On the eve of Equifax and Marriott executives appearing before the Senate Permanent Subcommittee on Investigations to discuss the lessons learned from a pair of major breaches, the subcommittee released a scathing report accusing Equifax of neglect and “failing to prioritize cybersecurity,” which led to a 2017 breach that affected 145 million people.

“The fact that Equifax suffered a data breach does not mean the company did not have an appropriate data security program or that the company failed to take cybersecurity seriously,” the company’s current CEO Mark Begor told Congress.

But the report said the credit monitoring agency didn’t adhere to its own patching schedule and failed to locate and patch the Apache Struts vulnerability that led to the 2017 breach.

“In addition, Equifax did not have basic tools in place to detect and identify changes to files, a protection which would have generated real-time alerts and detected the unauthorized changes the hackers were making,” the report said.
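The control the report describes is usually called file integrity monitoring: record a baseline of what every file on a server hashes to, then compare later snapshots against it and alert on anything added, removed or altered. The following is an added example, not code from the report or from Equifax, showing the core of that check in Python. It assumes a simple periodic-snapshot model (production tools typically also hook filesystem events for real-time alerts) and uses a constructed temporary directory as sample input.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            result[p.relative_to(root).as_posix()] = hash_file(p)
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify differences between a trusted baseline and a later snapshot.

    Any non-empty list here is an alert condition: a deployment that was not
    expected, a file that should not have changed, or a file that vanished.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline.keys() & current.keys()
        if baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: a small web-app tree is baselined, then one file is
    altered and one unexpected file appears before the next snapshot."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "webapps").mkdir()
        (root / "webapps" / "index.jsp").write_text("<html>hello</html>\n")
        (root / "webapps" / "config.xml").write_text("<config/>\n")
        baseline = snapshot(root)  # taken at a known-good point

        # Changes made outside the normal deployment process (constructed)
        (root / "webapps" / "index.jsp").write_text("<html>hello<!-- changed --></html>\n")
        (root / "webapps" / "unexpected.jsp").write_text("<%-- not from a release --%>\n")

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        for name in names:
            print(f"ALERT {kind}: {name}")
```

The baseline itself must be stored somewhere the monitored host cannot rewrite, and the comparison should run from a separate process or host; otherwise whoever changes the files can change the baseline to match.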

Tim Mackey, senior technical evangelist at Synopsys, called out “the disconnect between commercial software security practices and their open source equivalents.” A commercial software vendor “is in a position to push security information to consumers,” said Mackey. “With open source products, unless an effective inventory of open source components in use is maintained, it is difficult to manage an

The report pilloried Equifax for a six-week delay in alerting consumers to the breach.

“Today’s hearing started with a statement from Senator Rob Portman, who highlighted using hackers as part of the solution to ‘ensure criminals are no longer taking advantage of us as consumers,’” said Casey Ellis, founder and CTO of Bugcrowd. “We saw evidence of this in the case of Equifax, where Bugcrowd hackers found and fixed the same vulnerabilities that compromised Equifax in similar institutions a full four months before the breach occurred.”

Noting the patchwork of state data breach notification laws in lieu of a “national uniform standard,” the subcommittee’s report said breached companies also face a “patchwork of uncertainty” over alerting victims.

“The Senate Permanent Committee on Investigations appears to be using these highly publicized incidents not just to shame companies publicly for inexcusably lax security practices, but also breathe new life into proposed federal security requirements that had once seemed dormant,” said Robert Cattanach, a partner at international law firm Dorsey & Whitney. 

“Whether growing public intolerance of companies mining vast troves of personal data without perceived benefit to consumers, coupled with impatience over what many view as the abject failure of self-regulation, will be sufficient to overcome resistance to a more aggressive uniform standard of regulation remains to be seen,” Cattanach said. “One thing can be certain. The dams holding back public outrage over how customer data is being collected and protected have now begun to burst in one state after another.”

Regardless of whether a federal standard emerges, “companies will be forced to deal with ever-growing legislative initiatives in states known for aggressive consumer protection laws,” he said. “And, if past is prologue, copycat legislation will soon follow in any number of other states tired of waiting for a federal standard.”