The US House of Representatives Committee on Oversight and Government Reform released its report on the Equifax breach. It found that the lack of modernized security controls combined with dozens of expired certificates created vulnerable systems and resulted in the data breach of 143 million records.
The cyberattack that started on May 13, 2017, lasted for 76 days, during which time malicious actors were able to access and exfiltrate unencrypted personally identifiable information hundreds of times, according to the report.
The breach resulted in CEO Richard Smith announcing his retirement on September 26, 2017, a little over a month after he had delivered a speech at the University of Georgia in which he explained that the company manages massive amounts of very unique data.
Smith stated: “We have data on approaching 100 million companies around the world. The data assets are so large, so unique it is...credit data, it is financial data – we have something like $20 trillion of wealth data on individuals, so how many annuities, mutual funds, equities you own. About $20 trillion on property data, so property that you might own – what the value was when you bought it, what it’s worth today. Utility data, marketing data, I could go on and on and on – but massive amounts of data.”
According to the committee’s findings, “Equifax should have addressed at least two points of failure to mitigate, or even prevent, this data breach. First, a lack of accountability and no clear lines of authority in Equifax’s IT management structure existed, leading to an execution gap between IT policy development and operation.”
“This also restricted the company’s implementation of other security initiatives in a comprehensive and timely manner. As an example, Equifax had allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains.”
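The expired certificates the committee cites are the kind of hygiene failure a routine expiry sweep catches before a monitoring device goes blind. As an added example (not code from the report or from Equifax), the POSIX shell check below flags every certificate in an inventory directory that has expired or will expire within a given window; it assumes only the openssl CLI and constructs its own throwaway test certificate.

```shell
#!/bin/sh
# Added example: expiry sweep over a directory of PEM certificates.
# Assumes the openssl CLI is installed. The certificate checked in the
# test is constructed by make_test_cert, not a real Equifax artifact.

# Return 0 if CERT stays valid for at least WINDOW seconds, 1 if it has
# expired or will expire inside that window (openssl's -checkend).
cert_valid_for() {
  cert="$1"; window="$2"
  openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null 2>&1
}

# Report every *.pem in DIR that expires within DAYS days.
# Returns 0 when nothing is about to expire, 1 otherwise, so it can be
# wired into cron or a monitoring agent that pages on a non-zero exit.
sweep_cert_dir() {
  dir="$1"; days="$2"
  window=$((days * 86400))
  rc=0
  for cert in "$dir"/*.pem; do
    [ -f "$cert" ] || continue
    if ! cert_valid_for "$cert" "$window"; then
      expiry=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
      echo "EXPIRING: $cert (notAfter=$expiry)"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed fixture: a self-signed certificate valid for only one day,
# standing in for a monitoring-appliance cert nobody tracked.
make_test_cert() {
  out="$1"; cn="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
    -keyout "$out.key" -out "$out" >/dev/null 2>&1
}
```

A 30-day window (`sweep_cert_dir /etc/pki/inventory 30`) is a common alerting threshold; the one-day fixture above trips it while still passing a check for the next hour.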
In addition, building critical IT applications on custom-built legacy systems added to the complexity of Equifax’s environment, a problem that was addressed too late to prevent the breach. The report noted that Equifax understood that operating legacy IT systems posed inherent security risks, as evidenced by the company’s later steps to modernize its infrastructure – steps that should have been taken much sooner.
The committee concluded that “Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented.”