Congress Acts to Investigate Equifax’s Massive Cybersecurity Leak

On September 7, the credit-monitoring company Equifax announced a cybersecurity breach that potentially impacted 143 million Americans. 

“It was a painful announcement because of the concern and frustration this incident has created for so many consumers. We apologize to everyone affected. This is the most humbling moment in our 118-year history,” wrote Richard F. Smith, CEO of Equifax, in a letter on September 12. 

Not only was tens of millions of U.S. resident’s personal information compromised, the company is being criticized for waiting six weeks to officially announce the breach.  

“Equifax Security first discovered the intrusion on July 29. Understandably, many people are questioning why it took six weeks to report the incident to the public. Shortly after discovering the intrusion, we engaged a leading cybersecurity firm to conduct an investigation,” wrote Smith. “At the time, we thought the intrusion was limited. The team, working with Equifax Security personnel, devoted thousands of hours during the following weeks to investigate.” 

Smith has assured the public that the Equifax team is “doing everything they can” and that they are working “around the clock.” 

“We took the unprecedented step of offering credit file monitoring and identity theft protection to every U.S. consumer. Every consumer, whether affected or not, has the option of signing up for the services,” wrote Smith. “We are devoting extraordinary resources to make sure this kind of incident doesn’t happen again. We will make changes and continue to strengthen our defenses against cyber crimes. We will make sure every consumer who wants protection has a full package of services. And we will continue to update everyone on our progress.”

The breach has been deemed as one of the biggest in history due to its size and the sensitive personal data the company has access to. Millions of birth dates, social security numbers, and driver license numbers have been collected to run credit reports by Equifax.  

“The firm set up a website allowing individuals to check if their information was potentially compromised, but it requires users to plug in their last name and last six digits of their Social Security numbers. That raises the question of why anyone would trust Equifax with even a partial Social Security number at this stage,” writes LA Times.  

With that being said, the massive breach has concerned high-ranking U.S. lawmakers. Last week, House Financial Services Committee Chairman Jeb Hensarling (R-Tex.) said that his committee is going to hold a hearing on the breach.

“This is obviously a very serious and very troubling situation and our committee has already begun preparations for a hearing,” said Hensarling in a statement. “Large-scale security breaches are becoming all too common. Every breach leaves consumers exposed and vulnerable to identity theft, fraud and a host of other crimes, and they deserve answers.”

Another chairman, Greg Walden of the House Energy and Commerce Committee also is planning to hold a hearing about the data breach and has requested a testimony from Smith on October 3.

“After receiving an initial briefing from Equifax, I have decided to hold a hearing on the matter so that we can learn what went wrong and what we need to do to better protect consumers from serious breaches like this in the future,” said Walden. 

“We look forward to hearing directly from Mr. Smith on this unprecedented breach that has raised serious questions about the security of consumers’ personal information,” said Walden in a joint statement with Rep. Bob Latta. “We know members on both sides of the aisle appreciate Mr. Smith’s willingness to come before the committee and explain how our constituents might be impacted and what steps are being taken to rectify this situation.” 

But wait, there’s more…

Congressman Ted W. Lieu (D-Calif.) wrote a letter to the House Judiciary Committee urging them to further investigate. Lieu wants all credit reporting agencies, not just Equifax to share their cybersecurity practices. 

“Ultimately, consumer credit agencies should be one of our lines of defense against cyber attacks, and it is deeply disturbing whenever a firm that holds such valuable information gets breached,” said Lieu.  

Sadly, this isn’t the first time Equifax has had a lapse in cybersecurity either. 

“That suit related to a May 2016 incident in which Equifax’s W-2 Express website had suffered an attack that resulted in the leak of 430,000 names, addresses, social security numbers and other personal information of retail firm Kroger. Lawyers for the class action plaintiffs argued Equifax had “wilfully ignored known weaknesses in its data security, including prior hacks into its information systems,” writes Forbes. 

Then in May 2017, Equifax alerted customers of another breach. 

“As independent cybersecurity reporter Brian Krebs reported in May 2017 an Equifax note to customers that hackers had used personal information to guess personal questions of employees in order to reset the 4-digit PIN given and stolen tax data. In its disclosure, Equifax said the unauthorized access to the information occurred between April 17, 2016, and March 29 the following year,” writes Forbes. 

Then in January 2017, Equifax confessed that a “small number” of customers at partner LifeLock had their data leaked.  

And the list of data leaks by Equifax just goes on and on… 

Author’s note: This is terrifying. Lieu has a point; all credit reporting agencies need to share how they are protecting customer’s sensitive personal information. With the information Equifax has that now has been leaked, identity theft is bound to happen.