Cyber security wasn’t a priority at Equifax [EFX] before a massive data breach the credit reporting company disclosed in September 2017 and it lacked a sustained and comprehensive effort to fix known vulnerabilities, a bipartisan Senate investigative panel says in a new report.

“Equifax had no standalone written corporate policy governing the patching of known cyber vulnerabilities until 2015,” says the report by the Permanent Subcommittee on Investigations, which is under the Senate Homeland Security and Governmental Affairs Committee. It says an audit done after the policy was implemented uncovered 8,500 unpatched and known vulnerabilities, of which over 1,000 were deemed medium to critical in risk but were not addressed in accordance with the new guidance.

Sen. Tom Carper (D-Del.)

“Former top Equifax official we interviewed were very frank about the priority they placed on cyber security,” Sen. Tom Carper (D-Del.), said on Thursday in in opening remarks at a subcommittee hearing to discuss private sector data breaches and potential legislation to help create standards for companies to abide by to strengthen data security and notify affected victims within a certain timeframe.

“One key former security official told subcommittee staff that ‘security wasn’t first’ at Equifax,” Carper said. “The company’s former chief information officer was extremely dismissive of the importance of key security processes during his interview, saying that he considered the patching of security flaws to be a ‘lower level responsibility that was six levels down’ from him.”

The Equifax breach involved personally identifiable information such as names, birth dates, addresses, driver’s licenses numbers, and Social Security Numbers. The breach was discovered in July 2017 and eventually led to the resignation of its CEO at the time.

Mark Begor, who joined Equifax in April 2018 as its CEO, told the subcommittee that the company at the time of the breach did take cyber security seriously and that its data security program was “well-funded and staffed, based on a robust set of policies, standards, and procedures, and supported by general specialized training.”

Still, Begor said the company could have done more and that since his hiring has hired 1,000 new employees with cyber security and technology expertise, increased spending on security by 50 percent, has made security part of the company’s “DNA,” and is moving toward becoming a leader in data security.

Begor noted that there is no evidence that the data stolen from the company has been sold or used for identity theft.

Sen. Kamala Harris (D-Calif.), cited a former senior intelligence official telling CNBC that the data was probably stolen from a foreign intelligence agency, “which would explain why the stolen information has not been used for garden variety crimes.”

The subcommittee’s 71-page report, How Equifax Neglected Cybersecurity and Suffered a Devastating Data Breach, makes five recommendations, including calling for Congress to pass a law that creates a national uniform standard requiring private entities that collect and store PII to take reasonable and appropriate steps to prevent cyberattacks and data breaches.” PII refers to personally identifiable information. The report also recommends legislation that requires private entities that suffer a data breach to notify appropriate authorities and affected consumers “without unreasonable delay.”

Begor and Arne Sorenson, president and CEO of the global hospitality company Marriott International [MAR], both told the panel they are subject to dozens of state data breach laws that are all different in terms of their requirements. Begor said Equifax supports federal legislation to unify the standards and Sorenson said such legislation would make it “simpler” for Marriott to comply with.