Equifax grilled by US Senate over cybersecurity failings

The Senate Homeland Security and Governmental Affairs Committee’s Permanent Subcommittee on Investigations on Wednesday night (6 March) released its conclusions from a probe into the 2017 incident and said Equifax failed to take basic steps to protect its security system from vulnerabilities.

“Based on this investigation, the Subcommittee concludes that Equifax’s response to the March 2017 cybersecurity vulnerability that facilitated the breach was inadequate and hampered by Equifax’s neglect of cybersecurity,” the panel wrote in its report. “Equifax’s shortcomings are long-standing and reflect a broader culture of complacency toward cybersecurity preparedness.”

According to the Senate report, an internal Equifax audit discovered software measures were “not adequately designed to ensure Equifax systems are securely configured and patched in a timely manner.” The audit found that more than 8,500 vulnerabilities had gone unaddressed for around 90 days.

The 2017 data breach exploited a vulnerability in the Apache Struts web application framework. Despite wide reports that the vulnerability could be exploited, the Senate report claims that Equifax failed to patch it.

“Without the patch, individuals with basic computer skills — not just skilled hackers — could follow published instructions and exploit the vulnerability,” the authors say.

The report was released the night before Equifax CEO Mark Begor, who joined the company after the data breach, testified before the subcommittee. He apologised to the panel for the incident but took issue with the report’s findings.

“The fact that Equifax suffered a data breach does not mean the company did not have a data security programme or failed to take cybersecurity seriously,” Begor said in the company’s defence.

On the morning of 7 March, Equifax representatives were joined by executives from Marriott, and both companies testified before the Permanent Subcommittee on Investigations (PSI) about their respective data breaches. Marriott said a breach in November 2018 exposed the personal information of up to 500 million people.

Senators Rob Portman and Tom Carper, who led the PSI, say hackers had access to consumers’ personal information for nearly four months before Equifax told the public. The subcommittee’s report claims the damage done by hackers might have been avoided if Equifax had prioritised “widely agreed upon” cybersecurity protocols.

Carper commented: “I was surprised that a company such as Equifax, who has so much sensitive data on so many people in this country, was so ill-prepared to anticipate a cyber-attack and to be able to thwart it.”

Portman said: “Companies and government agencies alike must take steps to protect the data consumers entrust to them. And when that data is compromised, we deserve to know as soon as possible so we can do everything we can to ensure criminals are not taking advantage of us.

“I look forward to working with Senator Carper on legislation to ensure both the protection of consumer data and prompt notification when data is compromised,” he added.

Equifax announced the breach on 7 September 2017 — six weeks after it first discovered the incident. Multiple federal agencies launched an investigation into the company’s handling of the breach, but no enforcement actions have been taken.

Source: E&T editorial staff, E&T News

https://eandt.theiet.org/content/articles/2019/03/equifax-grilled-by-us-senate-over-neglecting-cybersecurity/
