While the massive Marriott data breach is currently hogging the headlines, don’t forget about that other historic data breach–the one at Equifax that affected 148 million consumers. Turns out that hack was “entirely preventable,” and the credit bureau botched its handling of the mammoth incident afterward, according to a final House Oversight Committee report, first reported by Politico.
Hackers accessed Equifax’s database and compromised the credit card numbers, Social Security numbers, and birthdates of 143 million U.S. consumers–and an unspecified number of U.K. and Canadian customers, as well as the names and driver’s license info of some 2.4 million consumers. The breach was announced after a few company executives dumped their stock.
Now after a 14-month investigation, the House Oversight and Government Reform Committee has issued a scathing 96-page report saying the consumer credit reporting agency aggressively collected consumer data without taking the necessary steps to protect the trove of information. “Equifax… failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable,” the report says.
The report blames the breach on a series of failures, including “a culture of cybersecurity complacency,” outdated technology systems, and Equifax’s failure to patch a “known critical vulnerability.” The committee also noted the company’s failure to take appropriate measures to inform consumers about the breach and their options for protecting their data. Sen. Elizabeth Warren (D-Mass.) tried to warn Equifax that this wouldn’t end well for them. The report comes as the company still faces a variety of class-action lawsuits over the breach and the FTC is still side-eyeing the company after publicly confirming it is investigating the data breach.
Reached for comment, Equifax spokesman Jacob Hawkins offered the following statement:
“We are deeply disappointed that the Committee chose not to provide us with adequate time to review and respond to a 100-page report consisting of highly technical and important information. During the few hours we were given to conduct a preliminary review we identified significant inaccuracies and disagree with many of the factual findings. Equifax has worked in good faith for nearly 15 months with the Committee to be transparent, cooperative and shed light on our learnings from the incident in order to enrich the cybersecurity community. While we believe that factual errors serve to undermine the content of the report, we are generally supportive of many of the recommendations the Committee laid out for the government and private industry to better protect consumers, and have already made significant strides in many of these areas. Since the incident, Equifax has moved forward, taking meaningful steps to enhance our technology and security programs and will continue to focus on consumers, customers and regaining trust with all stakeholders.”