Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Privacy Government Security United States Politics Technology

House Panel Issues Scathing Report On 'Entirely Preventable' Equifax Data Breach (thehill.com) 75

An anonymous reader quotes a report from The Hill: The Equifax data breach, one of the largest in U.S. history, was "entirely preventable," according to a new House committee investigation. The House Oversight and Government Reform Committee, following a 14-month probe, released a scathing report Monday saying the consumer credit reporting agency aggressively collected data on millions of consumers and businesses while failing to take key steps to secure such information. "In 2005, former Equifax Chief Executive Officer (CEO) Richard Smith embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, information technology (IT) systems, and data," according to the 96-page report authored by Republicans. "Equifax, however, failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable."

The report blames the breach on a series of failures on the part of the company, including a culture of complacency, the lack of a clear IT management operations structure, outdated technology systems and a lack of preparedness to support affected consumers. "A culture of cybersecurity complacency at Equifax led to the successful exfiltration of the personal information of approximately 148 million individuals," the committee staff wrote. "Equifax's failure to patch a known critical vulnerability left its systems at risk for 145 days. The company's failure to implement basic security protocols, including file integrity monitoring and network segmentation, allowed the attackers to access and remove large amounts of data." The Oversight staff found that the company not only lacked a clear management structure within its IT operations, which hindered it from addressing security matters in a timely manner, but it also was unprepared to identify and notify consumers affected by the breach. The report said the company could have detected the activity but did not have "file integrity monitoring enabled" on this system, known as ACIS, at the time of the attack.

This discussion has been archived. No new comments can be posted.

House Panel Issues Scathing Report On 'Entirely Preventable' Equifax Data Breach

Comments Filter:
  • Oh wow (Score:5, Interesting)

    by 110010001000 ( 697113 ) on Monday December 10, 2018 @05:40PM (#57782882) Homepage Journal
    A scathing report? That will show them!
    • Is that harsher than a firmly written letter? How does it compare to being brutally frank?

      • It is a very firm and clear message being sent, that they must answer to: all calls from Congressional re-election PACs asking for donations.

    • by Anonymous Coward

      Applying a corproate death penalty would be an excellent way to fix this problem. Nothing would be lost since there are other credit bureaus, and it's a function that's easy to replicate.

    • by ron_ivi ( 607351 )
      And it's missing the big picture.

      The bigger problem is that Equifax themselves has the data.

      Who cares if some small-scale spammer got their hands on the leaked data? They don't have the skills, resources, or knowledge of how to abuse it.

      The fact that the huge data mining companies like Equifax, Facebook, and Google are building such databases is far more concerning from a privacy point of view.

    • by gweihir ( 88907 )

      Indeed. What needs to happen in cases of negligence like this that could not really get any more gross (considering what was to be protected) is that the CEO and the CISO go to prison for a few years. In addition, anybody that has their data stolen should, say, get $500 just by asking for it and the full damage including legal costs if they did suffer more.

      Before we have serious consequence for such extreme screw-ups, nothing is going to change.

    • A scathing report? That will show them!

      Ye!
      In meantime all they income indicators for 2017 are green and seems like "one of the largest in U.S. history" data breach does not even deserve congress hearings.

  • Ooh, a scathing report!!! On the punishment severity scale that must be somewhere between a slap on the wrist and taking away some of their Schrute bucks.
  • by Dunbal ( 464142 ) * on Monday December 10, 2018 @05:46PM (#57782916)
    And they thought _strrev() was a secure way to encrypt the user passwords. I guess this time they will switch to ROT13. Twice, for extra security!
  • great, now... (Score:5, Insightful)

    by argStyopa ( 232550 ) on Monday December 10, 2018 @05:48PM (#57782920) Journal

    ...let's stop the Federal government 'picking winners' entirely, and see a report about the 'entirely preventable' 2007-2008 credit crash where the Congress-selected private firms that provided bond ratings simply didn't do the one thing they were tasked to do: objectively appraise and rate bundled funds as to riskiness?

    I think suing those firms into oblivion, jailing their entire management team for fraud, and then NOT picking ANY private firms as "official" successors designated by the Federal Government will remind the marketplace that information too has value and the lack of any official designation means that investors will have to manage their OWN risk.

    • let's stop the Federal government 'picking winners' entirely

      Well, since the voters can't be bothered, how do you propose we do it?

      • Accept the consequences of our choices as a society until voters can be bothered. Unless you're going to carry the torch on this topic to get the voters to care a little bit sooner or overthrow the government and try to fix things, there really isn't a lot left to do about it.
    • What Congress-selected firms? There are three firms that control 95%, but there are several other competitors.

  • by Comrade Ogilvy ( 1719488 ) on Monday December 10, 2018 @05:59PM (#57782998)

    Equifax is part of a sector of the financial industry that makes some tidy profit monetizing fear of the incompetence of the financial industry. It is not exactly surprising they could not wrap their heads around how competent they needed to be to not get caught. But then again, having been caught being incompetent, how much do they care?

  • but is anyone going to actually change how they vote based on this? If not, then all that outrage is exactly as effective as this report...
    • Yeah, next time I am voting for the other guy instead of that guy.
      • there were a ton of left wing candidates who accept no corporate PAC money that tried to primary the right wing "Clinton" Democrats. Most of them lost but a few (notably Alexandria Ocasio-Cortez who took out the "young" 55 year old replacement for Nancy Pelosi).

        The real power in American politics is in primary elections. By the time it gets to the general it's too late. But that doesn't mean you can't vote in your primary.
    • but is anyone going to actually change how they vote based on this?

      They had their chance last month... And in spite of it all... the GOP/DNC remains firmly entrenched for another two years. And you're right, the outrage is comedic, and a bit tragic...

    • Ballot initiatives were somewhat successful in bringing in some nice electoral changes, mostly with regard to district drawing, in certain states.

      Similar initiatives could be used to end First-Past-The-Post (I think Maine voted for the first time using instant runoff in this election), which would remove the spoiler effect and make third parties viable.

      As long as FPTP prevails, the 2-party system will remain. It's not just about who people vote for, but the choices they have. Bernie Sanders is an Independen

  • by Streetlight ( 1102081 ) on Monday December 10, 2018 @06:26PM (#57783146) Journal
    Right. One question (of many) I have is why are they still in business? Why weren't put out of business? There'd still be two credit bureaus out there. I'm not sure who regulates this kind of operation but they sure weren't and haven't been doing their job.
  • Don't be silly. Corporations in America are never held to account for screwing people over.

    • Don't be silly. Corporations in America are never held to account for screwing people over.

      Unless it's The Rich who got ass-raped, in which case Heads Will Roll over it. But you, me, and all the other plebs? We're irrelevant, you're right.

  • OK, so the Congress that had both Dem and GOP email systems hacked, the house employing crooks to do IT support, the Obama administration which was in power and running things had the OPM hack happened. is going to ridiculed Equifax, granted Equifax screwed up, but this is just to Rich for me.

    Just my 2 cents ;)
  • Just like GMO crops, the data lost in the Equifax breach is already long-since in the wind, and no amount of barn-door-closing-after-the-horse-is-gone will reverse that. The data likely has been copied and sold dozens of times already, and nothing short of crashing the Moon into the Earth, destroying everything and everyone, could possibly ever erradicate all the copies, or find all the people responsible and all the people who had access to it. It may as well been uploaded to USENET, for fuck's sake. There
  • At what point do we just go ahead and say "everybody?" 148M = basically everybody in the US with credit history. Let's fix this news headline ... "Equifax screws EVERBODY"

You know you've landed gear-up when it takes full power to taxi.

Working...