US Senate castigates Equifax over data breach
Equifax failed to prioritise cybersecurity and left itself open to attack in the lead up to the massive 2017 data breach that compromised the personal information of more than 145 million Americans, a Senate investigation has found.
The Senate Homeland Security and Governmental Affairs Committee’s Permanent Subcommittee on Investigations’ report into the breach highlights numerous failings by the credit reporting agency both before and after the breach.
The investigation found problems with Equifax’s approach to cybersecurity going back well before the breach. The firm had no standalone written corporate policy governing the patching of known vulnerabilities until 2015.
Even after this was remedied and an audit found thousands of vulnerabilities, several of the issues identified had still not been addressed by the time of the 2017 attack.
In addition, the report says that Equifax did not follow its own patching policy for the vulnerability that ultimately caused the breach, and could not detect the attackers entering its network because it had not taken the steps needed to inspect incoming malicious traffic.
Even once the hackers were inside Equifax’s systems, the damage could have been minimised, but employees had saved usernames and passwords on a file share to make their work more efficient, and Equifax lacked basic tools to detect and identify changes to files.
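The file-change detection the report faults Equifax for lacking is, in its simplest form, file integrity monitoring: hash a baseline of the files and permissions you care about, keep that baseline somewhere the monitored host cannot rewrite, and periodically re-hash and diff. The following is an added example written for this page, not code from the Senate report, from Equifax, or from any product; the directory layout, the file contents and the simulated attacker changes (a trojaned binary, a dropped web shell, a deleted config) are all constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, size and permission bits for every regular file under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,  # chmod u+s on a binary is also a change worth seeing
            }
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    # In practice dest should be off-host or at least signed; an attacker with root
    # on the monitored box can otherwise simply re-baseline after tampering.
    Path(dest).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(Path(src).read_text())


def verify(root: Path, baseline: dict) -> dict:
    """Diff the current state of root against a stored baseline."""
    current = build_baseline(root)
    changes = {"modified": [], "added": [], "deleted": []}
    for rel, meta in baseline.items():
        if rel not in current:
            changes["deleted"].append(rel)
        elif (current[rel]["sha256"] != meta["sha256"]
              or current[rel]["mode"] != meta["mode"]):
            changes["modified"].append(rel)
    for rel in current:
        if rel not in baseline:
            changes["added"].append(rel)
    return changes


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate post-compromise tampering."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "bin").mkdir()
        (root / "bin" / "service").write_bytes(b"\x7fELF original build")

        baseline_path = root.parent / "baseline.json"  # hypothetical off-tree location
        save_baseline(build_baseline(root), baseline_path)

        # Simulated attacker activity (constructed, not from the report):
        (root / "bin" / "service").write_bytes(b"\x7fELF trojaned build")
        (root / "etc" / "shell.jsp").write_text("<% /* constructed web shell placeholder */ %>")
        (root / "etc" / "app.conf").unlink()

        result = verify(root, load_baseline(baseline_path))
        baseline_path.unlink()
        return result


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run the module directly to see the three categories of change reported. The useful properties here are the ones the report implies Equifax lacked: a known-good reference taken before the incident, a periodic comparison rather than ad hoc inspection, and alerting on additions (dropped tooling, web shells) as well as on modified binaries.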
Equifax execs told the report authors that they did everything possible to prevent the breach, but the investigation notes that TransUnion and Experian handled the same risks and avoided being hacked.
Finally, Equifax is criticised for waiting six weeks to disclose the hack and for failing to preserve internal chat records related to the issue.
At a Senate committee hearing, Equifax CEO Mark Begor – who was not with the firm at the time of the hack – apologised.
However, he also pushed back against the report, insisting that “the fact that Equifax did not have an impenetrable information security program and suffered a breach does not mean that the Company failed to take cybersecurity seriously”.