By Nicole D. Prysby, J.D.
On September 7, Sen. Elizabeth Warren (D-Mass.) and Rep. Elijah E. Cummings (D-Md.) released a Government Accountability Office report detailing failures by Equifax in the 2017 cyber breach that exposed personal data of more than 145 million Americans. In the announcement, the legislators state that the report demonstrates that Equifax and other credit reporting agencies continue to profit while failing to protect personal information, and that the administration has so far taken no enforcement action against the company. Warren also stated that the breach shows the need for legislation to protect consumers and that her proposed Data Breach Prevention and Compensation Act would have required Equifax to pay $1.5 billion in penalties for the breach.
As previously reported (see Banking and Finance Law Daily, Sept. 8, 2017), criminals exploited an Equifax website application vulnerability to gain access to consumer information in 2017. The information accessed included names, Social Security numbers, birth dates, addresses, and driver’s license numbers. According to the GAO report, the breach was accomplished using a specific vulnerability that the United States Computer Emergency Readiness Team had publicly identified two days before the intrusion began. The attack continued for over two months before it was discovered.
Report. The GAO report, Data Protection: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach (GAO-18-559), focuses on steps taken by Equifax following the breach and actions taken by federal agencies in response to the breach. After learning of the attack, Equifax blocked the access and investigated the factors that allowed the breach. The company concluded that it did not properly identify the vulnerability in the network and did not circulate the need for a patch to the responsible individuals. An expired digital certificate contributed to the attackers’ ability to communicate with compromised servers and steal data without detection. The failure to segment databases allowed the attackers to gain access to additional databases and remove large amounts of information. The attackers were able to query databases because they gained access to a database that contained unencrypted usernames and passwords for accessing additional databases.
Identity verification services. Following the announcement of the breach, the Internal Revenue Service, Social Security Administration, and U.S. Postal Service—three of the major federal customer agencies that use Equifax’s identity verification services—conducted assessments of the company’s security controls. These assessments identified a number of lower-level technical concerns that Equifax was directed to address. The IRS, SSA, and USPS also made adjustments to their contracts with Equifax, such as modifying notification requirements for future data breaches. In the case of IRS, one of its contracts with Equifax was terminated.
Investigation. In addition, the Consumer Financial Protection Bureau and Federal Trade Commission initiated an investigation into the breach and Equifax’s response in September 2017, but have not concluded their investigation. Warren and Cummings sent a letter to the CFPB and FTC seeking information on whether they plan to hold Equifax accountable for the data breach. The letter points out that Equifax had advance notice of its security vulnerabilities and its executives failed to make the breach public for more than a month after they discovered the intrusion. In the six months after the data breach, the CFPB received more than 20,000 complaints about Equifax, but to date there has been no action to hold the company accountable.