data breach

According to a report from the House Oversight Committee, Equifax didn’t take steps to prevent a massive data breach that occurred in 2017. As you’re probably aware, it was during that data breach that hackers were able to steal the personal information of 147.7 million Americans from Equifax’s servers. The report also suggests that the company wasn’t able to handle what happened in the aftermath, either. In fact, the report also suggests that the breach was “entirely preventable”.

The 96-page report said that Equifax lacked clear lines of authority in its IT department.  What does this mean? Essentially that the IT department didn’t have important security measures in place where they should have been.  Further, Equifax’s collection of sensitive consumer information was spread out among out-of-date, custom-built systems.  The committee was specifically critical of Equifax’s former CEO Richard Smith.  According to the report, Smith led a strategy of acquiring businesses that collect consumer data and amassing a huge trove of data without implementing a solid strategy to secure it.

The report essentially slammed the credit rating agency’s poor security practices – especially given the sensitive consumer data involved. The report also noted that consumers didn’t have the option to “opt out” of the information collection process. This sounds a lot like some other organization, doesn’t it? It also sounds like they are placing a little bit of blame onto the committee, rather than taking accountability for their own actions. That said, the report was scathing. Smith boasted that the credit giant held “almost 1,200 times” the data that was held in the Library of Congress every single day. Why boast that? It sounds like he was just bragging, and regardless of that, it was problematic.

David Webb, Equifax’s own former chief of information, gave the following statement to the House Committee:

“Equifax did not see the data exfiltration because the device used to monitor [the vulnerable server’s] network traffic had been inactive for 19 months due to an expired security certificate. Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented.” 

This is Equifax’s statement in response to the report:

“We are deeply disappointed that the Committee chose not to provide us with adequate time to review and respond to a 100-page report consisting of highly technical and important information. During the few hours we were given to conduct a preliminary review we identified significant inaccuracies and disagree with many of the factual findings. This is unfortunate and undermines our hope to assist the Committee in producing a credible and thorough public resource for those who wish to learn from our experience managing the 2017 cybersecurity incident. Equifax has worked in good faith for nearly 15 months with the Committee to be transparent, cooperative and shed light on our learnings from the incident in order to enrich the entire cybersecurity community. Since the incident, Equifax has moved forward, taking meaningful steps to enhance our technology and security programs and will continue to focus on consumers, customers and regaining trust with all stakeholders.”