Equifax’s consumer data breach has been a slow-burning scandal. Monday’s report from the House Oversight Committee that determined the breach was “entirely preventable” is just the latest chapter in a series of revelations that expose a negligent company bent on growth and careless about its customers. Although Equifax is currently in the spotlight, its failure to take data security seriously is a clear lesson for other companies — and the government.
When Richard Smith became the CEO of Equifax in 2005, he had an aggressive plan to grow the company. Acquiring other firms brought more business, but it also brought new security needs and complexity. Equifax wasn’t up to the challenge, and the company’s failure to meet its cybersecurity needs eventually exposed nearly 150 million accounts, including sensitive personal information.
Equifax had all that personal data, including addresses, Social Security numbers, and even images of passports or driver’s licenses, because, as a credit reporting agency, gathering that information is literally what the company does. Normally, that’s a good thing. The more data credit reporting companies have, the more accurate the information available on your creditworthiness when you try to buy a house or open a new card, for example. The modern system of credit reporting has removed a great deal of uncertainty for lenders, and it eliminates, or at least discourages, the traditional methods of determining creditworthiness, such as flagrant racial discrimination.
But that same treasure trove of information that makes credit more widely available is also a good target for hackers — especially if security practices aren’t up to snuff.
Equifax, under Smith’s leadership, was more interested in gaining data than keeping it safe, according to the detailed House report. Not only did IT development lag behind growth, allowing 300 security certificates to expire, but patch management was left to an “honor system.”
As lawmakers explain, “Equifax … failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable.”
The report also notes that “Equifax’s failure to patch a known critical vulnerability left its systems at risk for 145 days. The company’s failure to implement basic security protocols, including file integrity monitoring and network segmentation, allowed the attackers to access and remove large amounts of data.”
Worse, once the company realized there had been a breach, it was ill-prepared for the fallout. The House report explains that call center employees hired to help victims were overwhelmed and lacked training. As if that wasn’t bad enough, some of those who called in were directed to a phishing website rather than the real site that told consumers whether they were victims, and even the real site was plagued with issues.
For its part, Equifax issued a statement saying that the timing of the report did not give the company adequate time to review documents and that technical issues were misrepresented.
Despite that quibbling over the details, the warning is clear: Part of the deal with having access to data is keeping it safe. As companies and government agencies build networks and amass stockpiles of personal information, data security must keep pace.