Equifax data breach was "entirely preventable," congressional report finds
A scathing new report finds one of the largest data breaches in U.S. history was "entirely preventable." A 14-month congressional investigation slammed credit rating agency Equifax for lacking preventative measures in a data breach that exposed the personal information of 148 million Americans last year.
According to the House report, hackers gained access to the Equifax network in May of last year and attacked the company for 76 days. Thieves stole sensitive information, including social security numbers, from nearly half of U.S. adults and some lawmakers want Equifax to pay.
Kellie Kraus' identity theft nightmare began just months after the Equifax breach. She discovered 12 accounts were opened in her name by people using her personal information to buy things like a car and even charge an $868 veterinary bill for a pet she doesn't own.
"I couldn't figure out how this could have happened as careful as I am with my information," Kraus said. "I pictured myself maybe not being able to get loans in the future, having bad credit."
Republican Congressman Will Hurd serves on the House Oversight Committee, which conducted the investigation.
"This breach could have been prevented if Equifax would have followed some very basic things when it comes to good digital system hygiene," Hurd said.
The 96-page report says Equifax failed to modernize its technology, failed to patch its systems when vulnerabilities were detected and stored sensitive data on out-of-date and sub-par systems.
In a statement to CBS News, Equifax said, "During the few hours we were given to conduct a preliminary review [of the House report] we identified significant inaccuracies and disagree with many of the factual findings." You can find Equifax's full statement at the bottom of this article.
But consumer advocates like Mike Litt with the U.S. public interest research group said the company should pay the price for harming customers.
"It's really only when there are actually fines attached that we're going to see the credit bureaus take our data security seriously," Litt said.
Rep. Hurd thinks Congress should develop a national breach standard and consider penalizing companies for not following basic guidelines.
The committee made several recommendations to prevent future incidents like the one at Equifax, including reducing the use of social security numbers as personal identifiers.
To protect yourself freeze your credit, have secure passwords and be sure to shred sensitive documents.
Equifax's full statement to CBS News:
"We are deeply disappointed that the Committee chose not to provide us with adequate time to review and respond to a 100-page report consisting of highly technical and important information. During the few hours we were given to conduct a preliminary review we identified significant inaccuracies and disagree with many of the factual findings. Equifax has worked in good faith for nearly 15 months with the Committee to be transparent, cooperative and shed light on our learnings from the incident in order to enrich the cybersecurity community. While we believe that factual errors serve to undermine the content of the report, we are generally supportive of many of the recommendations the Committee laid out for the government and private industry to better protect consumers, and have already made significant strides in many of these areas. Since the incident, Equifax has moved forward, taking meaningful steps to enhance our technology and security programs and will continue to focus on consumers, customers and regaining trust with all stakeholders."