Congress clearly didn't buy Equifax's attempt to pin its massive data breach on one lone technician. The House Oversight and Government Reform Committee has released a staff report declaring that the breach was "entirely preventable" and the result of widespread, systemic flaws in Equifax's security policies. The company didn't have "clear lines of authority" in its IT structure that would have properly enacted policies, for one thing. It also had "complex and outdated" systems that didn't keep pace with its growth, wasn't prepared to help victims and made basic security missteps. Equifax let more than 300 security certificates expire, for example, making it difficult to spot intrusions.
The committee also made a number of recommendations that it said would need the cooperation of Congress, the White House and private companies. It called for greater transparency on data collection and security risks, "modernized" IT, and reduced use of Social Security numbers as identifiers. The government should also determine whether or not the FTC's oversight is enough, hold federal contractors more accountable for their security and verify the effectiveness of post-breach services like identity protection.
In response, Equifax argued there were "significant inaccuracies" in the report and that it didn't have much time to review the findings, although TechCrunch said the ostensible errors were "nit-picks" such as the duration of credit monitoring offers and a state settlement that hasn't taken place. There weren't fundamental disagreements with the report's conclusions. Equifax added that it had implemented "meaningful steps" to bolster security and was "generally supportive" of the recommendations.
The larger question is whether or not anything will change as a result. It's one thing to make recommendations, but another to have multiple parties implement improvements. And as we've seen, Equifax leadership hasn't always been forthright about what's going on. On top of its attempted scapegoating, it has also faced investigation for suspicious stock trades and made questionable claims that executives were "retiring" in the wake of the breach. Equifax will have to show that it really did learn its lessons if it's going to regain trust, while officials will have to update laws and regulations to reduce the chances of a repeat.