Equifax Breach Was Just as Infuriating and Dumb as You Thought, New House Report Finds

Former CEO of Equifax Richard Smith testifies during a hearing before Senate Commerce, Science and Transportation Committee November 8, 2017 on Capitol Hill in Washington, DC.
Photo: Getty/Alex Wong

House Republicans spent 14 months investigating the 2017 Equifax breach only to reach the same conclusions that virtually everyone else with a brain did in the immediate aftermath of the company’s disclosure. The breach was “entirely preventable,” lawmakers found, and the credit reporting agency’s shit management did absolutely nothing to shield consumers from this mess.

Luckily for Equifax, the same lawmakers who helped produce a new report have managed to pass precisely zero laws that would deter future acts of negligence on this scale. The only recompense consumers have been offered is free credit freezes forever—a useful tool for the next time 147 million people minding their own business get screwed with their pants on.


The full report, published by House Oversight and Government Reform Committee Republicans on Monday, is 96 pages long and offers Equifax some decent, if not totally obvious, advice, such as: “Reduce use of Social Security Numbers as personal identifiers” and “implement modernized IT solutions,” won’t you please.

But there’s really no need to read past the summary unless you enjoy making your blood boil. It spells it all out pretty clearly. And though we’ve all known this information for some time, now it’s all written out underneath a fancy and very official-looking seal.

Here’s a summary of the findings in full:

Entirely preventable. Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues, the data breach could have been prevented.

Lack of accountability and management structure. Equifax failed to implement clear lines of authority within their internal IT management structure, leading to an execution gap between IT policy development and operation. Ultimately, the gap restricted the company’s ability to implement security initiatives in a comprehensive and timely manner.

Complex and outdated IT systems. Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment. Both the complexity and antiquated nature of Equifax’s custom-built legacy systems made IT security especially challenging.

Failure to implement responsible security measurements. Equifax allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains. Failure to renew an expired digital certificate for 19 months left Equifax without visibility on the exfiltration of data during the time of the cyberattack.

Unprepared to support affected consumers. After Equifax informed the public of the data breach, they were unprepared to identify, alert and support affected consumers. The breach website and call centers were immediately overwhelmed, resulting in affected consumers being unable to access information necessary to protect their identity.


You can read a full copy of the report here in all its abysmal glory.

The debate over how to handle this type of corporate malfeasance spiked last year, and although Facebook seemed to have reignited it this summer with its own numerous data-related failures and executive showings of ignorance and disrespect, it’s anyone’s guess whether Congress will ever get its shit together.


However, some lawmakers have come to the conclusion that this will never end and that we’re bound to watch “Equifax-like” disasters occur over and over until the government starts imposing massive fines and threatens to drag corporate executives off to jail.

That plan seems perfectly sensible—after all, we’ve already tried not holding anybody accountable, and that doesn’t really appear to be working.



About the author

Dell Cameron

Privacy, security, tech policy | Got a tip? Email: dell@gizmodo.com | Send me encrypted texts using Signal: (202)556-0846

PGP Fingerprint: A70D 517E FB9A 02C9 C56E 86D5 877E 64E7 10DF A8AE
OTR Fingerprint: 2374A8EA 6D2B7712 0D82D659 C0FE8253 A3F080FD