In today’s political climate, it seems like Congress can’t agree on any issue. However, a Senate subcommittee recently released a report proving Democrats and Republicans found consensus on one critical topic: cybersecurity. Specifically, politicians from America’s two largest political parties concurred that Equifax has some responsibility for the devastating data breach it suffered in 2017.
The Permanent Subcommittee on Investigations (PSI) released a refreshingly bipartisan report on the Equifax breach, which exposed the personal information of 145 million Americans. The government found that the analytics company was far too lax with its cybersecurity. That finding could have major implications for U.S. businesses in every industry.
What the Government Thinks Equifax Did Wrong
The report explained that the breach happened in part because Equifax did not update an application that monitors malicious web traffic after it expired in 2016. Hackers infiltrated the company’s network but went unnoticed for more than two months.
The PSI also slammed Equifax for not maintaining a proper inventory of its information technology (IT) assets. For example, the Department of Homeland Security warned the company about a critical vulnerability in its web application framework. Equifax did scan for the vulnerability, but because the firm lacked a complete inventory of its IT assets, the weakness went unpatched.
The report also contained the jaw-dropping revelation that Equifax apparently did not have a written policy regarding vulnerability patching until 2015.
Worse Than the Competition?
The subcommittee argues that Equifax was negligent in not maintaining better cybersecurity practices. But should the government chastise a corporation for being the victim of a crime? After all, the company certainly didn’t want its network infiltrated and its data exposed. Moreover, cybercrime is now so sophisticated that it is difficult for large organizations of any type to remain secure, including the U.S. government.
However, the subcommittee argues that Equifax’s cybersecurity practices were below industry standard. The data breach report supports this allegation by comparing the company’s actions to those of its two biggest competitors. TransUnion and Experian also learned about the web application framework vulnerability. Unlike Equifax, those companies quickly identified and patched the problem.
Unsurprisingly, Equifax does not agree with the PSI’s findings. The corporation issued a statement contending that it cooperated fully with the subcommittee’s investigation and that the report’s finding that the company was negligent is inaccurate. The company also noted that since the breach, it has hired almost 1,000 IT employees and will spend $1.25 billion on cybersecurity between 2018 and 2020.
Possible Changes to U.S. Cybersecurity Law
The PSI also slammed Equifax for its response to the data breach. Its report states that the company did not keep records of internal correspondence regarding the hack. This is notable because the company did not publicly disclose the hack until nearly four months after it occurred.
The subcommittee wants to ensure another notification delay like that never happens again. Accordingly, the report recommends that Congress come together to pass new legislation regarding data breaches. It calls for federal cybersecurity best practices for businesses and government agencies, and a mandate that forces them to make data breach disclosures “without reasonable delay.”
Congress will likely have a great deal of public support for that last point. One survey found that most Americans were more worried about the Equifax breach than about Facebook’s Cambridge Analytica scandal. And since 15 million people living in the U.S. had their identities stolen in 2017, that concern is well warranted.
Accordingly, conscientious companies of all sizes should make cybersecurity a core priority.