The U.S. House of Representatives Committee on Oversight and Government Reform said Equifax Inc.'s data breach was "entirely preventable," adding that the credit agency failed to implement an adequate security program to protect its sensitive data.
The breach was estimated to impact 146.6 million U.S. customers.
Specifically, the credit agency failed to fully patch a vulnerability in Apache Struts, software used within Equifax's Automated Consumer Interview System, according to the Committee's staff report. On March 8, 2017, Homeland Security alerted Equifax to the vulnerability, which had been publicly disclosed the day before.
On May 13, 2017, attackers began their 76-day cyberattack on Equifax. They were able to access 48 unrelated databases, locate personally identifiable information and transfer data out of Equifax.
Equifax noticed suspicious web traffic after updating an expired security certificate on July 29, 2017. The following day, it identified several code vulnerabilities and noticed suspicious traffic from an IP address that was owned by a German internet service provider and leased to a Chinese provider. The cyberattack concluded when Equifax took its Automated Consumer Interview System offline.
The report also noted gaps in Equifax's IT policy development and operation, and said that its "aggressive growth strategy and accumulation of data" resulted in a complex IT environment.