WASHINGTON, D.C. – Today, U.S. Senators Rob Portman (R-OH) and Tom Carper (D-DE), the Chairman and Ranking Member of the Permanent Subcommittee on Investigations (PSI), released a new report detailing the repeated failures over years on the part of Equifax, one of the nation’s largest consumer reporting agencies, that led to a devastating data breach in 2017. As a result of poor cybersecurity practices, Equifax failed to adequately protect the sensitive information of more than 145 million Americans, including information on driver’s licenses, passports and Social Security numbers.
The latest PSI report makes clear that, for years, Equifax neglected cybersecurity and, thus, left itself – and millions of American households – open to attack. In addition, the damage done by the hackers could have been minimized if Equifax had prioritized widely agreed upon cybersecurity protocols. As a result of the company’s poor cybersecurity practices, hackers had access to consumers’ personal information for nearly four months before Equifax even notified the public.
By comparison, TransUnion and Experian Equifax’s two largest competitors, received the same information regarding potential vulnerabilities, yet there is no indication that either were attacked by hackers seeking to exploit the vulnerabilities.
Unfortunately, the American public may never know the full story behind the 2017 Equifax breach because company officials failed to retain key records from that time. The records of extensive internal discussions among Equifax officials about the data breach in real time were determined by the company to be disposable.
Tomorrow, PSI will hold a hearing entitled, “Examining Private Sector Data Breaches” at which the CEOs of Equifax and Marriott International will testify.
“This report documents the failure of Equifax to follow basic cyber security practices and protect consumer information,” said Senator Portman. “Companies and government agencies, alike, must take steps to protect the data consumers entrust to them. And when that data is compromised, we deserve to know as soon as possible so we can do everything we can to ensure criminals are not taking advantage of us. I look forward to working with Senator Carper on legislation to ensure both the protection of consumer data and prompt notification when data is compromised.”
“You can’t unring the bell once someone’s personal information has been exposed, which is why it is particularly important that consumer reporting agencies – businesses that rely on the collection of personal data – prioritize good cybersecurity practices. Unfortunately, over the course of a more than 17-month investigation, this Subcommittee has found that Equifax did just the opposite. For years, Equifax neglected cybersecurity and repeatedly ignored potential vulnerabilities, which, ultimately, led to a massive breach that compromised the sensitive information of more than 145 million Americans – nearly half the country,” said Senator Carper. “Our bipartisan report shows that this breach could have been minimized, if not avoided. Equifax’s two largest competitors – TransUnion and Experian – received the same information about potential vulnerabilities, took proper steps to secure their systems and, to date, have avoided a breach. What’s more, the public, including the victims of this massive breach, may never get the full story since Equifax officials failed to preserve key internal records during and after the breach. It is my hope that, by shedding light on Equifax’s inadequate cybersecurity practices that led to this devastating data breach, other U.S. companies can avoid similarly devastating breaches that leave millions of American households exposed to hackers. Both private and public entities should feel a sense of urgency to bolster their cyber defenses, and these findings should finally galvanize Congress, along with the Administration, to formalize best practices for companies across this country and put in place nationwide standards in order to adequately protect consumers. We owe it to American consumers to begin restoring their confidence in the ability of institutions to keep their personal information safe and secure.”
The report’s key findings include:
- Unfortunately, the American public may never know the full story behind the 2017 Equifax breach because company officials failed to retain key records from that time. The records of extensive internal discussions among Equifax officials about the data breach in real time were determined by the company to be disposable.
- After being warned by the Department of Homeland Security about a critical vulnerability in certain versions of Apache Struts – a widely-used piece of web application software – and being informed that the vulnerability was easy to exploit, Equifax conducted scans of its network, but none of the scans identified the vulnerable version of Apache Struts running on Equifax’s network. Additionally, Equifax officials knew the limitations of these scans since the company was aware it lacked a full inventory of its IT assets.
- Equifax staff who were aware of Equifax’s use of Apache Struts were left off of the incomplete email distribution list used to circulate information about the Apache Struts vulnerability.
- Because Equifax decided to structure its networks in such a way as to support efficient business operations rather than security protocols, the hackers were able to access significant amounts of data, including even more unencrypted usernames and passwords that had been stored by Equifax employees on a file share.
- Equifax allowed a key tool used to monitor IT assets for malicious web traffic to expire in November 2016. As a result, the hackers’ presence in the company’s network went entirely undetected for 78 days.
- Because Equifax was unaware of all the IT assets it owned, unaware of the need to patch the Apache Struts vulnerability, and unable to detect attacks on key portions of its network, hackers had access to consumers’ personal information for nearly four months before the company informed the public.
- In interviews the Subcommittee conducted with multiple current and former Equifax employees from the information security and IT departments, most believed that the actions taken were an appropriate response to the Apache Struts vulnerability.
- Both TransUnion and Experian, Equifax’s largest competitors, deployed software to verify the installation of security patches, ran scans more frequently and maintained an up-to-date IT asset inventory. There is no indication that either was attacked by hackers seeking to exploit the Apache Struts vulnerability.
A copy of the full report is available here.