A new report from the House Oversight Committee says the massive Equifax [EFX] data breach, which affected 148 million Americans, was “entirely preventable” and that new reforms are required to better protect consumer information.

The report, released on Monday, says the Consumer Reporting Agency (CRA) failed to fully patch its systems after discovering a software flaw and lacked the necessary structure to mitigate risks in the wake of the 2017 breach.

“Equifax…failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable,” the committee wrote in the report.

Lawmakers concluded in their 14-month-long investigation that Equifax’s aggressive growth strategy over the last decade led to an overreliance on outdated, vulnerable IT systems and allowed over 300 security certificates to expire.

In a statement, Equifax said the report contains inaccuracies and contended they were not given adequate time to respond to the committee’s findings.

“We are deeply disappointed that the Committee chose not to provide us with adequate time to review and respond to a 100-page report consisting of highly technical and important information. During the few hours we were given to conduct a preliminary review we identified significant inaccuracies and disagree with many of the factual findings,” Equifax officials said in a statement.

Company IT officials identified a software flaw in March 2017 and attempted to patch the company’s assets, but left its Automated Consumer Interview System with the known vulnerability, according to the report. By May 2017, hackers had launched an attack through the system, exposing 148 million Americans’ sensitive data.

“Equifax failed to implement clear lines of authority within their internal IT management structure, leading to an execution gap between IT policy development and operation. Ultimately, the gap restricted the company’s ability to implement security initiatives in a comprehensive and timely manner,” the committee wrote in the report.

The report recommends CRA implement improved transparency measures and calls for a review of Federal Trade Commission authorities to ensure the agency has the necessary enforcement tools to more effectively monitor data security practices.

Lawmakers are also calling on GAO to provide a report to Congress on the current effectiveness of identity monitoring and protection services offered to victims of a breach.

“The Equifax data breach and federal customers’ use of Equifax identity validation services highlight the need for the federal government to be vigilant in mitigating cybersecurity risk in federal acquisition,” the committee wrote in its report.

Committee members are also suggesting the SEC push for cyber risk disclosures in company filings and a continued effort from the OMB to develop requirements to hold firms liable for data losses.

“There should be a government-wide framework of cybersecurity and data security risk-based requirements,” lawmakers wrote in the report.