Time and again, Equifax disregarded warning signs of security vulnerabilities in its IT network, displaying a clear sign of “negligence,” before and after the 2017 data breach, a report by a US Senate subcommittee on Homeland Security and Governmental
The “negligence” of the credit rating monitor, one of the top three in the business, eventually led to the compromise of personal details of over 145 million Americans. To prevent a repeat of such security dysfunction and incompetence, the committee urges Congress to review cybersecurity policies and procedures.
“Pass legislation that establishes a national uniform standard requiring private entities that collect and store PII [personally identifiable information] to take reasonable and appropriate steps to prevent cyber-attacks and data breaches” and require “private entities that suffer a data breach to notify affected consumers, law enforcement, and the appropriate federal regulatory agency without unreasonable delay” are among the top suggestions.
Equifax is not the only entity to fall victim to such a major data breach. In the past 10 years, companies such as Uber, Yahoo!, Anthem and Target also struggled with financial and reputational damage following cyberattacks. Some of them learned from their mistakes but, according to the investigative report, Equifax didn’t.
The company didn’t patch critical vulnerabilities “in a timely manner” and it used an expired SSL certificate. Security team members displayed a complete lack of communication and, worse, they knowingly operated on vulnerable systems and insecure networks in 2015.
“Equifax’s system for vulnerability scanning was a global process that was disconnected from the company’s regional patch management process,” the study stated. “Equifax’s former Director of the global threats and vulnerability management team told Subcommittee staff that in some cases, patching was regional, and in some cases it was global.”
Mark Begor, the new CEO of Equifax, was called before the Senate to testify. He defended the company, saying that cybersecurity is important, yet the measures taken were not
“The fact that Equifax did not have an impenetrable information security program and suffered a breach does not mean that the company failed to take cybersecurity seriously,” Begor said. “Before the cyberattack, I understand that the [Equifax’s] security program was well-funded and -staffed, based on a robust set of policies, standards, and procedures, and supported by general and specialized training.”
Senators also berated Marriott for its data breach, which exposed personal information of 500 million guests, one of the largest so far. However, they only partly blamed the hotelier.
“The data breach announced by Marriott this past November does not appear to have been caused by the same cultural indifference to cybersecurity the record indicates existed at Equifax; rather, it looks like Marriott inherited this breach from Starwood,” said Sen. Tom Carper, D-Del.