The U.S. General Accounting Office (GAO) today released a comprehensive report examining the reasons for the massive breach of personal information from Equifax one year ago today. The report covers the breach and both company and governmental actions in response since.
It breaks little new ground, but summarizes an array of errors inside the company, largely relating to a failure to use well-known security best practices and a lack of internal controls and routine security reviews.
Predictions following the breach were that regulators and consumer outrage would force major changes to the credit-reporting industry. Instead, almost nothing of substance has occurred since the unprecedented breach. Equifax’s stock took an initial hit, but it has largely recovered. It continued to receive large government contracts.
Consumers Union, publisher of Consumer Reports, noted in an editorial on its site today, “Americans remain largely in the dark about the practices of the credit reporting industry—and, more generally, largely unable to control the use of their personal information. Equifax itself has suffered minimal consequences and continues to do business more or less as before.”
On Sept. 7, 2017, Equifax revealed that months-long illegitimate access to its credit-report databases had led to the breach of personally identifiable information of over 143 million people, nearly all in the U.S. The total number grew through March 2018 to over 148 million affected.
The company waited six weeks to disclose the breach.
Records varyingly included credit-card, driver’s license, and Social Security numbers, date of birth, phone numbers, and email addresses.
The GAO report confirms that a single Internet-facing web server running out-of-date software was the entry point for the breach, which went undetected for 76 days. Attackers made 9,000 queries that went unnoticed because a network-data inspection system had not been kept up to date; it had not been working for 10 months before staff noticed. The attackers also reached a database that contained unencrypted credentials, which they used to access other internal databases.
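The inspection system described above was dead for 10 months with nobody noticing. A defender-side check that would surface that condition, alerting when a sensor stops sending heartbeats or keeps reporting zero inspected events, is shown here as an added example written for this page; it is not code from the GAO report or from Equifax, and the log format, sensor names and timestamps are constructed.

```python
from datetime import datetime, timedelta

# Constructed heartbeat log from inspection sensors (hypothetical format):
# one line per sensor per reporting interval, with a count of inspected
# events. These are invented sample values, not Equifax or GAO data.
HEARTBEAT_LOG = """\
2018-08-01T09:00:00 sensor=ids-edge-1 events=4120
2018-08-01T09:00:00 sensor=ids-edge-2 events=0
2017-10-15T02:14:00 sensor=tls-inspect-3 events=57
"""

# Evaluation time for the sample run (constructed).
NOW = datetime(2018, 8, 1, 10, 0, 0)


def parse_heartbeats(text):
    """Parse 'timestamp key=value ...' lines; keep the latest record per sensor."""
    latest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        rec = {"ts": datetime.fromisoformat(ts), "events": int(kv["events"])}
        name = kv["sensor"]
        if name not in latest or rec["ts"] > latest[name]["ts"]:
            latest[name] = rec
    return latest


def find_blind_sensors(latest, now, max_silence=timedelta(hours=24)):
    """Return {sensor: reason} for sensors that are dead (no heartbeat within
    max_silence) or blind (heartbeat present but zero inspected events)."""
    findings = {}
    for name, rec in latest.items():
        silence = now - rec["ts"]
        if silence > max_silence:
            findings[name] = f"no report for {silence.days} days"
        elif rec["events"] == 0:
            findings[name] = "reporting but zero inspected events"
    return findings


def run_check():
    """Sample run over the constructed log; returns the findings dict."""
    return find_blind_sensors(parse_heartbeats(HEARTBEAT_LOG), NOW)


if __name__ == "__main__":
    for sensor, reason in run_check().items():
        print(f"ALERT {sensor}: {reason}")
```

In the sample run, ids-edge-1 is healthy, ids-edge-2 is alive but inspecting nothing, and tls-inspect-3 has been silent for 290 days; either of the last two conditions should page someone long before 10 months pass.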
The company said today it has budgeted to spend an additional $200 million this year for security and technology, though it didn’t provide context for past or current spending. In a statement, Equifax said that it has made comprehensive changes.
Eight state banking regulators imposed a consent order on Equifax in June, requiring security improvement, auditing, and reporting. California passed a law earlier this year that forces disclosures about the collection of personal data, and imposes significant fines for data breaches—up to $750 per violation. It goes into effect Jan. 1, 2020.
Alabama and North Dakota passed laws requiring breach notification, with penalties for delays. In Alabama, a breach must be reported within 60 days or a company faces a fine of up to $10,000 per violation; in North Dakota, it’s 45 days and up to $5,000 each.
At the federal level, the president signed a bill in May that includes free “credit freezes” and “thaws” at the three largest credit-reporting agencies: that’s TransUnion and Experian in addition to Equifax. A freeze prevents access to a credit file, which deters identity thieves from opening new accounts in someone’s name. Fees previously varied by state, and in states where a charge was allowed, it could be $5 to $10 per freeze or thaw at each credit bureau.
The law also lets consumers report potential credit fraud to one credit bureau, which is required to share it with the other two. The alert now lasts for a year, instead of a previous 90 days. With the alert in effect, the bureau must take additional steps to verify an identity.
Two criminal charges have been filed, both for insider trading: one against the company’s former chief information officer, Jun Ying, and one against a company software developer, for allegedly selling stock while knowing of the breach before it was made public.
The Consumer Financial Protection Bureau, an agency created in part to protect consumer data, had received over 20,000 complaints related to the breach as of April 2018. However, the CFPB has been gutted and rendered toothless under the Trump administration. (The CFPB is now officially known as the BCFP: same words, different order.) It took no enforcement action against Equifax. The Federal Trade Commission also has oversight, and has taken no action either.
Sen. Elizabeth Warren co-sponsored a bill with Mark Warner in January that would give the FTC more direct supervisory power over credit-reporting agencies like Equifax, along with the ability to levy fines. Those fines would have amounted to $1.5 billion in the case of this breach. That’s significant relative to revenue and profit: Equifax took in $877 million in its most recent quarter, and earned $145 million on that.
In a comedy of blame following the breach, Equifax sent the CEO at the time of the breach, Richard Smith, to testify before Congress starting Oct. 3, 2017. In his first of four separate hearings, Smith repeatedly blamed the breach on a single employee who failed to update software on one server. No other company officials testified.
During that hearing, Warren said, “At best you are incompetent; at worst you were complicit. Either way, you should be fired.” Smith had already resigned the previous week, and was joined soon after by the company’s chief information and chief security officers.
By not firing Smith, however, the board allowed the CEO to retain over $90 million in compensation scheduled to be paid out in 2017 and in subsequent years from salary, stock options, and other benefits. He had to give up a potential $3 million bonus for 2017. Had he been fired, he might have been forced to forgo a large portion of that stock and cash.
Four U.S. congresspeople commissioned the GAO report: senators Elizabeth Warren and Ron Wyden, and representatives Elijah Cummings and Trey Gowdy. Gowdy was the only Republican, and he retires from Congress after this session. Warren’s legal research and advocacy led to the creation of the Consumer Financial Protection Bureau in 2011. She was passed over to lead the bureau, but won election to the Senate in 2013.