Equifax Inc.’s years-long failure to prioritize cybersecurity left the company vulnerable to a data breach that exposed more than 145 million Americans’ personal information, a Senate subcommittee said in a bipartisan staff report.
The report comes amid a series of high-profile data breaches involving Equifax and other companies that the Senate Homeland Security and Governmental Affairs Permanent Subcommittee on Investigations will probe in a March 7 hearing. Equifax CEO Mark Begor is scheduled to testify.
Congress should enact legislation to establish “a national uniform standard requiring private entities that collect and store PII to take reasonable and appropriate steps to prevent cyberattacks and data breaches,” the report said, referring to personally identifiable information.
“Companies and government agencies, alike, must take steps to protect the data consumers entrust to them,” subcommittee chairman Rob Portman (R-Ohio) said in a statement. “And when that data is compromised, we deserve to know as soon as possible so we can make sure criminals are not taking advantage of us.”
According to the staff report, Equifax’s response to the Apache Struts vulnerability that was later exploited was “inadequate” and reflected the company’s broader inattention to cybersecurity.
“Equifax’s shortcomings are long-standing and reflect a broader culture of complacency toward cybersecurity preparedness,” the staff report said.
The company said it has made progress since the breach to strengthen its operations by hiring new technology officers and IT security professionals and increasing its technology and security spending by $1.25 billion between 2018 and 2020.
“Equifax has cooperated with the Subcommittee in its investigation and, while we do not agree with a number of findings and characterizations in the report, we remain committed to being transparent and cooperative, while sharing important learnings from the 2017 incident with the cybersecurity community,” Equifax spokesman Jacob Hawkins said in an email to Bloomberg Law.
Marriott International CEO Arne Sorenson will also face lawmakers at the hearing, in his first Capitol Hill appearance since the company disclosed a massive data breach involving its Starwood reservations database system in November 2018.
“Both private and public entities should feel a sense of urgency to bolster their cyber defenses, and these findings should finally galvanize Congress, along with the Administration, to formalize best practices for companies across this country and put in place nationwide standards in order to adequately protect consumers,” subcommittee ranking member Senator Tom Carper (D-Del.) said in a statement.
Equifax didn’t have a written policy on patching known vulnerabilities until 2015, according to the report. An internal audit that year found a backlog of unpatched vulnerabilities and no complete inventory of the company’s IT assets, which limited its ability to know which systems on its network were exposed, the report said. Those patching problems remained unresolved when the 2017 breach occurred, the report said.
“The Subcommittee also lacks a full understanding of the breach, as the company failed to preserve relevant messages sent over an internal messaging platform,” the report said.
Equifax’s two largest competitors, TransUnion LLC and Experian plc, took different actions to respond to the known Apache Struts vulnerability that led to the Equifax breach.
TransUnion and Experian “received the same information as the public and Equifax regarding the Apache Struts vulnerability, but the approach that each company took to cybersecurity was different from Equifax’s,” according to the report. The subcommittee’s investigation included a review of the steps TransUnion and Experian took in response to the vulnerability.
Representatives from the Federal Trade Commission, the Government Accountability Office, and the nonprofit Center for Internet Security are scheduled to discuss how Congress could help prevent future cyberattacks on a second panel.
The report also uses the Equifax case to suggest that Congress enact a breach notification law and consider the need for more cybersecurity threat information sharing between companies and the government.
Lawmakers should pass legislation “requiring private entities that suffer a data breach to notify affected consumers, law enforcement, and the appropriate federal regulatory agency without unreasonable delay,” according to the report. All 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted data breach notification laws, but they take varying approaches to notification standards, leaving companies with a patchwork of requirements rather than a single national rule.