Sen. Elizabeth Warren, D-Mass., released the findings of a four-month investigation into how Equifax failed to protect the personal data of more than 145 million Americans.
The new 15-page report containing the findings concludes that Equifax set up a flawed system to prevent and mitigate data security problems, ignored numerous warnings of risks to sensitive data, and failed to notify consumers, investors and regulators about the breach in a timely fashion.
The report also concludes that Equifax took advantage of federal contracting loopholes and failed to protect IRS taxpayer data, and inadequately assisted consumers following the breach.
"For years, Equifax and other big credit reporting agencies have been able to get away with profiting off cheating people," Warren said in a statement. "Our report provides answers about what went wrong at Equifax and concludes that to hold Equifax and its peers accountable, we need real consequences for when they screw up."
The investigation found that the breach was made possible because Equifax adopted weak cybersecurity measures that failed to protect consumer data. The report notes that the CEO at the time of the breach, Richard Smith, testified that despite record profits in recent years, Equifax spent only a fraction of its budget on cybersecurity – approximately 3% of its operating revenue over the last three years. In contrast, the report notes, Equifax paid nearly twice as much in dividends to shareholders.
Warren opened the investigation one week after Equifax revealed its breach on Sept. 7, 2017. As part of the investigation, Warren questioned Equifax executives in Senate hearings, consulted outside experts, and sent letters containing dozens of questions to Equifax, to federal regulators and to other credit reporting agencies.
Warren's findings come on the heels of recent reports that Office of Management and Budget Director Mick Mulvaney, who took over operational control of the Consumer Financial Protection Bureau, has "pulled back" from a probe into Equifax's failure to protect Americans' personal information.
