An institutional neglect toward cybersecurity contributed to the massive 2017 data breach at Equifax that compromised sensitive information for more than 145 million Americans, a Senate panel alleged in a new report.

The Senate Homeland Security and Governmental Affairs Committee’s Permanent Subcommittee on Investigations on Wednesday night released its conclusions from a probe into the incident and said Equifax failed to take basic steps to protect its security system from vulnerabilities.

ADVERTISEMENT

“Based on this investigation, the Subcommittee concludes that Equifax’s response to the March 2017 cybersecurity vulnerability that facilitated the breach was inadequate and hampered by Equifax’s neglect of cybersecurity,” the panel wrote in its report. “Equifax’s shortcomings are long-standing and reflect a broader culture of complacency toward cybersecurity preparedness.”

The report was released the night before Equifax CEO Mark Begor, who joined the company after the data breach, testified before the subcommittee. He apologized to the panel for the incident but took issue with the report’s findings.

“The fact that Equifax suffered a data breach does not mean the company did not have a data security program or failed to take cybersecurity seriously,” Begor said.

According to the Senate report, an internal Equifax audit discovered software measures were “not adequately designed to ensure Equifax systems are securely configured and patched in a timely manner.” That audit found more than 8,500 vulnerabilities had gone unaddressed for at least 90 days.

The hack exploited a vulnerability in a programming software called Apache Struts. The Senate report alleged that Equifax — unlike its two biggest credit reporting competitors, TransUnion and Experian — failed to patch the vulnerability, despite wide reports that it could be easily exploited.

“Without the patch, individuals with basic computer skills — not just skilled hackers — could follow published instructions and exploit the vulnerability,” the Senate panel said.

Equifax announced the breach on Sept. 7, 2017 — six weeks after it first discovered the incident. Multiple federal agencies launched an investigation into the company’s handling of the breach but no enforcement actions have been taken.