Investigation Shows Equifax Data Breach Was ‘Entirely Preventable’
After a 14-month investigation, the Committee on Oversight and Government Reform has determined that the Equifax data breach of 2017 was “entirely preventable.” The Committee analyzed more than 122,000 documents and deemed that Equifax could have avoided the breach with proper cybersecurity protocol.
The incident was originally thought to have affected 143 million American adults, but that number grew to 148 million after the investigation. The hackers collected names, Social Security Numbers, addresses and birth dates, as well as some credit card numbers and driver’s license information. In February 2018, the investigation revealed that email addresses, credit card expiration dates, tax IDs and phone numbers may have been compromised.
The Committee determined that Equifax’s IT system was “complex” and “antiquated,” which created security risks. They also said Equifax did not have clear authority figures for internal IT management, so the company was unable to resolve the issue in a timely manner.
Moreover, Equifax had over 300 expired security certificates, some which were more than 19 months past their renewal dates. The Committee said Equifax did not have the proper support in place to assist affected customers after the breach, which prevented consumers from accessing information that could safeguard their identities.
In the Committee’s full report, they provide a list of recommendations for Equifax. These include: being transparent about data they collect, determining how long identity monitoring is necessary after a breach, and having the federal government play a more active role in monitoring cybersecurity risks.