UPDATED 21:43 EST / DECEMBER 10 2018

Congress finds Equifax failed to take basic security measures prior to being hacked

The House Oversight and Government Reform Committee today released a report on the hack of credit reporting agency Equifax Inc., finding that the company didn’t take basic security measures that may have prevented the hack.

Equifax first reported that it had been hacked in September 2017, saying that the records of 143 million people had been stolen, later revising that figure to 146.6 million.

Almost all of them had Social Security numbers exposed. Some 99 million had their address information exposed, 20.3 million had phone numbers revealed and 17.6 million people’s driver’s licenses were breached.

The committee found, after 14 months of looking into the matter, that the hack was entirely preventable. “Equifax failed to fully appreciate and mitigate its cybersecurity risks,” the committee said. “Had the company taken action to address its observable security issues, the data breach could have been prevented.”

A lack of accountability and Equifax’s management structure were cited as contributing to the hack, including a failure to implement clear lines of authority within its internal information technology management structure, which led to an execution gap between IT policy development and operation. Also cited: outdated and complex IT systems, including what the committee described as antiquated, custom-built legacy systems.

Arguably the most damning finding by the committee was a complete failure by the company to implement even basic security requirements.

“Equifax allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains,” the committee said. “Failure to renew an expired digital certificate for 19 months left Equifax without visibility on the exfiltration of data during the time of the cyberattack.”

Perhaps unsurprisingly, Equifax was critical of the committee’s findings, complaining that it was not given enough time to review the report before its publication. It also claimed to have “identified significant inaccuracies and disagree with many of the factual findings.”

The report concluded that Congress needs to boost the oversight powers of the Federal Trade Commission as well as get the U.S. Securities and Exchange Commission to work with the private sector on disclosure of cybersecurity-related matters.
