Add another big name to the list that wants answers from Equifax over its massive data breach that exposed the personal information of 143 million people.
Equifax is facing investigations from the Consumer Financial Protection Bureau, the House Financial Services Committee, and the office of New York Attorney General Eric Schneiderman. On Tuesday, Massachusetts Attorney General Maura Healey announced that the state plans to sue the credit reporting agency for failing to protect the personal information of approximately three million of the state’s residents.
But that’s not all.
The leaders of the Senate Finance Committee want answers too.
In a rare moment of bipartisanship, Sens. Orrin Hatch, R-Utah, and Ron Wyden, D-Oregon, sent a letter on Monday to Equifax, suggesting that the data stolen from Equifax could have “profound consequences” to consumers and federal agencies alike.
“The scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers,” the senators wrote in the letter. “To make matters worse, Equifax is a critical partner of the Internal Revenue Service, Centers for Medicare & Medicaid Services, the Social Security Administration and other federal agencies that are the sources and recipients of some of the most sensitive information affecting individuals, as well as the targets of the vast majority of identity theft fraud against taxpayers.”
According to the senators’ letter, every year, stolen personal data is used to commit “billions of dollars against the U.S. Treasury in the form of stolen identity, fraudulent tax returns and Medicare and Medicaid fraud.”
And the senators state that the impact of the Equifax breach could be significant.
“If the names, Social Security numbers, birth dates, and other information of 143 million Americans are now in the hands of cybercriminals, this breach will cause irreparable harm to programs within this Committee’s jurisdiction by way of stolen identity refund fraud, healthcare fraud, and entitlement fraud,” the senators write.
In the letter, the senators include 13 questions that they want Equifax to provide answers for by the end of the month.
The senators state that they want more information from Equifax to “better understand what occurred, the consequences of the breach, and how we might respond to mitigate the damage.” Included among the senators’ questions are:
Provide the Committee a detailed timeline of the breach, including when it began, its discovery, the investigation of its scope and source, notification of authorities, efforts to notify customers and consumers, notification to the Equifax board of directors, and notification of Equifax senior executives – including, but not limited to, John Gamble Jr., Rodolfo Ploder, and Joseph Loughran.
What steps has Equifax taken to identify and limit potential consumer harm associated with this breach?
Please describe the resources that Equifax has focused on its own information security. Does Equifax employ a Chief Information Security Officer? If so, to whom does this person report? How many full-time employees focus on information security? Do any members of Equifax's board of directors have a background in information security?
In the past 24 months, how many times has Equifax employed third-party cyber security experts to conduct penetration tests of its internal and external systems? Has the company addressed all of the issues identified by these experts and implemented all of their recommendations? Please provide us with copies of all penetration test and audit reports produced for Equifax by outside cyber security firms.
Were records related to the Internal Revenue Service, Centers for Medicare & Medicaid Services, and Social Security Administration compromised in the breach? Has Equifax alerted or will it alert its federal agency customers about the degree and scope to which federal records may have been compromised?