Senate Investigation Shows Equifax Knew about Security Risks for Years
The Senate conducted a thorough investigation into the Equifax data breach that affected 145 million people. According to the report, “Equifax was aware of cybersecurity weaknesses for years” before the breach occurred in 2017.
In October 2015, Equifax conducted an audit of its patch management processes to assess cybersecurity vulnerabilities. Prior to that, the former CSO of Equifax says the company had “no official corporate policy” for patching vulnerabilities on company systems, nor were there defined responsibilities for who was to govern these matters.
The Senate found that as of August 2015, Equifax had a backlog of over 1,000 critical/high vulnerabilities on external systems and 7,500 critical/high vulnerabilities on internal systems. Nearly all of the internal issues (93%) were over 90 days old.
This data aligns with a similar report from the Committee on Oversight and Government Reform. After a 14-month investigation, the committee found the breach was “entirely preventable,” with over 300 expired security certificates and an overall “antiquated” IT system.
In a hearing the Homeland Security and Governmental Affairs Subcommittee held today, the CEO of Equifax, Mark Begor, discussed improvements the credit bureau has made since the breach. He said the company now has “multi-layers of defense,” including automated systems to address patches when they arise.