The Committee on Homeland Security and Governmental Affairs of the Permanent Subcommittee on Investigations of the US Senate has published a report entitled, “How Equifax Neglected Cybersecurity and Suffered a Devastating Data Breach.” The Committee analyzed the breach reported by Equifax in September 2017, and efforts on the part of the other two major Consumer Reporting Agencies (CRAs) to respond to the vulnerability that led to the Equifax breach. The Committee found that Equifax:
- could not follow its own policies, established after a 2015 audit, for patching vulnerabilities;
- failed to include the relevant software developer in emails about the “Apache Struts” vulnerability and hence failed to locate and correct the problem;
- failed to take the steps necessary to identify incoming malicious traffic;
- could have, but did not, minimize the damage done by the intrusion because it structured its networks to support efficient business operations rather than security protocols;
- waited six weeks after learning of the breach — and nearly four months after it occurred — to make a public disclosure about it; and
- failed to preserve key internal communications that could have assisted the investigation of the breach.
The Committee found that the other two major CRAs took appropriate and timely action to patch the vulnerability that caused the Equifax breach.