news

U.S. Congresswoman Debbie Dingell (MI-12) and Democratic colleagues on the House Energy and Commerce Committee sent a letter to Equifax Chairman and CEO Richard Smith requesting more information about the massive data breach that exposed the sensitive personal information of approximately 143 Americans including Social Security numbers, addresses, driver’s license numbers, and credit card numbers. The members asked how the breach occurred and what steps the company is taking to protect consumers’ data and safeguard against future security breaches. Equifax’s public announcement occurred more than a month after the company discovered the data breach on July 29, 2017, and nearly four months after the unauthorized access first occurred.

“Your company profits from collecting highly sensitive personal information from American consumers – it should take seriously its responsibility to keep data safe and to inform consumers when its protections fail,” the Representatives wrote.

“We are writing with serious concerns about the immense scale of this data breach, and we have a number of questions about whether Equifax took appropriate steps to safeguard the personal information of consumers,” they continued. “We also have concerns about the amount of time it took for Equifax to notify the public of the breach and about the way Equifax is providing information to consumers.”

With an Energy and Commerce hearing expected in October, the members have requested answers to a series of questions prior to the hearing, including:

• Why did it take Equifax more than a month to announce this massive data breach? 
• How did Equifax determine that offering credit monitoring services for one year – provided by Equifax itself – would be adequate to make consumers whole? 
• How much money per year would an affected customer pay Equifax to extend the “complimentary” credit monitoring services beyond one year?  How much money would Equifax make after one year on credit monitoring services that would be unnecessary but for Equifax’s failure to safeguard consumer data?
• What measures is Equifax implementing after the event to improve the protection of consumer information residing on its network?
• What measures is the company taking to investigate the sale of stock in the aftermath of the company’s discovery of the data breach, including whether these or other executives sought to delay the announcement of the data breach?
• What measures, other than offering credit monitoring services and identity theft protection, is Equifax taking to mitigate harm to consumers?

Full text of the letter can be read here and below:

Richard F. Smith

Chairman and CEO, Equifax Inc.

1550 Peachtree Street NE

Atlanta, GA 30309

Dear Mr. Smith:

Equifax announced on Thursday, September 7, 2017, that hackers had compromised the sensitive personal data—including Social Security Numbers, birth dates, names, addresses and other information—of “approximately 143 million U.S. consumers.”^[i]  This announcement came more than a month after the company discovered the data breach on July 29, 2017, and nearly four months after the unauthorized access first occurred.^[ii] 

Equifax’s public announcement of the breach directed consumers to the website equifaxsecurity2017.com.  Almost immediately, reports surfaced of a number of problems with the website.^[iii]  Some browsers were flagging the website as a phishing scam.^[iv]  Consumers reported that to find out if their information was compromised, the website requested two-thirds of people’s Social Security numbers in combination with their last names.^[v]  And even after providing that information, the status of their personal information is unclear or misleading.^[vi]  People who checked the website on both their mobile device and a computer received different results.^[vii]  And false information entered into the fields provides the same result as real information.^[viii]

We are writing with serious concerns about the immense scale of this data breach, and we have a number of questions about whether Equifax took appropriate steps to safeguard the personal information of consumers.  We also have concerns about the amount of time it took for Equifax to notify the public of the breach and about the way Equifax is providing information to consumers. 

In order to access credit, and to participate in the modern economy, American consumers have virtually no choice but to entrust their sensitive personal information to the three main credit bureaus, including your company.  Consumers cannot avoid sharing their personal information with your company by simply choosing to transact business elsewhere, and many consumers may be unaware that your company actually has their personal information.  It is critical for companies like yours to protect consumer data, and to inform consumers when those protections fail. 

We seek answers to the following questions about what actions the company is taking to make consumers whole, how the breach occurred, and what the company is doing to safeguard against security breaches in the future:

1. Equifax’s press release stated that criminals exploited a “website application vulnerability to gain access to certain files.”^[ix]  What was the specific vulnerability that was exploited?  What is Equifax doing to identify other weaknesses in its data security program?  Does the company conduct regular security audits?  If so, how often?  Please explain in detail the process for any such security audits.
2. What security controls were in place that failed to protect sensitive consumer information?  How recently were these security controls audited?  How were the criminals able to conduct the exfiltration of consumer data by exploiting the website vulnerability?
3. Why were the Equifax network operations and security staff unaware that volumes of data involving 143 million U.S. consumers had been exfiltrated from the Equifax network for so long?  Does Equifax regularly monitor for intrusions into its network?  Was it conducting regular monitoring during the time of the breach?
4. This breach is the third that Equifax has experienced in two years.^[x]  What changes to its data security plans and procedures did Equifax make following each of the two previous data breaches?
5. What operational and technical measures is Equifax implementing after the event to improve the protection of consumer information residing on its network?
6. Equifax’s press release notes that the “information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers,” but that for some consumers, credit card numbers and “certain dispute documents with personal identifying information … were accessed.”^[xi]  What specific dispute documents were accessed in this breach?  What other personal identifying information was compromised?
7. Why did it take Equifax more than a month to announce this massive data breach?  What specific actions did Equifax take in this time to protect consumer information and mitigate potential harms to consumers resulting from the breach?
8. What is Equifax doing to notify individual consumers whose information was compromised in the data breach?  According to Equifax’s press release, the company will directly notify consumers “whose credit card numbers or dispute documents with personal identifying information were impacted.”^[xii]  Does this mean that Equifax will directly notify only a portion of the 143 million consumers whose personal information was compromised?
9. What federal and state officials has Equifax notified of the data breach?  When did Equifax notify these officials?  It is our understanding that consumers in the United Kingdom and Canada were also affected by this breach.  When and how were those consumers and government officials notified?
10. Bloomberg has reported that three senior executives of Equifax “sold shares worth almost $1.8 million” on August 1, 2017—just days after the company discovered the breach on July 29, 2017.^[xiii]  What measures is the company taking to investigate the sale of stock in the aftermath of the company’s discovery of the data breach, including whether these or other executives sought to delay the announcement of the data breach?  What date did these officials find out that there was a breach?
11. What procedures does Equifax have in place for notifying senior officers within the company in the event of a data breach?  Did Equifax comply with those procedures in this case?  Are senior officials notified of every unauthorized access or unauthorized acquisition of company or consumer information?  At what point are they notified?
12. Equifax provides credit monitoring services to companies whose customers have been affected by data breaches.  In this case, the very company whose data was breached is itself providing its own customers with credit monitoring services.  Equifax’s press release states that the company will provide affected consumers with credit monitoring services and identity theft protection “complimentary to U.S. consumers for one year.”^[xiv] 
    1. What analysis did the company do to determine that one year of complimentary credit monitoring services and identity theft protection—provided by Equifax itself—would be adequate to make consumers whole?  How does this service differ from the Equifax product known as Equifax ID Patrol and other services sold as part of Equifax’s regular business?
    2. How much money per year would an affected consumer who received this free service pay Equifax to extend the “complimentary” services beyond one year? 
    3. Has Equifax estimated how much money it would make per year if every one of the 143 million consumers affected by Equifax’s data breach signed up for Equifax’s credit monitoring service and identity theft protection?  In short, how much money would Equifax make after one year on credit monitoring services that would be unnecessary but for Equifax’s failure to safeguard consumer data?
13. To sign up for TrustedID Premier, Equifax’s credit monitoring service and identify theft protection offered to consumers in connection with this breach, a consumer must agree to the TrustedID Premier terms of use, which initially included an arbitration clause—language that New York Attorney General Eric Schneiderman called “unacceptable and unenforceable.”^[xv]  How did Equifax arrive at the decision to include an arbitration clause in its product’s terms of use?  After first attempting to clarify that “the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident,” Equifax ultimately removed the arbitration language from its TrustedID Premier terms of use.^[xvi]  However, the arbitration clause in Equifax’s general terms of use on its website remains.^[xvii]  Will Equifax attempt to enforce this or any other arbitration clause against consumers who choose to use the TrustedID Premier service or consumers affected by the data breach, including those affected consumers who had previously purchased or subscribed to an Equifax product?
14. What measures, other than offering credit monitoring services and identity theft protection, is Equifax taking to mitigate harm to consumers?
15. Will Equifax waive fees associated with consumers’ freezing their credit with Equifax?  Will Equifax pay for consumers affected by the breach to freeze their credit with the other credit bureaus?
16. Finally, at the request of members of the Energy and Commerce Committee, the Government Accountability Office is evaluating the effectiveness of credit monitoring and other services in protecting consumers after a data breach.^[xviii]  What analysis has Equifax done to determine whether its monitoring services and identity theft protection, both offered for free in the wake of this breach or sold as a regular product, are effective in preventing identity theft or otherwise protecting consumers after a data breach?

Your company profits from collecting highly sensitive personal information from American consumers—it should take seriously its responsibility to keep data safe and to inform consumers when its protections fail.  Your assistance in this matter is greatly appreciated, and we look forward to receiving a response by September 22, 2017.  Answers to these questions will also help us prepare for a Committee hearing on this issue that is planned for either later this month or in October.  If you have any questions, please contact the minority committee staff of the House Energy and Commerce Committee at (202) 225-3641.   

Sincerely,