Senate Finance Committee Chairman Orrin Hatch (R-Utah) and Ranking Member Ron Wyden (D-Ore.) called on Equifax Inc. to respond to reports that the firm experienced a data breach exposing personally identifiable information such as Social Security numbers, birthdates, addresses and driver’s license numbers of approximately 143 million Americans. In addition, credit card information of more than 200,000 people was compromised.
“The scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers,” the senators wrote in a letter. “To make matters worse, Equifax is a critical partner of the Internal Revenue Service, Centers for Medicare & Medicaid Services, the Social Security Administration and other federal agencies that are the sources and recipients of some of the most sensitive information affecting individuals, as well as the targets of the vast majority of identity theft fraud against taxpayers.”
Each year, stolen personal data is used to commit billions of dollars of fraud against the U.S. Treasury in the form of stolen identity, fraudulent tax returns and Medicare and Medicaid fraud. This breach could have profound consequences for numerous federal agencies and programs within the Finance Committee’s jurisdiction that are vulnerable to this type of fraud.
The letter, below, requests details on the breach and information about what is being done to mitigate its effects.
Dear Mr. Smith,
The U.S. Senate Committee on Finance has jurisdiction over numerous federal agencies and programs that are vulnerable to fraud through the use of personally identifiable information (PII) such as names, Social Security numbers, and birth dates. The use of stolen PII results in tens of billions of dollars of fraud against the U.S. Treasury each year in the form of stolen identity, fraudulent tax refunds, Medicare and Medicaid fraud, in addition to other crimes. Furthermore, the use of stolen PII affects tens of millions of Americans each year through consumer fraud and identity theft.
On September 7, 2017, Equifax, Inc. (“Equifax”) announced that, on July 29, the company discovered a cybersecurity breach in which an unknown entity or entities accessed sensitive information—including names, Social Security numbers, birth dates, addresses, in some cases driver’s license numbers, and possibly other sensitive information—of approximately 143 million Americans. In addition, the breach exposed credit card numbers for about 209,000 Americans and sensitive dispute documents of approximately 182,000. Press reports indicate that the breach occurred between mid-May through July, when criminals gained access to Equifax systems and files by exploiting a vulnerability in the company’s website.
Equifax, in addition to retailers, health insurers, internet companies and federal government agencies, has been targeted in security breaches in recent years which have resulted in the theft of the PII of tens of millions of Americans. The scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers. To make matters worse, Equifax is a critical partner of the Internal Revenue Service, Centers for Medicare & Medicaid Services, the Social Security Administration and other federal agencies that are the sources and recipients of some of the most sensitive information affecting individuals, as well as the targets of the vast majority of identity theft fraud against taxpayers.
If the names, Social Security numbers, birth dates, and other information of 143 million Americans are now in the hands of cybercriminals, this breach will cause irreparable harm to programs within this Committee’s jurisdiction by way of stolen identity refund fraud, healthcare fraud, and entitlement fraud.
To help the Committee better understand what occurred, the consequences of the breach, and how we might respond to mitigate the damage, we ask that you respond to the following questions:
Provide the Committee a detailed timeline of the breach, including when it began, its discovery, the investigation of its scope and source, notification of authorities, efforts to notify customers and consumers, notification to the Equifax board of directors, and notification of Equifax senior executives – including, but not limited to, John Gamble Jr., Rodolfo Ploder, and Joseph Loughran.
Please describe Equifax’s efforts to identify the scope of affected consumers and breadth of information compromised.
What steps has Equifax taken to identify and limit potential consumer harm associated with this breach?
Does Equifax plan to provide notice to each affected consumer, or will it rely on the consumer-initiated checks found at “equifaxsecurity2017.com” to inform them?
The site states that “[t]he information accessed primarily includes names, Social Security numbers, birth dates, addresses, and, in some instances, driver’s license numbers,” (emphasis added). What other information was or may have been accessed on these accounts?
As a remedy to those whose PII was accessed, Equifax is offering free, temporary access to its own identity protection services. Does the firm plan to promote its paid service to these individuals at the end of the free year?
Credit monitoring can protect against identity thieves opening new accounts, but what protection does Equifax plan to offer consumers who may have had their existing credit accounts compromised?
The site’s terms of service contain a binding arbitration clause, barring participants of the program from participating in any class-action lawsuits that may arise from the incident. Friday morning, Equifax updated their terms of service to include an opt-out provision giving consumers 30 days to notify Equifax in writing that they do not wish to participate in the arbitration provision. Please explain the decision to require this opt-out to be made in writing. Do any other services provided by equifaxsecurity2017.com require consumers to contact Equifax in writing? Are there any technical barriers preventing Equifax from providing consumers the ability to opt out on the equifaxsecurity2017.com site?
Please describe the resources that Equifax has focused on its own information security. Does Equifax employ a Chief Information Security Officer? If so, to whom does this person report? How many full-time employees focus on information security? Do any members of Equifax’s board of directors have a background in information security?
In the past 24 months, how many times has Equifax employed third-party cyber security experts to conduct penetration tests of its internal and external systems? Has the company addressed all of the issues identified by these experts and implemented all of their recommendations? Please provide us with copies of all penetration test and audit reports produced for Equifax by outside cyber security firms.
Does Equifax have procedures in place to receive and act on vulnerability reports from outside parties including security researchers? If so, please describe these procedures, when they were implemented, and how frequently the company acts to remediate vulnerabilities identified by third-parties.
Equifax has stated that the breach occurred due to criminals exploiting “a U.S. website application vulnerability….” At the time that the breach first occurred, were all of Equifax’s Internet-facing applications’ security updates installed? Or were these exploited due to an unknown flaw?
Were records related to the Internal Revenue Service, Centers for Medicare & Medicaid Services, and Social Security Administration compromised in the breach? Has Equifax alerted or will it alert its federal agency customers about the degree and scope to which federal records may have been compromised?
Equifax maintains The Work Number database, which is the largest central repository of employer-related human resources and payroll information in the U.S. The database contains millions of employee records, including those of the majority of federal government employees and 75% of Fortune 500 companies. Was this information compromised?
In the wake of recent IRS data losses and inadvertent disclosures, the agency directed taxpayers to send sensitive information on dependent children to Equifax – including in some cases copies of Social Security cards, birth certificates, and other information. Was this information compromised?
Earlier this year, identity thieves stole W-2 tax data and other employee tax records via TALX, an Equifax subsidiary that provides online payroll and tax services. Please describe this incident in detail and explain what steps Equifax took to improve cybersecurity in the wake of this intrusion.
We ask that Equifax respond electronically to this request no later than Thursday, September 28, 2017. We also ask that you provide your answers on a question-by-question basis, indicating which question you are answering. Thank you in advance for your cooperation with this request.