“Equifax…failed to implement an adequate security program to protect this sensitive data…Such a breach was entirely preventable.” So concludes the December 2018 report on “The Equifax Data Breach” by the U.S. House of Representatives Committee on Oversight and Government Reform.
The cause, according to the report, was Equifax’s “acquisition strategy [to benefit] bottom line and stock price,” which “growth brought increasing complexity to Equifax’s IT systems, and expanded data security risks.” Risks, it seems, Equifax did not manage. In 2017, the Department of Homeland Security alerted Equifax to a critical vulnerability in Apache Struts software; “Equifax, however, did not fully patch its systems.” The result — a 76-day attack including 9,000 queries on 48 vulnerable databases, which located unencrypted personally identifiable information 265 times. The device used to monitor network traffic “had been inactive for 19 months due to an expired security certificate.”
Two fundamental failures resulted in this breach affecting 148 million people — nearly half of the U.S. population and 56 percent of American adults. First, Equifax’s IT management was unstructured, lacked accountability, and suffered from an “execution gap” between policy and implementation. It was, in a word, dysfunctional. Second, the “aggressive growth strategy and accumulation of data resulted in a complex IT environment,” which the IT management was unprepared to handle.
So, how does the Committee on Oversight and Government Reform have jurisdiction in this area? Because the Committee oversees the Federal Trade Commission (FTC), Government Accounting Office (GAO), Securities and Exchange Commission (SEC), and Office of Management and Budget (OMB). The report, in its conclusions, looked beyond Equifax, one of the largest credit reporting agencies (CRA), to take aim at the entire industry’s attitude toward personal data:
CRAs gather consumer data, analyze it to create credit scores and detailed reports, and then sell the reports to third parties. Consumers do not voluntarily provide information to CRAs, nor do they have the ability to opt out of this information collection process. Though CRAs provide a service in facilitating information sharing for financial transactions, they do so by amassing large amounts of sensitive personal data — a high-value target for cyber criminals. Consequently, CRAs have a heightened responsibility to protect consumer data by providing best-in-class data security.
The report concludes that four federal agencies can take additional steps to protect consumers and citizens:
1.) The FTC can “hold business accountable for making false or misleading claims about their data security or failing to employ reasonable security measures,” however, additional oversight authorities and enforcement tools “may be needed to enable the FTC to effectively monitor CRA data security practices.”
2.) The GAO, an investigative entity, should examine the effectiveness of current identity monitoring and protection services, and provide recommendations to Congress.
3.) The SEC “should continue to encourage the public disclosure of cyber risks to increase awareness of a company’s cybersecurity posture,” in line with the SEC’s 2011 guidance to assist companies in disclosing cybersecurity risks and incidents.
4.) The OMB “should continue efforts to develop a clear set of requirements for federal contractors to address increasing cybersecurity risks…There should be a government-wide framework of cybersecurity and data security risk-based requirements.”
With a new Congress returning to Washington in January, and with a growing recognition that consumers lack any power to control the use of their personal data, many believe 2019 will bring with it a federal privacy statute. For now, it seems the FTC’s enforcement authority is the de facto federal agency responsible for managing cyber risks to the American public.
A copy of the Report is available here.