House panel slams Equifax for breach but offers no legislative fix

Following a long investigation, Republicans on the House Oversight Committee concluded Monday that last year’s massive data breach at Equifax was fully preventable. But they did not recommend the passage of new legislation aimed at averting future cybersecurity fiascoes.

The 96-page report drew criticism from both Equifax, which said the congressional panel did not give the company enough time to respond to highly technical findings, and Democrats on the committee, who complained that their recommendations were ignored.

Still, the report will likely be studied by cybersecurity professionals at U.S. banks, which, like Equifax, possess mountains of sensitive personal information and often rely on layers of technology built on top of outdated computer systems.


Some 148 million consumers, or 56% of all U.S. adults, were affected by the Equifax breach.

The report by Republican congressional staffers blamed Equifax for failing to implement a security program adequate to protect the vast amount of personal data the company maintains.

It also pointed to the Atlanta firm’s aggressive growth strategy in the years before the breach, which brought increasing complexity to its information technology systems.

Moreover, the report found a lack of accountability and no clear lines of authority in Equifax’s IT management structure. Investigators found that the credit reporting firm allowed more than 300 security certificates to expire, including 79 that related to business-critical domains.

“Equifax failed to fully appreciate and mitigate its cybersecurity risks,” the report stated. “Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented.”

Finally, the report blamed Equifax for failing to make adequate preparations ahead of its public disclosure of the breach on Sept. 7, 2017. Call centers and a website that had been established for affected consumers were unable to handle the large volume of traffic.

The report included a series of recommendations for both the private sector and government agencies. For example, it called on credit reporting firms such as Equifax to offer consumers a free summary each year of the personal information they hold on that individual.

The committee also recommended that the Government Accountability Office examine the effectiveness of identity monitoring and protection services, and offer its conclusions to Congress. And it said that federal agencies should work with the private sector to reduce the widespread reliance on Social Security numbers as a means of identifying and authenticating individuals.

In a separate report released Monday, Democrats on the House Oversight Committee called for the passage of new data breach legislation.

Their proposals include a law that would set uniform standards regarding the notification of consumers about breaches. The House Democrats also want to strengthen the Federal Trade Commission’s authority in situations where data security requirements are violated.

They said that the investigation of the Equifax breach by two House committees was bipartisan, but that Democratic recommendations were ignored in the Oversight Committee’s final report.

“This was a missed opportunity to convert the committees’ oversight efforts into concrete reforms that would help prevent future data breaches, hold companies accountable, and protect American consumers and their sensitive personal information,” the Democrats wrote.

The top Democrat on the House Oversight Committee, Rep. Elijah Cummings of Maryland, is expected to become the committee’s chairman in January.

Rep. Maxine Waters, a California Democrat who is poised to become chair of the House Financial Services Committee, has vowed to hold Equifax accountable for last year’s data breach.

In an emailed statement, Equifax said Monday that it worked in good faith for almost 15 months with the House Oversight Committee but that it did not get enough time to study the committee’s findings before their public release.

“During the few hours we were given to conduct a preliminary review we identified significant inaccuracies and disagree with many of the factual findings,” the company’s statement said.

“This is unfortunate and undermines our hope to assist the committee in producing a credible and thorough public resource for those who wish to learn from our experience managing the 2017 cybersecurity incident.”
