Senate Report: Equifax Accused of Failing to Prioritize Cybersecurity


Fully [H]
Apr 10, 2003
In a Senate report, Equifax is accused of neglecting its own cybersecurity policies which ultimately led to the 2017 data breach that exposed personally identifiable information (PII) of 145 million Americans. The company's key Senior Managers didn't attend cybersecurity meetings and an audit identified a backlog of over 8,500 known vulnerabilities in its network. Over 1,000 of these were considered critical, high, or medium risks that were found on systems that could be accessed by individuals from outside of Equifax's information technology ("IT") networks.

The company instituted an "honor system" for patching its systems and didn't abide by its own patching policy that required the company's IT department to patch critical vulnerabilities within 48 hours. Equifax wasn't even sure of the network assets that it owned, so it was impossible for Equifax to know if vulnerabilities existed on its networks. When threats were announced by the U.S. government with the highest critical score possible, the company's security scans failed to identify the vulnerability. This is because the company lacked a comprehensive inventory of its IT assets. Equifax also allowed its SSL certificates to expire 8 months prior to the 2017 data breach, which allowed hackers access to the network for 78 days undetected. Equifax waited six weeks before notifying the public of the breach.

Equifax's online dispute portal, the hackers also accessed other Equifax databases as they searched for other systems containing PII. They eventually found a data repository that also contained unencrypted usernames and passwords that allowed the hackers to access additional Equifax databases. The information accessed primarily included names, Social Security numbers, birth dates, addresses, and, in some instances, driver's license and credit card numbers.

The usernames and passwords the hackers found were saved on a file share by Equifax employees. Equifax told the Subcommittee that it decided to structure its networks this way due to its effort to support efficient business operations rather than security protocols. In addition, Equifax did not have basic tools in place to detect and identify changes to files, a protection which would have generated real-time alerts and detected the unauthorized changes the hackers were making.
Ahh the joys... this is one of those times you want to say let the turtles eat them starting at the toes... however that would be cruel and unusual punishment for the turtles.
effort to support efficient business operations rather than security

aka we didn't want to pay for it

Yeah, and that kind of attitude shows a complete lack of understanding of how to do business in the modern world. Clearly they ignored risk assessments because they didn't want to impact the short-term bottom line.
Death. Nothing short of widespread death to those responsible will send a message that this level of incompetence at this level of people's lives is unacceptable. I know our laws won't allow that to happen. We need far higher personal responsibility in business.
Unless they are going to use this info to put laws in place to stop this stuff from happening, it's all just a dog and pony show, and a waste of taxpayer dollars. They already let everyone off the hook, this report doesn't matter lol.
... We need far higher personal responsibility in business.

That I can get behind. Incorporating should not be an ironclad protection from personal responsibility. Executives and investors with large stakes should be held to some degree of accountability for their company's fuck-ups, which should potentially include decades of hard time.
Reasons I'll continue to have a job #12309182039807980895234
maybe they'll think twice about diversity hiring for their next CSO... and pick someone who maybe actually has interest in security.

Nah, it's over and they've moved on.

Diversity over skills every time. ;)

There is no reason a "diversity hire" can't also have mad skillz. The problem is they are usually hired just because of their race, gender, or sexual orientation. That's a form of discrimination imo.
Why would any corporation care about securing your personal information? There are no consequences when the information is stolen other than providing more revenue to the credit monitoring corporations. The only ones that suffer from this stolen information are the people that have their identities stolen. These people are not the corporation's customers so why should the corporations care?
Funny how I haven't seen this is the national news yet. Meanwhile wet is water, water is what and Equi smells like something from the wrong end of a dog. Seriously, it's been almost a year and still they're not prosecuting the managers who sold before as if they didn't know what was wrong. Bad enough when tax payer dollars deal with an issue regarding any administration, trying to be respectful of soapbox rules, but this company should really be experiencing serious consequences for this. Is anyone tracking who owns stock or has affiliations with Equif in our government right now?

I do ask that anyone responding to this post be mindful of soapbox rules so we can keep this thread running.
I think it's time to start pushing legislation to eliminate white collar prisons. From now on, you get caught doing shit like this you go in with the pedos, rapists, and murderers. I guarantee you'll see an almost immediate drop in white collar crime after one of these execs get their shit pushed in.
Death. Nothing short of widespread death to those responsible will send a message that this level of incompetence at this level of people's lives is unacceptable. I know our laws won't allow that to happen. We need far higher personal responsibility in business.
Well, death of the corporation should be possible. (Don't think any other kind is needed though)
Someone, or multiple someones should have gone to jail over this. Our personal data should be treated just like money or anything else with great value, and if you don't protect it, you face jail time. That's the only way to solve this problem; there must be dire consequences for not securing our personal data that we are required to provide to them in order to function in our society.