[BreachExchange] Equifax data breach was "entirely preventable," congressional report finds

Destry Winant destry at riskbasedsecurity.com
Tue Dec 11 09:22:01 EST 2018


https://www.cbsnews.com/news/equifax-data-breach-was-entirely-preventable-congressional-report-finds/

A scathing new report finds one of the largest data breaches in U.S.
history was "entirely preventable." A 14-month congressional
investigation slammed credit rating agency Equifax for lacking
preventative measures in a data breach that exposed the personal
information of 148 million Americans last year.

According to the House report, hackers gained access to the Equifax
network in May of last year and attacked the company for 76 days.
Thieves stole sensitive information, including Social Security
numbers, from nearly half of U.S. adults, and some lawmakers want
Equifax to pay.

Kellie Kraus' identity theft nightmare began just months after the
Equifax breach. She discovered 12 accounts were opened in her name by
people using her personal information to buy things like a car and
even charge an $868 veterinary bill for a pet she doesn't own.

"I couldn't figure out how this could have happened as careful as I am
with my information," Kraus said. "I pictured myself maybe not being
able to get loans in the future, having bad credit."

Republican Congressman Will Hurd serves on the House Oversight
Committee, which conducted the investigation.

"This breach could have been prevented if Equifax would have followed
some very basic things when it comes to good digital system hygiene,"
Hurd said.

The 96-page report says Equifax failed to modernize its technology,
failed to patch its systems when vulnerabilities were detected and
stored sensitive data on out-of-date and sub-par systems.

In a statement to CBS News, Equifax said, "During the few hours we
were given to conduct a preliminary review [of the House report] we
identified significant inaccuracies and disagree with many of the
factual findings." You can find Equifax's full statement at the bottom
of this article.

But consumer advocates like Mike Litt with the U.S. Public Interest
Research Group said the company should pay the price for harming
customers.

"It's really only when there are actually fines attached that we're
going to see the credit bureaus take our data security seriously,"
Litt said.

Rep. Hurd thinks Congress should develop a national breach standard
and consider penalizing companies for not following basic guidelines.

The committee made several recommendations to prevent future incidents
like the one at Equifax, including reducing the use of Social Security
numbers as personal identifiers.

To protect yourself, freeze your credit, have secure passwords and be
sure to shred sensitive documents.

Equifax's full statement to CBS News:

"We are deeply disappointed that the Committee chose not to provide us
with adequate time to review and respond to a 100-page report
consisting of highly technical and important information. During the
few hours we were given to conduct a preliminary review we identified
significant inaccuracies and disagree with many of the factual
findings. Equifax has worked in good faith for nearly 15 months with
the Committee to be transparent, cooperative and shed light on our
learnings from the incident in order to enrich the cybersecurity
community. While we believe that factual errors serve to undermine the
content of the report, we are generally supportive of many of the
recommendations the Committee laid out for the government and private
industry to better protect consumers, and have already made
significant strides in many of these areas. Since the incident,
Equifax has moved forward, taking meaningful steps to enhance our
technology and security programs and will continue to focus on
consumers, customers and regaining trust with all stakeholders."

