While Equifax refrained from using the word “hacked” last week, the credit reporting agency, nevertheless, disclosed a serious breach of its security involving the personal and sensitive information of an estimated 143 million Americans.
But serious questions remain: Could the breach have been easily averted? Was this “cybersecurity incident” truly an advanced attack, meticulously planned and executed in such a way that Equifax could not have been reasonably expected to stop it? Or is this yet another case of gross corporate negligence, a failure for which the American public will be left to suffer?
A bipartisan letter signed Monday by leaders of the Senate Finance Committee demands answers to these questions and more from Equifax Chairman and CEO Richard Smith. And the Committee expects to hear those answers by the end of the month.
The letter, co-signed by the committee’s Republican chairman, Sen. Orrin Hatch, and its ranking Democrat, Sen. Ron Wyden, spells out precisely why the public deserves to know the truth: “The scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers.”
The senators continue: “To make matters worse, Equifax is a critical partner of the Internet Revenue Service, Centers for Medicare & Medicaid, the Social Security Administration and other federal agencies that are the sources and recipients of… some of the most sensitive information affecting individuals, as well as the targets of the vast majority of identity theft fraud against taxpayers.”
Among a myriad of particulars surrounding the incident, the committee has requested of Equifax a detailed timeline of the breach itself—including, most conspicuously, information about when its board of directors were first notified. Sen. Wyden’s office is hoping, Gizmodo has confirmed, that those details will shed light on what specifically Equifax’s executives knew amid suspicious financial activity at the company early last month.
Three Equifax executives sold roughly $1.8 million worth of company shares in August, just days after the company says the breach was discovered. A company spokesperson says the executives “had no knowledge” of the breach when the sales took place. But analysts have now characterized as “unusual” a significant uptick in Equifax options traded in the period between when the breach was discovered and when the company notified the public 41 days later.
What’s more, the committee has asked Equifax’s CEO to account for what caused the so-called “website application vulnerability” that the company claims was exploited by “criminals” to achieve the “intrusion.” The questions seem crafted to uncover whether Equifax itself should share in the blame.
“At the time the breach first occurred, were all of Equifax’s Internet-facing applications’ security updates installed? Or were these exploited due to an unknown flaw?” the letter asks. Moreover, the committee wants to know what procedures Equifax had in place, if any, to “receive and act on vulnerability reports from outside parties including security researchers?”
Equifax is asked as well to offer a more exhaustive description of the data potentially stolen and the steps it’s taken to identify and limit potential harm to consumers. The committee is also concerned about whether records from any of the aforementioned federal agencies that partner with Equifax may have been compromised as well.
“Equifax maintains The Work Number database, which is the largest central repository of employer-related human resource and payroll information in the U.S.,” the letter says. “The database contains millions of employee records, including those of the majority of federal government employees and 75% of Fortune 500 companies. Was this information compromised?”
The Senators asked Equifax’s CEO to respond “no later than” Sept. 28.
Read a full copy of the committee’s letter below: