A financial index provider foretold the Equifax Inc. data breach more than a year ago, warning that the rating agency “is vulnerable to data theft and security breaches.”

In an August 2016 report, MSCI Inc. – which selects index stocks based on its analysis of a company’s performance on environmental, social and governance issues – concluded that “Equifax shows no evidence of data breach plans or regular audits of its information security policies and systems.”

“Equifax’s data security and privacy measures have proved insufficient in mitigating data breach events,” MSCI cautioned.  “The company’s credit reporting business faces a high risk of data theft and associated reputational consequences. The 2016 breach of tax and salary data of 431,000 employees’ belonging to its key client (Kroger’s) is a key example of this risk materializing”

MSCI assigned a “zero” score to Equifax’s privacy and data security on a 10-point scale and downgraded the company to its lowest rating.

News of the MSCI warning surfaced last week after the credit reporting agency’s former CEO, Richard F. Smith, spent three days testifying in Washington, D.C. before four separate congressional committees. 

While Mr. Smith’s week in Washington was punctuated by angry lawmakers grilling him about the company’s lack of cyber hygiene – interspersed with frequent apologies from Smith – the former CEO did confirm the root cause of the breach which exposed the records of more than 145 U.S. consumers. In his testimony, Smith referred to “an individual” in the company’s IT department who failed to follow security warnings and did not ensure that a software vulnerability was patched.  The company previously disclosed that the breach was due to an unpatched software flaw but Smith said “human error and technology failures” were to blame.