A new Senate report claims Equifax neglected cybersecurity for years — and because of its “poor cybersecurity practices,” 145 million Americans had their personal information exposed in the company’s massive 2017 data breach.
“I was surprised that a company as big as Equifax who has so much sensitive data on so many people in this country was so ill prepared to anticipate a cyber attack and to be able to thwart it,” said Senator Tom Carper (D-DE) in an interview with Yahoo Finance.
The Equifax (EFX) and Marriott (MAR) CEOs testified about their companies’ data breaches before the committee on Thursday morning. In November 2018, Marriott said a data breach exposed the personal information of up to 500 million people.
The Permanent Subcommittee on Investigations (PSI), led by Sen. Rob Portman (R-OH) and Carper, released the bipartisan Equifax report on Wednesday.
The PSI report claims the damage done by hackers might have been avoided if Equifax had prioritized “widely agreed upon” cybersecurity protocols.
Portman and Carper say hackers had access to consumers’ personal information for nearly four months before Equifax told the public.
“Companies and government agencies, alike, must take steps to protect the data consumers entrust to them. And when that data is compromised, we deserve to know as soon as possible so we can do everything we can to ensure criminals are not taking advantage of us. I look forward to working with Senator Carper on legislation to ensure both the protection of consumer data and prompt notification when data is compromised,” Portman said in a statement.
Report: Equifax failed to prioritize cybersecurity.
The report claims Equifax failed to retain key records from the time of the breach.
The investigation found Equifax let a tool used to monitor for malicious web traffic expire in November 2016, and the hackers’ presence in the company’s network went undetected for 78 days.
Carper told Yahoo Finance Equifax could have seen the attack coming.
“There was a way to prepare for it, to defend against it. Their competitors did so,” said Carper. “Equifax failed to do these common sense procedures that I think even novices like us would've taken.”
The report found Equifax had no written policy for the patching of known cyber vulnerabilities until 2015. The company did not have a complete understanding of the IT assets it owned, because it did not have a comprehensive inventory — which made it nearly impossible for Equifax to know if vulnerabilities existed on its network, according to the PSI report.
The PSI report also says the company conducted an audit in 2015, but left several of the issues it found unaddressed in the months leading up to the 2017 data breach.
In a statement Equifax said the company cooperated with the investigation.
“...while we do not agree with a number of findings and characterizations in the report, we remain committed to being transparent and cooperative, while sharing important learnings from the 2017 incident with the cybersecurity community. We have made significant progress since the incident to enhance our security and technology operations. We have hired highly qualified Chief Technology and Chief Information Security Officers reporting directly to the CEO, as well as nearly 1,000 full-time IT and security professionals. In addition, we have increased our technology and security spending by an incremental $1.25 billion between 2018 and 2020, and we will continue to invest heavily to transform our technology and security to industry-leading capabilities,” said Jacob Hawkins, an Equifax spokesperson.
The current Equifax CEO, Mark Begor, was not at the company during the time of the breach.
In the hearing on Thursday, Begor told senators “the fact that Equifax suffered a data breach does not mean the company did not have an appropriate data security program or that the company failed to take cybersecurity seriously.”
The report recommends Congress pass legislation requiring private entities to notify consumers, law enforcement and regulatory agencies “without unreasonable delay.”
In the hearing, Carper said it is “long past time” for a nationwide standard for data protection and data breach notification.
“The time is here to do it,” said Carper.
The report also says Congress should pass legislation requiring companies that collect and store personally identifiable information to take steps to prevent data breaches.
Jessica Smith is a reporter for Yahoo Finance based in Washington, D.C. Follow her on Twitter at @JessicaASmith8.