UPDATED 21:43 EST / DECEMBER 10 2018

SECURITY

Congress finds Equifax failed to take basic security measures prior to being hacked

The House Oversight and Government Reform Committee today released a report on the hack of credit reporting agency Equifax Inc., finding that the company didn’t take basic security measures that may have prevented the hack.

Equifax first reported that it had been hacked in September 2017, saying that the records of 143 million people had been stolen, later revising that figure to 146.6 million.

Almost all of those people had their Social Security numbers exposed. Some 99 million had address information exposed, 20.3 million had phone numbers revealed and 17.6 million had driver’s license details breached.

The committee found, after 14 months of looking into the matter, that the hack was entirely preventable. “Equifax failed to fully appreciate and mitigate its cybersecurity risks,” the committee said. “Had the company taken action to address its observable security issues, the data breach could have been prevented.”

A lack of accountability and Equifax’s management structure were cited as contributing to the hack, including a failure to implement clear lines of authority within its internal information technology management structure, which led to an execution gap between IT policy development and operation. Also cited were outdated and complex IT systems, including what the committee described as antiquated, custom-built legacy systems.

Arguably the most damning finding by the committee was a complete failure by the company to implement even basic security requirements.

“Equifax allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains,” the committee said. “Failure to renew an expired digital certificate for 19 months left Equifax without visibility on the exfiltration of data during the time of the cyberattack.”
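The expired-certificate finding describes a loss of monitoring coverage rather than a vulnerability in its own right: an inspection or monitoring system whose certificate has lapsed stops seeing traffic, and nobody notices until something else goes wrong. The following added example (not code from the article or the committee report) shows the kind of inventory check that catches this, using only the Python standard library. It assumes an inventory of hostnames paired with `notAfter` strings in the format that `ssl.SSLSocket.getpeercert()` returns; the hostnames and dates below are constructed for the example.

```python
"""Certificate-expiry inventory check.

Added example, not from the article or the committee report. Assumes an
inventory of (hostname, notAfter) pairs in the OpenSSL text format that
ssl.SSLSocket.getpeercert()['notAfter'] returns, e.g. 'Dec 10 21:43:00 2018 GMT'.
In production the pairs would come from a certificate inventory or from
connecting to each monitored endpoint; here they are constructed inline.
"""
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample inventory: hostnames and dates are made up for this example.
SAMPLE_INVENTORY = [
    ("inspection-proxy.example.internal", "Jan 31 00:00:00 2016 GMT"),  # long expired
    ("monitor.example.internal", "Dec 20 12:00:00 2018 GMT"),           # expiring soon
    ("api.example.internal", "Jun 01 00:00:00 2020 GMT"),               # healthy
]


def parse_not_after(not_after: str) -> datetime:
    """Parse an OpenSSL-style notAfter string into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def classify(inventory, now: datetime, warn_days: int = 30) -> dict:
    """Sort inventory entries into expired / expiring / ok buckets.

    Each bucket holds (hostname, days_remaining) tuples; days_remaining is
    negative for certificates that have already expired, so the size of the
    coverage gap is visible at a glance.
    """
    result = {"expired": [], "expiring": [], "ok": []}
    for host, not_after in inventory:
        delta = parse_not_after(not_after) - now
        entry = (host, delta.days)
        if delta <= timedelta(0):
            result["expired"].append(entry)
        elif delta <= timedelta(days=warn_days):
            result["expiring"].append(entry)
        else:
            result["ok"].append(entry)
    return result


def report_lines(inventory, now: datetime, warn_days: int = 30) -> list:
    """Render the classification as alert lines, worst problems first."""
    buckets = classify(inventory, now, warn_days)
    lines = []
    for host, days in buckets["expired"]:
        lines.append(f"EXPIRED  {host}: lapsed {-days} days ago, monitoring blind")
    for host, days in buckets["expiring"]:
        lines.append(f"WARNING  {host}: expires in {days} days, renew now")
    for host, days in buckets["ok"]:
        lines.append(f"OK       {host}: {days} days remaining")
    return lines


if __name__ == "__main__":
    # Fixed reference time so the sample output is reproducible.
    reference = datetime(2018, 12, 10, 21, 43, tzinfo=timezone.utc)
    for line in report_lines(SAMPLE_INVENTORY, reference):
        print(line)
```

The check takes `now` as a parameter rather than reading the clock so it can be tested against a fixed date; in a real deployment the same classification would run on a schedule and page the owning team for anything in the `expired` bucket, since that bucket is exactly the gap the committee described.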

Perhaps unsurprisingly, Equifax was critical of the committee’s findings, complaining that it was not given enough time to review the report before its publication. It also claimed to have “identified significant inaccuracies and disagree with many of the factual findings.”

The report concluded that Congress needs to boost the oversight powers of the Federal Trade Commission as well as get the U.S. Securities and Exchange Commission to work with the private sector on disclosure of cybersecurity-related matters.
