.6 billion in revenue and $274.2 million in profit through the first nine months of 2018.
In 2017, the company reported $113.3 million in pretax costs related to the hacking, and tens of millions more in costs related to providing a suite of credit protection services to consumers affected by the breach, according to securities filings.
Equifax said in its latest quarterly filing that it expects “to incur significant professional services expenses associated with the 2017 cybersecurity incident in future periods,” as well as costs related to technology and security improvements.
Support real journalism. Support local journalism. Subscribe to The Atlanta Journal-Constitution today. See offers.
Your subscription to the Atlanta Journal-Constitution funds in-depth reporting and investigations that keep you informed. Thank you for supporting real journalism.