- Equifax's "aggressive growth strategy" played a role in the increasing "complexity" of its IT systems, contributing to its security inadequacies and the 2017 data breach, according to a report from the U.S. House of Representatives Committee on Oversight and Government Reform.
- Since 2005, the credit reporting agency's former CEO Richard Smith primarily grew its market value through acquisitions. Having consistent management "while all at the same time building platforms for growth and standardization for the future … is a big task," said former CIO Graeme Payne, in testimony.
- Additionally, Equifax was operating on custom-built IT systems, which "adds more complexity," said Payne. "And you can't go out and buy a dispute and disclosure system, you have to build it, right?"
More than a year after Equifax announced its data breach, the company is still dealing with the consequences. The company failed to patch a known vulnerability in Apache Struts, which led to a breach affecting about 145 million consumers. The patch had been available for months before the flaw was exploited.
In short, Equifax's breach was avoidable, the committee declared.
Custom-built and legacy systems added to Equifax's IT complexity. One of those systems, in use from the 1970s until 2017, was the internet-facing Automated Consumer Interview System (ACIS) environment.
Payne testified that Equifax was "lucky that we still had the original developers of the [ACIS] system on staff." The company was concerned that fewer and fewer people knew how to operate its legacy systems.
Maintaining an old system meant maintaining every layer of its technology stack, from applications, database and middleware down to the operating system and network, and each layer added to the complexity.
Apache Struts was used in a number of Equifax's legacy systems, but the committee concluded that the credit reporting agency did not have an accurate inventory of what software was running in those systems.
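The inventory finding is the practical one: a patch cannot be applied to software nobody knows is deployed. The following is an added example, not Equifax's tooling and not anything from the committee report, of a small inventory check that walks a deployment root, looks inside packed .war and .ear archives (including a .war nested in an .ear), and flags Struts core jars whose version is below an assumed per-branch fixed version. The directory layout, jar names and the FIXED_BY_BRANCH thresholds are constructed for the example; in practice the thresholds are copied from the vendor advisory for the flaw being chased, and a jar from a branch missing from the table is reported as "unsupported" rather than silently passed.

```python
"""Inventory Apache Struts core jars under a deployment root, including jars
packed inside .war/.ear archives, and flag versions below an assumed fixed
version. Added example; the sample deployment and thresholds are constructed."""
import os
import re
import tempfile
import zipfile
from io import BytesIO

# Assumed thresholds: first fixed release per Struts branch. Copy these from
# the vendor advisory in practice; they are not taken from the committee report.
FIXED_BY_BRANCH = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}

# Matches struts-core-<ver>.jar and struts2-core-<ver>.jar at the end of a path.
JAR_RE = re.compile(r"struts2?-core-(\d+(?:\.\d+)*)\.jar$")
ARCHIVES = (".war", ".ear")


def parse_version(text):
    """'2.3.30' -> (2, 3, 30); tuples compare correctly, unlike strings."""
    return tuple(int(part) for part in text.split("."))


def classify(version):
    """Return 'patched', 'vulnerable' or 'unsupported' for a version tuple."""
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return "unsupported"  # branch not in the table: needs a human decision
    return "patched" if version >= fixed else "vulnerable"


def scan_archive(data, location, hits):
    """Walk a zip (war/ear) held in memory and recurse into nested archives."""
    with zipfile.ZipFile(BytesIO(data)) as zf:
        for name in zf.namelist():
            match = JAR_RE.search(name)
            if match:
                hits.append((f"{location}!{name}", parse_version(match.group(1))))
            elif name.lower().endswith(ARCHIVES):
                scan_archive(zf.read(name), f"{location}!{name}", hits)


def build_inventory(root):
    """Return sorted (location, version, status) for every Struts core jar found
    under root, whether exploded on disk or packed inside a .war/.ear."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            match = JAR_RE.search(fname)
            if match:
                hits.append((rel, parse_version(match.group(1))))
            elif fname.lower().endswith(ARCHIVES):
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), rel, hits)
    return sorted((loc, ".".join(map(str, ver)), classify(ver)) for loc, ver in hits)


def build_sample_deployment(root):
    """Constructed fixture: an exploded legacy app, a packed .war, and an .ear
    that nests a .war. Jar contents are empty; only the names matter here."""
    lib = os.path.join(root, "legacy-app", "WEB-INF", "lib")
    os.makedirs(lib)
    open(os.path.join(lib, "struts2-core-2.3.30.jar"), "wb").close()
    inner_war = BytesIO()
    with zipfile.ZipFile(inner_war, "w") as zf:
        zf.writestr("WEB-INF/lib/struts2-core-2.5.10.1.jar", b"")
    with zipfile.ZipFile(os.path.join(root, "dispute.ear"), "w") as zf:
        zf.writestr("dispute-web.war", inner_war.getvalue())
    with zipfile.ZipFile(os.path.join(root, "old-portal.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/struts2-core-2.1.8.jar", b"")


def run_sample():
    """Build the constructed deployment in a temp dir and inventory it."""
    root = tempfile.mkdtemp()
    build_sample_deployment(root)
    return build_inventory(root)


if __name__ == "__main__":
    for location, version, status in run_sample():
        print(f"{status:<12} {version:<10} {location}")
```

Run against a real deployment root the check returns one row per jar with its location path spelled out through any nesting (`app.ear!web.war!WEB-INF/lib/...`), which is the minimum an inventory needs before a patch deadline can be enforced. Matching on jar filename only is a deliberate shortcut; a shaded or renamed jar would escape it, so a production version should also read the manifest or hash the jar against a known list.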
In addition to running outdated systems, the acquisitions made under Smith each required a system integration, and every integration is complex in its own right. Smith's growth strategy worked in terms of market share, but the company's overall technical and security posture could easily have taken a back seat.
The committee's findings struck a familiar note. Equifax, like Marriott International, made business decisions to strengthen its standing in its market. On the surface, the deals were beneficial.
However, mergers and acquisitions that do not fully address security continuity can lead to unforeseen risk, or a massive data breach, years down the line. Business leadership and technical leadership need to work in step when aggressive growth strategies are in the works.