Lawmakers: Equifax Breach ‘Entirely Preventable’


A report by the House Oversight Committee has found that Equifax’s massive data breach could have been easily prevented if its security practices and policies were up to par.

Last year, the credit monitoring firm suffered a breach that impacted the personal data of more than 143 million consumers. Impacted data included names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, 209,000 consumer accounts were accessed, as well as certain dispute documents with personal data for approximately 182,000 consumers.

Now, after reviewing over 122,000 pages of documents, conducting transcribed interviews with three former Equifax employees directly involved with IT and meeting with numerous current and former Equifax employees, the firm hired to investigate the incident has found that the breach was “entirely preventable.”

“Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues, the data breach could have been prevented,” the report stated.

Investigators noted that the company failed to implement “clear lines of authority” within its IT department and maintained complex, outdated IT systems that made securing data and preventing breaches a challenge. In addition, Equifax allowed more than 300 security certificates to expire, including 79 certificates for monitoring business-critical domains.

Even after making the data breach public, Equifax was ill-equipped to identify, alert and support consumers impacted by it.

“The breach website and call centers were immediately overwhelmed, resulting in affected consumers being unable to access information necessary to protect their identity,” the report added.

The report also made seven specific recommendations that Equifax should implement in order to protect consumers, boost oversight, accountability and transparency, and bring its IT security solutions up to the proper standards. The Committee pointed out that all its recommendations “will require the work of Congress, the executive branch and the private sector.”