The cyber attack at Equifax that compromised data for nearly half of all Americans was the result of rapid growth that boosted company’s share price but left the the consumer credit bureau’s IT systems dangerously exposed to hackers. The massive data breach, which took advantage of known security vulnerabilities, “was entirely preventable,” according to a US House of Representatives committee report.
Although Equifax is far from alone—the Marriott-owned Starwood hotel chain and British Airways also reported huge hacker intrusions this year—the credit bureau breach remains one of the biggest known data thefts. The steady drumbeat of breaches signals consumers should be prepared for the worst and be ready to respond. However the House report also shows there’s room for companies to help prevent these incidents in the first place.
Equifax disclosed the cyber intrusion affecting more than 140 million people on Sept. 7, 2017. By that time, hackers had been inside Equifax systems and harvesting information since May. The vulnerability stemmed from a custom-built tech system that dated back to the 1970s and hadn’t received an important software patch, according to the 96-page report by the House Committee on Oversight and Government Reform. The US Department of Homeland Security had alerted Equifax to the software risk and the company’s teams had even discussed the necessary patch, yet it wasn’t fully implemented.
Credit-reporting agencies are a vital part of the US finance system, and their databases contain a vast trove of data that hackers can target. Yet the credit agencies surveil consumer spending and repayment habits without consent, and there’s no way to opt of their services.
Given the sensitivity of the personal data held, from Social Security numbers and birth dates to purchase histories, these agencies have a “heightened responsibility to protect consumer data by providing best-in-class data security,” according to the House report. ”Equifax failed to fully appreciate and mitigate its cybersecurity risks,” the committee added. ”Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented.”
Equifax said it wasn’t given enough time to respond to the committee report and found inaccuracies during the “few hours” it had for a review. “Equifax has worked in good faith for nearly 15 months with the Committee to be transparent, cooperative and shed light on our learnings from the incident in order to enrich the entire cybersecurity community,” Equifax said in an email. “Since the incident, Equifax has moved forward, taking meaningful steps to enhance our technology and security programs.”
The report claims Atlanta-based Equifax made other mistakes, too. After detecting suspicious data transfers from an IP address in China in late July 2017, Equifax finally informed the public of the massive breach on Sept. 7 of that year. When it did, the company was unprepared for the massive support required to help consumers—an Equifax website and call centers “were immediately overwhelmed, and consumers were not able to obtain timely information about whether they were affected and how they could obtain identity protection services,” according to the report.
Equifax’s IT department lacked accountability and didn’t have clear lines of management authority, the report said, which meant security concerns weren’t handled quickly and efficiently. Equifax’s rapid pace of acquisitions, which may have helped boost profits and its share price, also resulted in a complex, antiquated IT system that was ultimately proven vulnerable to hackers.
(This story has been updated with comment from Equifax.)