Equifax’s lag in security growth led to 2017 hack, report says
Firm failed to match defence to growth, leading to data breach of 148 million people
Equifax Inc. failed to modernize its technology security to match the company’s aggressive growth strategy and data gathering, a shortcoming that left it open to the 2017 hack that compromised the information of 148 million people — including 19,000 in Canada — according to a U.S. House Oversight Committee report.
“Had the company taken action to address its observable security issues prior to this cyber attack, the data breach could have been prevented,” according to the report, which was released Monday and prepared by the committee’s Republican staff.
Equifax didn’t have clear “lines of authority” for ensuring digital security and failed to patch its systems when a vulnerability was publicly disclosed in 2017, according to the report. Driven by an aggressive growth campaign, Equifax began in 2005 to collect vast amounts of new data. The company did so without having an adequate plan to protect it, committee staff said.
In a statement following the release of the report on Monday, Equifax said that since the incident, it has taken “meaningful steps” to improve security. The company also said that the House Oversight Committee report contained “significant inaccuracies” and that the committee didn’t provide Equifax with sufficient time to review the report.
“While we believe that factual errors serve to undermine the content of the report, we are generally supportive of many of the recommendations the committee laid out for the government and private industry to better protect consumers, and have already made significant strides in many of these areas,” Equifax said in its statement.
In a set of recommendations, committee staff said the Federal Trade Commission may need “additional oversight authorities and enforcement tools” to protect consumer data. The report also encouraged companies to be more transparent about cyber risks and data protection.
Democrats on the oversight and technology committees issued a separate report Monday, saying the Republicans didn’t incorporate necessary reforms to help prevent data breaches in the future. They recommended legislation on how to notify victims of a data breach and, like the Republicans, strengthening the FTC.
Hackers gained access to the Equifax network in May 2017 and attacked the company for 76 days, according to the report. Equifax noticed “red flags” in late July, and then in early August contacted the Federal Bureau of Investigation, outside counsel and cybersecurity firm Mandiant. The company waited until September to inform the public of the breach.
Equifax had previously said that the hackers exploited a software vulnerability known as Apache Struts CVE-2017-5638. The Apache Software Foundation, which oversees the open-source software, had issued a patch for the flaw in March 2017, two months before hackers began accessing Equifax data.
Equifax has faced withering criticism over its failure to quickly apply the patch.