Skip to main content
close search
site logo
Dive Brief

Equifax's 'aggressive growth strategy' contributed to IT complexity and failure

Published Dec. 11, 2018
Samantha Schwartz's headshot
Samantha Schwartz Reporter
Getty / edited by Industry Dive

Dive Brief:

  • Equifax's "aggressive growth strategy" played a role in the increasing "complexity" of its IT system,  contributing to its security inadequacies and the 2017 data breach, according to report from the U.S. House of Representatives Committee on Oversight and Government Reform.
  • Since 2005, the credit reporting agency's former CEO Richard Smith primarily grew its market value through acquisitions. Having consistent management "while all at the same time building platforms for growth and standardization for the future … is a big task," said former CIO Graeme Payne, in testimony.
  • Additionally, Equifax was operating on custom-built IT systems, which "adds more complexity," said Payne. "And you can't go out and buy a dispute and disclosure system, you have to build it, right?"

Dive Insight:

More than a year after Equifax announced its data breach, the company is still dealing with the consequences. The company failed to patch a bug in Apache Struts, which led to a breach impacting about 145 million consumers. The patch was available months before the flaw was exploited.

In short, Equifax's breach was avoidable, the committee declared.

Custom-built and legacy systems added to Equifax's IT complexities. One of the systems used from the 1970s to 2017 contained the Automated Consumer Interview System​ (ACIS) environment, which was internet-facing.

Payne testified that Equifax was "lucky that we still had the original developers of the [ACIS] system on staff." The company feared the shrinking number of individuals who knew how to operate legacy systems.

Maintaining an old system included a number of layers which, once again, added to complexity with its technology stack of applications, database, middleware, and operating system and network.

Apache Struts was used in a number of Equifax's legacy systems, but the committee concluded the credit reporting agency didn't know what software was running in its legacy systems.

In addition to running outdated systems, the acquisitions made under Smith required system integrations, which are complex each and every time. Smith's growth strategy worked in terms of market share, but the company's overall technical and security posture could have easily taken the backseat.

The committee's findings rang a familiar tone. Equifax, similar to Marriott International, made business decisions to amplify their standings in their respective markets. The deals were beneficial on a surface level.

However, mergers and acquisitions that don't wholly address security continuity and can lead to an unforeseen risk or massive data breach years down the line. There needs to be a synergy between business leadership and technical leadership when aggressive growth strategies are in the works.

Filed Under: Security

Editors' picks

Company Announcements

View all | Post a press release
New Research Reveals AI's Impact on IT's Power, Status, and Pay
From 1E
November 21, 2024
PointFive is Apparently the Hottest Cloud Startup, Here is Why
From Jordan Mitchell
November 21, 2024
Graphiant Predicts Transformative Changes in Enterprise Connectivity and Data Assurance for 20…
From Graphiant
November 20, 2024
Legion Technologies Partners with Vail Resorts to Expand Workforce Management Across 37 Resort…
From Legion Technologies
November 19, 2024
Editors' picks
Latest in Security
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell