Senate committee report: "Repeated failures to protect sensitive information of more than 145 million Americans." Carper calls for legislative action on security standards.
"For years, Equifax neglected cybersecurity and repeatedly ignored potential vulnerabilities, which, ultimately, led to a massive breach," said Sen. Tom Carper.
“This report documents the failure of Equifax to follow basic cybersecurity practices and protect consumer information,” said Sen. Rob Portman (R-Ohio).
Today, Carper and Portman, the Ranking Member and Chairman of the Permanent Subcommittee on Investigations, published a new report detailing the years of repeated failures on the part of Equifax, one of the nation’s largest consumer reporting agencies, that led to a devastating data breach in 2017.
Link to the full report (PDF)
As a result of poor cybersecurity practices, Equifax failed to adequately protect the sensitive information of over 145 million Americans, including information on driver’s licenses, passports and Social Security numbers.
The latest report makes clear that, for years, Equifax neglected cybersecurity and, thus, left itself – and millions of American households – open to attack. The damage done by the hackers could have been minimized if Equifax had prioritized widely agreed-upon cybersecurity protocols. As a result of the company’s poor cybersecurity practices, hackers had access to consumers’ personal information for nearly four months before Equifax even notified the public.
By comparison, TransUnion and Experian, Equifax’s two largest competitors, received the same information regarding potential vulnerabilities, yet there is no indication that either was attacked by hackers seeking to exploit the vulnerabilities.
Unfortunately, the American public may never know the full story behind the 2017 Equifax breach because company officials failed to retain key records from that time. The records of extensive internal discussions among Equifax officials about the data breach in real time were determined by the company to be disposable.
The report’s key findings include:
- After being warned by the Department of Homeland Security about a critical vulnerability in certain versions of Apache Struts – a widely used piece of web application software – and being informed that the vulnerability was easy to exploit, Equifax conducted scans of its network, but none of the scans identified the vulnerable version of Apache Struts running on Equifax’s network. Equifax officials knew the limitations of these scans, since the company was aware it lacked a full inventory of its IT assets.
- Equifax staff who were aware of Equifax’s use of Apache Struts were left off of the incomplete email distribution list used to circulate information about the Apache Struts vulnerability.
- Because Equifax decided to structure its networks in such a way as to support efficient business operations rather than security protocols, the hackers were able to access significant amounts of data, including additional unencrypted usernames and passwords that Equifax employees had stored on a file share.
- Equifax allowed a key tool used to monitor IT assets for malicious web traffic to expire in November 2016. As a result, the hackers’ presence in the company’s network went entirely undetected for 78 days.
- Because Equifax was unaware of all the IT assets it owned, unaware of the need to patch the Apache Struts vulnerability, and unable to detect attacks on key portions of its network, hackers had access to consumers’ personal information for nearly four months before the company informed the public.
In interviews the Subcommittee conducted with multiple current and former Equifax employees from the information security and IT departments, most believed that the actions taken were an appropriate response to the Apache Struts vulnerability. Both TransUnion and Experian, Equifax’s largest competitors, deployed software to verify the installation of security patches, ran scans more frequently and maintained an up-to-date IT asset inventory. There is no indication that either was attacked by hackers seeking to exploit the Apache Struts vulnerability.
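The findings above describe three control gaps a defender can check for mechanically: hosts in the asset inventory that the vulnerability scan never reached, hosts the scan discovered that the inventory does not know about, and monitoring components whose certificates have lapsed. The script below is an added illustration of such a reconciliation; it is not from the report or from any of the companies named. The inventory, scan output, certificate dates and the list of versions treated as vulnerable are all constructed placeholders for the example, not values from the report.

```python
"""Reconcile an IT asset inventory against vulnerability-scan output and
report the coverage gaps: unscanned inventory hosts, scanned hosts missing
from the inventory, hosts running a version on the affected list, and
expired monitoring certificates. All data here is constructed sample input."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Constructed inventory: hostname -> set of (component, version) pairs.
INVENTORY: dict[str, set[tuple[str, str]]] = {
    "web-01": {("apache-struts", "2.3.30")},
    "web-02": {("apache-struts", "2.5.10")},
    "db-01": {("postgres", "9.6")},
    "legacy-portal": set(),  # known host with no recorded software inventory
}

# Constructed scanner output: hostname -> components the scanner observed.
SCAN_RESULTS: dict[str, set[tuple[str, str]]] = {
    "web-01": {("apache-struts", "2.3.30")},
    "db-01": {("postgres", "9.6")},
    "shadow-web": {("apache-struts", "2.3.31")},  # never entered in the inventory
}

# Placeholder affected-version list; in practice this comes from the vendor advisory.
VULNERABLE_VERSIONS: dict[str, set[str]] = {
    "apache-struts": {"2.3.30", "2.3.31", "2.5.10"},
}

# Constructed certificate expiry dates for traffic-monitoring components.
MONITOR_CERTS: dict[str, date] = {
    "ssl-inspection-appliance": date(2016, 11, 30),
    "ids-sensor": date(2019, 6, 1),
}


@dataclass
class CoverageReport:
    unscanned: list[str] = field(default_factory=list)  # in inventory, not scanned
    unknown_hosts: list[str] = field(default_factory=list)  # scanned, not in inventory
    vulnerable: list[tuple[str, str, str]] = field(default_factory=list)  # (host, component, version)


def reconcile(inventory: dict[str, set[tuple[str, str]]],
              scan: dict[str, set[tuple[str, str]]],
              vulnerable_versions: dict[str, set[str]]) -> CoverageReport:
    """Compare inventory and scan coverage and flag affected versions seen by either source."""
    report = CoverageReport()
    report.unscanned = sorted(set(inventory) - set(scan))
    report.unknown_hosts = sorted(set(scan) - set(inventory))
    # Check every host either source knows about; a host missing from one
    # source is exactly the case where relying on a single list fails.
    for host in sorted(set(inventory) | set(scan)):
        components = inventory.get(host, set()) | scan.get(host, set())
        for name, version in sorted(components):
            if version in vulnerable_versions.get(name, set()):
                report.vulnerable.append((host, name, version))
    return report


def expired_monitors(certs: dict[str, date], today: date) -> list[tuple[str, date]]:
    """Return monitoring components whose certificate has expired as of `today`."""
    return [(name, exp) for name, exp in sorted(certs.items()) if exp <= today]


if __name__ == "__main__":
    r = reconcile(INVENTORY, SCAN_RESULTS, VULNERABLE_VERSIONS)
    print("Inventory hosts never scanned:", r.unscanned)
    print("Scanned hosts missing from inventory:", r.unknown_hosts)
    print("Hosts on affected-version list:", r.vulnerable)
    print("Expired monitoring certs:", expired_monitors(MONITOR_CERTS, date(2017, 3, 1)))
```

Running the sample flags `web-02` and `legacy-portal` as never scanned, `shadow-web` as a host the inventory does not know about, all three Struts hosts as running an affected version, and the inspection appliance certificate as expired. The union of inventory and scan data is the point: a vulnerable host shows up as long as either source knows about it, which is the opposite of a scan whose reach is bounded by an incomplete inventory.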
“This report documents the failure of Equifax to follow basic cybersecurity practices and protect consumer information,” said Senator Portman.
“Companies and government agencies, alike, must take steps to protect the data consumers entrust to them. And when that data is compromised, we deserve to know as soon as possible so we can make sure criminals are not taking advantage of us. I look forward to working with Senator Carper on legislation to ensure both the protection of consumer data and prompt notification when data is compromised.”