House Oversight and Government Reform Committee Republicans released a staff report after the committee’s 14-month investigation into the Equifax data breach, one of the largest data breaches in U.S. history.
Through the investigation, the committee reviewed more than 122,000 pages of documents, conducted transcribed interviews with three former Equifax employees directly involved with IT, and met with numerous current and former Equifax employees, in addition to Mandiant, the forensic firm hired to conduct an investigation of the breach.
Read the full report here.
- Entirely preventable. Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues, the data breach could have been prevented.
- Lack of accountability and management structure. Equifax failed to implement clear lines of authority within its internal IT management structure, leading to an execution gap between IT policy development and operation. Ultimately, the gap restricted the company’s ability to implement security initiatives in a comprehensive and timely manner.
- Complex and outdated IT systems. Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment. Both the complexity and antiquated nature of Equifax’s custom-built legacy systems made IT security especially challenging.
- Failure to implement responsible security measures. Equifax allowed over 300 security certificates to expire, including 79 certificates for monitoring business-critical domains. Failure to renew an expired digital certificate for 19 months left Equifax without visibility into the exfiltration of data during the cyberattack.
- Unprepared to support affected consumers. After Equifax informed the public of the data breach, they were unprepared to identify, alert and support affected consumers. The breach website and call centers were immediately overwhelmed, resulting in affected consumers being unable to access information necessary to protect their identity.
As one of the largest consumer reporting agencies in the United States, Equifax has a heightened responsibility to protect consumer data. The government also plays a key role in partnering with the private sector to prevent and mitigate cyberattacks.
The committee’s report details seven recommendations to protect consumers, increase oversight, accountability, and transparency, and modernize IT security solutions. These recommendations will require the work of Congress, the executive branch, and the private sector.