A new report released Monday by the House Oversight and Government Reform Committee outlines the details of the 2017 Equifax data breach and sets out recommendations for preventing and responding to future breaches in the private sector.
“Equifax failed to fully appreciate and mitigate its cybersecurity risks,” the report states. “Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented.”
The report details how Equifax’s growth “brought increasing complexity to Equifax’s IT systems, and expanded data security risks.” Even so, the report calls the breach “entirely preventable.” The company failed to fully patch its systems when informed of a software vulnerability, allowing attackers to find unencrypted data 265 times. The committee identified two main points of failure: the lack of accountability and authority within Equifax’s IT organization, and a complex IT environment that relied heavily on legacy technology. The report also criticized Equifax’s response after it disclosed the breach, noting that the company’s dedicated website and call centers were quickly overwhelmed.
In its recommendations, the committee turned its attention to potential future breaches and how organizations should respond to them. The report recommends increased transparency from consumer reporting agencies (CRAs), a review of the effectiveness of credit monitoring services, and greater transparency about private sector cybersecurity risks.
The report also recommends greater Federal involvement in addressing breaches, looking to the requirements placed on Federal contractors to set an example for the rest of the market.
“The Office of Management and Budget should continue efforts to develop a clear set of requirements for Federal contractors to address increasing cybersecurity risks, particularly as it relates to handling of PII. There should be a government-wide framework of cybersecurity and data security risk-based requirements,” the report notes.
The committee also recommended increasing regulatory powers at the Federal Trade Commission (FTC) to counter these types of breaches.
“Additional oversight authorities and enforcement tools may be needed to enable the FTC to effectively monitor CRA data security practices, both prior and subsequent to a breach occurring, and incentivize CRAs to adequately safeguard the consumer data they store,” the report states.
Finally, the report highlighted the importance of IT modernization.
“Equifax failed to modernize its IT environments in a timely manner,” the committee notes. “The Committee has emphasized the important security benefits of modernized IT solutions for Federal agencies. Private sector companies, especially those holding sensitive consumer data like Equifax, must prioritize investment in modernized tools and technologies.”