Sen. Elizabeth Warren, D-Mass., released the findings of afour-month investigation into how Equifax failed to protect the personal dataof more than 145 million Americans.

The new 15-page report containing the findingsconcludes that Equifax set up a flawed system to prevent andmitigate data security problems, ignored numerous warnings of risksto sensitive data, and failed to notify consumers, investors andregulators about the breach in a timely fashion.

The report also concludes that Equifax took advantage of federalcontracting loopholes and failed to protect IRS taxpayer data, andinadequately assisted consumers following the breach.

“For years, Equifax and other big credit reporting agencies havebeen able to get away with profiting off cheating people,” Warrensaid in a statement. “Our report provides answers about whatwent wrong at Equifax and concludes that to hold Equifax and itspeers accountable, we need real consequences for when they screwup.”

The investigation found that the breach was made possiblebecause Equifax adopted weak cybersecurity measures that failed toprotect consumer data. The report notes that the CEO at the time ofthe breach, Richard Smith, testified that despite record profits inrecent years, Equifax spent only a fraction of its budget oncybersecurity – approximately 3% of its operating revenue over thelast three years. In contrast, the report notes, Equifax paidnearly twice as much in dividends to shareholders.

Warren opened the investigation one week afterEquifax revealed its breach on Sept. 7, 2017. As part of theinvestigation, Warren questioned Equifax executives in Senatehearings, consulted outside experts, and sent letters containingdozens of questions to Equifax, to federal regulators and to othercredit reporting agencies.

Warren’s findings come on the heels ofrecent reports that Office of Management and BudgetDirector Mick Mulvaney, who took over operational control ofthe Consumer Financial Protection Bureau, has “pulled back”from a probe into Equifax’s failure to protect Americans’ personalinformation.

“The American public deserves answers – and Mick Mulvaney needsto let the CFPB do its job and investigate Equifax’s massive databreach, not shut it down,” Warren also said in a statement.

Equifax is under investigation by the Federal Trade Commissionand every state attorney general and faces more than 240 classaction lawsuits, Reuters reported.

TransUnion, another credit bureau, told the newswire that theCFPB did not have the legal authority to investigate Equifax overcybersecurity concerns, but a spokesman for the bureau said it hadthe tools to do so.

Warren stresses in the report that federal legislation isnecessary to prevent and respond to future breaches.

This legislation needs to establish appropriate fines for creditreporting agencies that allow serious cybersecurity breaches ontheir watch, according to Warren. It should also empower theFederal Trade Commission to establish basic standards to ensurethat credit reporting agencies are adequately protecting consumerdata.

In early January, Warren and Sen. Mark Warner, D-Va., introducedthe Data Breach Prevention and Compensation Act that aims todo both of these things.