Time and again, Equifax disregarded warning signs of security vulnerabilities in its IT network, displaying a clear sign of “negligence,” before and after the 2017 data breach, concluded a report by a US Senate subcommittee on Homeland Security and Governmental Affairs.
The “negligence” of the credit rating monitor, one of the top three in the business, eventually led to the compromise of personal details of over 145 million Americans. To prevent a repeat of such security dysfunction and incompetence, the committee urges Congress to review cybersecurity policies and procedures.
“Pass legislation that establishes a national uniform standard requiring private entities that collect and store PII [personally identifiable information] to take reasonable and appropriate steps to prevent cyber-attacks and data breaches” and require “private entities that suffer a data breach to notify affected consumers, law enforcement, and the appropriate federal regulatory agency without unreasonable delay” are among the top suggestions.
Equifax is not the only entity to fall victim to such a major data breach. In the past 10 years, companies such as Uber, Yahoo!, Anthem and Target also struggled with financial and reputational damage following cyberattacks. Some of them learned from their mistakes but, according to the investigative report, Equifax didn’t.
The company didn’t patch critical vulnerabilities “in a timely manner” and it used an expired SSL certificate. Security team members displayed a complete lack of communication and, worse, they knowingly operated on vulnerable systems and insecure networks in 2015.
“Equifax’s system for vulnerability scanning was a global process that was disconnected from the company’s regional patch management process,” the study stated. “Equifax’s former Director of the global threats and vulnerability management team told Subcommittee staff that in some cases, patching was regional, and in some cases it was global.”
Mark Begor, the new CEO of Equifax, was called before the Senate to testify. He defended the company, saying that cybersecurity is important, yet the measures taken were not “impenetrable,” writes CNBC.
“The fact that Equifax did not have an impenetrable information security program and suffered a breach does not mean that the company failed to take cybersecurity seriously,” Begor said. “Before the cyberattack, I understand that [Equifax’s] security program was well-funded and -staffed, based on a robust set of policies, standards, and procedures, and supported by general and specialized training.”
Senators also berated Marriott for its data breach, which exposed personal information of 500 million guests, one of the largest so far. However, they only partly blamed the hotelier.
“The data breach announced by Marriott this past November does not appear to have been caused by the same cultural indifference to cybersecurity the record indicates existed at Equifax; rather, it looks like Marriott inherited this breach from Starwood,” said Sen. Tom Carper, D-Del.