UPDATED 21:43 EDT / DECEMBER 10 2018

SECURITY

Congress finds Equifax failed to take basic security measures prior to being hacked

The House Oversight and Government Reform Committee today released a report on the hack of credit reporting agency Equifax Inc., finding that the company didn’t take basic security measures that may have prevented the hack.

Equifax first reported that it had been hacked in September 2017, saying that the records of 143 million people had been stolen, later revising that figure to 146.6 million.

Almost all of those people had Social Security numbers exposed. Some 99 million saw their address information exposed, 20.3 million had phone numbers revealed and 17.6 million had their driver’s licenses exposed.

The committee found, after 14 months of looking into the matter, that the hack was entirely preventable. “Equifax failed to fully appreciate and mitigate its cybersecurity risks,” the committee said. “Had the company taken action to address its observable security issues, the data breach could have been prevented.”

A lack of accountability and Equifax’s management structure were cited as contributing to the hack, including a failure to implement clear lines of authority within its internal information technology management structure, which led to an execution gap between IT policy development and operation. Also cited: outdated and complex IT systems, including what the committee described as antiquated, custom-built legacy systems.

Arguably the most damning finding by the committee was a complete failure by the company to implement even basic security requirements.

“Equifax allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains,” the committee said. “Failure to renew an expired digital certificate for 19 months left Equifax without visibility on the exfiltration of data during the time of the cyberattack.”

Perhaps unsurprisingly, Equifax was critical of the committee’s findings, complaining that it was not given enough time to review the report before its publication. It also claimed to have “identified significant inaccuracies and disagree with many of the factual findings.”

The report concluded that Congress needs to boost the oversight powers of the Federal Trade Commission as well as get the U.S. Securities and Exchange Commission to work with the private sector on disclosure of cybersecurity-related matters.
