The huge data breach that hit credit rating firm Equifax in 2017, in which hackers stole the personal details of up to 146 million people around the world, including 15 million in the UK, was "entirely preventable" and would not have happened had the firm followed basic security procedures.
This is according to a new report into the incident released by the US government. The House of Representatives Oversight Committee laid out a litany of shortcomings and rejected Equifax's claim that the breach was the fault of a lone technician in the IT department who had failed to install a security patch.
Instead, the 96-page report pointed to systemic flaws in the company's security policies, including a lack of accountability and no clear lines of authority, which meant there was a large gap between the development of policies and their execution.
Equifax also left itself vulnerable by allowing more than 300 security certificates to expire, 79 of which were needed for monitoring business-critical domains. This included the certificate on the device observing network traffic. As a result, that device had been inactive for 19 months, which meant the firm was unable to spot the data being exfiltrated.
The report also said that the company's aggressive business strategy and its focus on accumulating large quantities of data had resulted in a highly complex and hard-to-manage IT environment.
"Equifax ran a number of its most critical IT applications on custom-built legacy systems. Both the complexity and antiquated nature of Equifax’s IT systems made IT security especially challenging," it stated.
The company itself has disputed the report, saying it had "identified significant inaccuracies and disagrees with many of the factual findings".
However, the report could serve as a clear warning to other large businesses of what not to do when looking to ensure their data is secure. Its depiction of a system that was outdated, unwieldy and unmanaged may sound familiar to many other organisations, who may see it as an alarm bell that encourages them to upgrade their own solutions.
The Equifax hack also had severe financial and reputational consequences for the company. Earlier this year, the firm stated it expects total expenses related to the incident to hit $439 million (£348 million), making it the most costly breach in history.