A recent report made by the U.S. House Committee on Oversight and Government Reform found that last year’s Equifax data breach, which left over 148 million people’s information vulnerable, was avoidable. According to MarketWatch, structural flaws led to miscommunication between Equifax’s IT policy development and operation teams, leaving them vulnerable to a 76-day attack in which hackers extracted unencrypted data 265 times.
Additionally, Equifax was aware of flaws such as their inability to patch systems efficiently and did not renew a particular vulnerability for 9 months. The report also criticized how the company reacted to the situation’s aftermath, saying that 1,500 employees were not trained to properly handle customer questions, and that the Equifax Twitter account directed followers to a nefarious website for two weeks after the incident.
“Equifax failed to fully appreciate and mitigate its cybersecurity risks,” the staff majority report said. “As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable.”
Equifax claims to have found “significant inaccuracies” in the report.
“This is unfortunate and undermines our hope to assist the Committee in producing a credible and thorough public resource for those who wish to learn from our experience managing the 2017 cybersecurity incident,” explained an Equifax spokeswoman. “Since the incident, Equifax has moved forward, taking meaningful steps to enhance our technology and security programs and will continue to focus on consumers, customers and regaining trust with all stakeholders.”
Chris Morales, head of security analytics at San Jose, Calif.-based security solution provider Vectra, also found the report not to be totally representative of the incident.
“It is a classic ‘could have, should have’ scenario,” he said. “All networks have become highly complex and the failure comes down to people and process, not necessarily technology. As long as a motive exists, attackers will continuously attempt to compromise networks until they succeed.”
The committees provided Equifax with seven recommendations on how to strengthen their information security, including increasing transparency, modernizing internet technology, and holding federal contractors more accountable for cybersecurity.