Attackers accessed the company’s systems 265 times.
The Equifax data breach that exposed the personal information of more than 148 million consumers could have been prevented, a report released on Monday by the U.S. House Committee on Oversight and Government Reform found.
“Equifax failed to fully appreciate and mitigate its cybersecurity risks,” the staff majority report said. “As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable.”
The report traced the breach to flaws in the company’s structure that led to a breakdown in communication between the people who set Equifax’s IT policy and the people who ran its systems. This delayed many critical system patches. Separately, a security certificate on the device Equifax used to inspect network traffic had expired and gone unrenewed for 19 months, leaving that traffic uninspected. Ultimately the attackers were inside Equifax’s network for 76 days, during which they extracted unencrypted data from Equifax systems 265 times. The company had known about its inability to patch systems in a timely manner and did not fix it, the report found.
Even consumers who weren’t directly affected by the Equifax breach should take action to protect themselves, experts say. One important step is to freeze your credit, which can now be done for free.

An Equifax spokeswoman told MarketWatch the company worked “in good faith” with the Committee to share information on what it learned from the breach and said it has identified “significant inaccuracies” in the 100-page report.
“This is unfortunate and undermines our hope to assist the Committee in producing a credible and thorough public resource for those who wish to learn from our experience managing the 2017 cybersecurity incident,” the Equifax spokeswoman said. “Since the incident, Equifax has moved forward, taking meaningful steps to enhance our technology and security programs and will continue to focus on consumers, customers and regaining trust with all stakeholders.”
The report also criticized the way Equifax handled the fallout from the hack. The call center the company set up was quickly overwhelmed with calls from consumers, and its 1,500 employees were not properly trained to answer their questions, the report found. The official Equifax Twitter account repeatedly directed consumers to a fake look-alike website, rather than the company’s own breach-response site, over the two weeks following the announcement.
Despite these missteps, Chris Morales, head of security analytics at San Jose, Calif.-based security solution provider Vectra, said he does not think the breach was “entirely preventable” as the report concluded.
“It is a classic ‘could have, should have’ scenario,” he said. “All networks have become highly complex and the failure comes down to people and process, not necessarily technology. As long as a motive exists, attackers will continuously attempt to compromise networks until they succeed.”
Still, the committee made seven recommendations to prevent future incidents like this one at Equifax and similar companies, including increasing transparency, modernizing information technology systems, and holding federal contractors more accountable for cybersecurity.
The committee also suggested reducing the use of Social Security numbers as personal identifiers, a move that has been floated in the past by the Trump administration. Rob Joyce, special assistant to the president and White House cybersecurity coordinator, said at a conference in 2017 that the Social Security number “has outlived its usefulness.” However, switching away from Social Security numbers is not a cure-all, said Nathan Wenzler, senior director of cybersecurity at Moss Adams, a Seattle, Wash.-based accounting, consulting and wealth management firm.
“SSNs aren’t a great security tool, but replacing them with another number would require a vast overhaul of technology systems worldwide, and still leave us with another identifier that could likely be stolen or compromised by the next big data breach,” he said.