“Had the company taken action to address its observable security issues prior to this cyber attack, the data breach could have been prevented,” according to the report, which was released Monday and prepared by the committee’s Republican staff.
Equifax didn’t have clear “lines of authority” for ensuring digital security and failed to patch its systems when a vulnerability was publicly disclosed in 2017, according to the report. Driven by an aggressive growth campaign, Equifax began in 2005 to collect vast amounts of new data. The company did so without having an adequate plan to protect it, committee staff said.
In a statement following the release of the report on Monday, Equifax said that since the incident, it has taken “meaningful steps” to improve security. The company also said that the House Oversight Committee report contained “significant inaccuracies” and that the committee didn’t provide Equifax with sufficient time to review the report.
“While we believe that factual errors serve to undermine the content of the report, we are generally supportive of many of the recommendations the committee laid out for the government and private industry to better protect consumers, and have already made significant strides in many of these areas,” Equifax said in its statement.
Report’s Recommendations
In a set of recommendations, committee staff said the Federal Trade Commission may need “additional oversight authorities and enforcement tools” to protect consumer data. The report also encouraged companies to be more transparent about cyber risks and data protection.
Democrats on the oversight and technology committees issued a separate report Monday, saying the Republicans didn’t incorporate necessary reforms to help prevent data breaches in the future. They recommended legislation on how to notify victims of a data breach and, like the Republicans, strengthening the FTC.
Hackers gained access to the Equifax network in mid-May 2017 and attacked the company for 76 days, according to the report. Equifax noticed “red flags” in late July, and then in early August contacted the Federal Bureau of Investigation, outside counsel and cyber-security firm Mandiant. The company waited until September to inform the public of the breach.
Software Vulnerability
Equifax had previously said that the hackers exploited a software vulnerability known as Apache Struts CVE-2017-5638. The Apache Software Foundation, which oversees the open-source software, had issued a patch for the flaw in March 2017, two months before hackers began accessing Equifax data.
Equifax has faced withering criticism over its failure to quickly apply the patch. In the report released Monday, the committee said Equifax was aware it had issues with its patching processes after it conducted an audit of those procedures in 2015.
But it wasn’t just this vulnerability that enabled the hackers to carry out the attack. Once they gained access to the network, they found a file containing unencrypted user names and passwords, according to the report. And an expired security certificate on a device for monitoring network traffic meant that Equifax didn’t detect that data was being stolen.
“This audit found a number of significant deficiencies within the patching process at Equifax,” according to the report.
Email Dispute
During last year’s congressional hearings over the breach, the company’s former chief executive officer, Richard Smith, said Equifax was breached largely because an employee didn’t forward an email that directed the firm’s technology team to fix the software vulnerability. Monday’s report said that the employee was Graeme Payne, the former senior vice president and chief information officer for Equifax’s global corporate platforms.
In an interview with the committee, Payne said he believed Smith’s testimony was a “gross simplification” of what had occurred and said he was never directed to forward such emails, according to the report.
The company was also caught unprepared to deal with the size of the breach, which ultimately amounted to 56 percent of the adult U.S. population.
“The dedicated breach website and call centers were immediately overwhelmed, and consumers were not able to obtain timely information about whether they were affected and how they could obtain identity protection services,” according to the report.