A new report from a government watchdog concludes that Equifax left information vulnerable on several fronts that led to hackers getting access to the sensitive personal information of millions of Americans.
The Government Accountability Office on Friday released its report on the one-year anniversary of the public disclosure at Equifax, after being commissioned to write it by Sen. Elizabeth Warren, the Massachusetts Democrat who championed the creation of the Consumer Financial Protection Bureau, and Rep. Elijah Cummings, the Maryland Democrat who is the ranking member of the House Committee on Oversight and Government Reform. Oregon Senator Ron Wyden, the ranking member of the Senate Finance Committee, and Rep. Trey Gowdy, the chairman of House Oversight, were co-requesters with Warren and Cummings.
The GAO report describes in detail how hackers exploited significant vulnerabilities at Equifax to gain access to the sensitive personal information of more than 145 million Americans.
According to the GAO, “Equifax determined that several major factors had facilitated the attackers’ ability to successfully gain access to its network and extract information from databases containing [personally identifiable information]” and that “key factors that led to the breach were in the areas of identification, detection, segmentation, and data governance.”
In addition, according to the GAO report, the lack of restrictions at Equifax on the frequency of database queries allowed the attackers to execute approximately 9,000 such queries without detection by Equifax or its internal or external auditors—many more than would be needed for normal operations.
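The missing query-frequency control described above, as an added illustrative example that is not from the GAO report or from Equifax: a sliding-window monitor that reads constructed database audit log lines and alerts when a single client's query count in a window exceeds a threshold. The log format, the window length, the threshold and the client names are all assumptions.

```python
# Added example (not from the GAO report or Equifax): a minimal query-rate
# monitor of the kind the report says was missing. It reads constructed
# database audit log lines, counts queries per client in a sliding window,
# and raises one alert per client the first time it crosses the threshold.
from collections import deque, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # hypothetical sliding window
THRESHOLD = 50                  # hypothetical max queries per client per window

def parse_line(line):
    # Constructed log format: "<ISO timestamp> <client_id> QUERY <table>"
    ts, client, _, table = line.split(" ", 3)
    return datetime.fromisoformat(ts), client, table

def detect_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return a list of (client, timestamp, count) alerts, one per client,
    emitted the first time its query count inside `window` exceeds `threshold`."""
    recent = defaultdict(deque)   # client -> timestamps still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ts, client, _ = parse_line(line)
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:   # evict timestamps older than the window
            q.popleft()
        if len(q) > threshold and client not in alerted:
            alerted.add(client)
            alerts.append((client, ts, len(q)))
    return alerts

def constructed_log():
    """Constructed sample: a normal client issuing a few spaced-out queries and
    an abusive client issuing 200 queries in two minutes (date is arbitrary)."""
    base = datetime(2024, 1, 1, 0, 0, 0)
    lines = []
    for i in range(10):
        lines.append(f"{(base + timedelta(minutes=i * 20)).isoformat()} app-svc QUERY consumers")
    for i in range(200):
        lines.append(f"{(base + timedelta(seconds=i * 0.6)).isoformat()} web-portal QUERY consumers")
    lines.sort()  # audit logs are processed in time order
    return lines

if __name__ == "__main__":
    for client, ts, count in detect_bursts(constructed_log()):
        print(f"ALERT {ts.isoformat()} client={client} queries_in_window={count}")
```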
“As described in the GAO report, since the 2017 cybersecurity incident, Equifax has taken significant steps to strengthen data security protocols and controls, evaluate and adjust data governance processes, and adjust our organizational structure to enhance management of cybersecurity risk,” Equifax said in a statement. “Although we do not agree with every characterization in the report, we appreciate the time and effort the U.S. Government Accountability Office took to conduct their review of the 2017 cybersecurity incident and cooperated in good faith with their efforts.”
Two Democrats say the report highlights the lack of any enforcement action yet by the Consumer Financial Protection Bureau and the Federal Trade Commission, the two agencies responsible for oversight of credit reporting agencies.
“One year after they publicly revealed the massive 2017 breach, Equifax and other big credit reporting agencies keep profiting off a business model that rewards their failure to protect personal information – and the Trump Administration and Republican-controlled Congress have done nothing,” Warren said in a press release, calling for the passage of legislation called the Data Breach Prevention and Compensation Act.
Warren concluded in a prior report that Equifax:
• Set up a flawed system to prevent and mitigate data security problems;
• Failed to notify consumers, investors, and regulators about the breach in a timely and appropriate fashion;
• Took advantage of federal contracting loopholes and failed to adequately protect sensitive IRS taxpayer data;
• Provided inadequate assistance and information to consumers following the breach.
“This breach and the response by Equifax illustrate the need for federal legislation that establishes appropriate fines for credit reporting agencies that allow serious cybersecurity breaches on their watches and empowers the Federal Trade Commission to establish basic standards to ensure that credit reporting agencies are adequately protecting consumer data,” recommended Warren.
Equifax representatives also briefed Cummings and the House Oversight Committee staff in Oct. 2017 on the actions of its top officials relating to the massive data breach. “It is unclear why the company waited three days to inform the FBI, and it is also unclear whether Equifax contacted [the federal Computer Emergency Readiness Team] during this time, particularly since the agency had warned specifically about this vulnerability months earlier,” Cummings wrote to Committee Chairman Trey Gowdy, a Republican from South Carolina.
Cummings responded to the GAO report, “Now that we know even more about what led to the Equifax breach, it is critical that we develop serious and concrete proposals to help the American people, who repeatedly suffer the consequences of these devastating cyberattacks, and address the failures of those entrusted with securing their personal information.”
Warren and Sen. Mark Warner, a Democrat from Virginia, have sponsored a bill to hold credit reporting agencies like Equifax liable for data breaches. Under this legislation, Warren says Equifax would have paid at least $1.5 billion in penalties for the latest data breach.
Warren also raised concerns about a $7.2 million IRS contract awarded to Equifax despite the company’s recent massive breach. The IRS later issued a stop-work order to suspend Equifax’s performance under that short-term, sole-source contract. The GAO denied Equifax’s appeal on October 16, 2017, and the IRS selected Experian for the taxpayer identity and verification services instead, according to the GAO report.