A new report from the U.S. General Accounting Office examines the causes of the massive 2017 data breach by Equifax that compromised the personal data of more than 148 million Americans. The report contributes the debacle to the company’s failure to use common cybersecurity best practices, poor internal controls, and the lack of routine security reviews.
In September 2017, Equifax disclosed that months-long access by hackers to its credit-report databases had led to the breach of the personal information, including social security numbers and email addresses, of over 143 million Americans, which grew through March 2018 to over 148 million affected. The company also waited six weeks to disclose the breach.
According to the GAO report, “Equifax determined that several major factors had facilitated the attackers’ ability to successfully gain access to its network and extract information from databases containing PII [personally identifiable information]” and that “key factors that led to the breach were in the areas of identification, detection, segmentation, and data governance.”
Politicians on both sides of the aisle have been critical of Equifax’s practices and it’s response to the breach. “This breach and the response by Equifax illustrate the need for federal legislation that establishes appropriate fines for credit reporting agencies that allow serious cybersecurity breaches on their watches and empowers the Federal Trade Commission to establish basic standards to ensure that credit reporting agencies are adequately protecting consumer data,” said Senator Elizabeth Warren (D-MA) in a prior report.
Other organizations have also criticized Equifax’s response to the major breach, insisting that the consumer reporting agency still hasn’t done enough to take remedial steps and compensate those who were affected by the breach. Consumer Union, for example, the organization that publishes consumer reports, issued a particularly biting assessment of Equifax’s actions in a recent editorial. “Americans remain largely in the dark about the practices of the credit reporting industry—and, more generally, largely unable to control the use of their personal information. Equifax itself has suffered minimal consequences and continues to do business more or less as before,” it wrote.
Since the Equifax breach, some states, including Alabama and North Dakota have passed new laws on the notification of consumers about a data breach. California has passed a set of comprehensive data privacy laws that are among the strictest in the nation. 