Sen. Elizabeth Warren, D-Mass., released the findings of a four-month investigation into how Equifax failed to protect the personal data of more than 145 million Americans.

The new 15-page report containing the findings concludes that Equifax set up a flawed system to prevent and mitigate data security problems, ignored numerous warnings of risks to sensitive data, and failed to notify consumers, investors and regulators about the breach in a timely fashion.

The report also concludes that Equifax took advantage of federal contracting loopholes and failed to protect IRS taxpayer data, and inadequately assisted consumers following the breach.

“For years, Equifax and other big credit reporting agencies have been able to get away with profiting off cheating people,” Warren said in a statement. “Our report provides answers about what went wrong at Equifax and concludes that to hold Equifax and its peers accountable, we need real consequences for when they screw up.” 

The investigation found that the breach was made possible because Equifax adopted weak cybersecurity measures that failed to protect consumer data. The report notes that the CEO at the time of the breach, Richard Smith, testified that despite record profits in recent years, Equifax spent only a fraction of its budget on cybersecurity – approximately 3% of its operating revenue over the last three years. In contrast, the report notes, Equifax paid nearly twice as much in dividends to shareholders.

Warren opened the investigation one week after Equifax revealed its breach on Sept. 7, 2017. As part of the investigation, Warren questioned Equifax executives in Senate hearings, consulted outside experts, and sent letters containing dozens of questions to Equifax, to federal regulators and to other credit reporting agencies.

Warren’s findings come on the heels of recent reports that Office of Management and Budget Director Mick Mulvaney, who took over operational control of the Consumer Financial Protection Bureau, has “pulled back” from a probe into Equifax’s failure to protect Americans’ personal information.

“The American public deserves answers – and Mick Mulvaney needs to let the CFPB do its job and investigate Equifax’s massive data breach, not shut it down,” Warren also said in a statement.

Equifax is under investigation by the Federal Trade Commission and every state attorney general and faces more than 240 class action lawsuits, Reuters reported.

TransUnion, another credit bureau, told the newswire that the CFPB did not have the legal authority to investigate Equifax over cybersecurity concerns, but a spokesman for the bureau said it had the tools to do so.

Warren stresses in the report that federal legislation is necessary to prevent and respond to future breaches.

This legislation needs to establish appropriate fines for credit reporting agencies that allow serious cybersecurity breaches on their watch, according to Warren. It should also empower the Federal Trade Commission to establish basic standards to ensure that credit reporting agencies are adequately protecting consumer data.

In early January, Warren and Sen. Mark Warner, D-Va., introduced the Data Breach Prevention and Compensation Act that aims to do both of these things.