Equifax data breach “entirely preventable”, report finds
The huge data breach that affected credit rating firm Equifax in 2017 and saw the personal details of up to 146 million people around the world – including 15 million in the UK – stolen by hackers was "entirely preventable" had the firm followed basic security procedures.
This is according to a new report into the incident released by the US government. The House of Representatives Oversight Committee laid out a litany of shortcomings and rejected Equifax's claim that the breach was the fault of a lone technician in the IT department who had failed to install a security patch.
Instead, the 96-page report pointed to systemic flaws in the company's security policies, including a lack of accountability and no clear lines of authority, which meant there was a large gap between the development of policies and their execution.
Equifax also left itself vulnerable by allowing more than 300 security certificates to expire, 79 of which were needed for monitoring business critical domains. This included one on the device observing network traffic, which had been inactive for 19 months as a result and meant the firm was unable to spot the data being exfiltrated.
The report also said that the company's aggressive business strategy and its focus on accumulating large quantities of data had resulted in a highly complex and hard to manage IT environment.
"Equifax ran a number of its most critical IT applications on custom-built legacy systems. Both the complexity and antiquated nature of Equifax’s IT systems made IT security especially challenging," it stated.
The company itself has disputed the report, saying it had "identified significant inaccuracies and disagrees with many of the factual findings".
However, the report could serve as a clear warning to other large businesses of what not to do when looking to ensure their data is secure. Its depiction of a system that was outdated, unwieldy and unmanaged may sound familiar to many other organisations, who may see it as an alarm bell that encourages them to upgrade their own solutions.
The Equifax hack also had severe financial and reputational consequences for the company. Earlier this year, the firm stated it expects total expenses related to the incident to hit $439 million (£348 million), making it the most costly breach in history.
Share This Post, Choose Your Platform!
With over 25 years in the business telecoms industry and an unrivalled reputation of delivering excellent, personal customer service, Arrow is one of very few companies in the UK able to provide a full telecoms, IT and energy consultancy and service proposition.
Savings through automation, scale, improved service. We’ve got that covered. But the true value comes with empathy, through empowerment, collaboration. It’s connecting people that drives us forward. It’s people that make tomorrow happen.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.