The Equifax data breach in 2017 that affected approximately 146 million users worldwide was "entirely preventable", according to a US House of Representatives Committee, which concluded that the company failed to use even the most basic of security measures to prevent unauthorised access.
The House Oversight and Government Reform Committee released a staff reportfollowing a 14-month investigation into the Equifax data breach, one of the largest data breaches in US history.
The Committee reviewed over 122,000 pages of documents, conducted transcribed interviews with three former Equifax employees directly involved with IT, and met with numerous current and former Equifax employees, in addition to work conducted by Mandiant, the forensic firm hired to probe breach.
The findings point a finger at former Equifax CEO Richard Smith, who the committee said embarked on an aggressive growth strategy in 2015, leading to the acquisition of multiple companies, IT systems and data.
While the acquisition strategy was successful for Equifax's bottom line and stock price, the growth brought increasing complexity to Equifax's IT systems and expanded data security risks.
"In August 2017, three weeks before Equifax publicly announced the breach, Smith boasted Equifax was managing 'almost 1,200 times' the amount of data held in the Library of Congress every day," the report said.
"Equifax, however, failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable."
Equifax revealed it had been hit by hackers in September 2017, with criminals stealing sensitive personal information on 146 million customers in the US, UK and Canada.
Of the 15 million UK users affected, it was thought that 30,000 of these had their email addresses leaked, and around 15,000 had partial credit card information stolen alongside basic personal information. But, it later emerged that hackers were also able to access US taxpayer ID numbers and their associated email addresses and phone numbers.
The verdict is damning for Equifax, but Chris Morales, head of security analytics at Vectra feels its a little unrealistic in this age of data security.
"I don't believe prevention will ever be 100%. That is unrealistic. I bring this up because the report states the breach was entirely preventable. I don't believe that to be true," he said.
"All networks have become highly complex and the failure comes down to people and process, not necessarily technology. As long as a motive exists, attackers will continuously attempt to compromise networks until they succeed. It is the same notion as building a wall would stop the drug trade. The criminal build tunnels instead."
