Congressional committee slams Equifax in report on data breach

Equifax says the report contains inaccuracies.

Laura Hautala Former Senior Writer

Equifax didn't take steps to prevent a massive data breach in 2017 that allowed hackers to steal the personal information of 147.7 million Americans from its servers. It wasn't ready to handle the aftermath, either. 

That's the takeaway from a House Oversight Committee report (PDF), released Monday, which calls the breach "entirely preventable."

The 96-page report said Equifax lacked clear lines of authority in its IT department, which meant important security measures weren't put in place when they should have been. What's more, the company's collection of sensitive consumer information was spread out among out-of-date, custom-built systems, the report said. 

Finally, the committee was especially critical of Equifax's former CEO Richard Smith. According to the report, Smith led a strategy of acquiring businesses that collect consumer data and amassing a huge trove of data without implementing a solid strategy to secure it. 

"While the acquisition strategy was successful for Equifax's bottom line and stock price, this growth brought increasing complexity to Equifax's IT systems, and expanded data security risks," the report said.

Equifax said it takes issue with many aspects of the report. In its review, the company said it "identified significant inaccuracies and disagree with many of the factual findings." It also complained that it didn't have adequate time to review the entirety of the report.

Here is Equifax's statement in full:

"We are deeply disappointed that the Committee chose not to provide us with adequate time to review and respond to a 100-page report consisting of highly technical and important information. During the few hours we were given to conduct a preliminary review we identified significant inaccuracies and disagree with many of the factual findings. This is unfortunate and undermines our hope to assist the Committee in producing a credible and thorough public resource for those who wish to learn from our experience managing the 2017 cybersecurity incident. Equifax has worked in good faith for nearly 15 months with the Committee to be transparent, cooperative and shed light on our learnings from the incident in order to enrich the entire cybersecurity community. Since the incident, Equifax has moved forward, taking meaningful steps to enhance our technology and security programs and will continue to focus on consumers, customers and regaining trust with all stakeholders."
