
From Banking and Finance Law Daily, September 10, 2018

Warren, Cummings release GAO report on Equifax breach

By Nicole D. Prysby, J.D.

On September 7, Sen. Elizabeth Warren (D-Mass.) and Rep. Elijah E. Cummings (D-Md.) released a Government Accountability Office report detailing failures by Equifax in the 2017 cyber breach that exposed personal data of more than 145 million Americans. In the announcement, the legislators state that the report demonstrates that Equifax and other credit reporting agencies continue to profit from failing to protect personal information and that, so far, the administration has taken no enforcement action against the company. Warren also stated that the breach shows the need for legislation to protect consumers and that her proposed Data Breach Prevention and Compensation Act would have required Equifax to pay $1.5 billion in penalties for the breach.

As previously reported (see Banking and Finance Law Daily, Sept. 8, 2017), criminals exploited an Equifax website application vulnerability to gain access to consumer information in 2017. The information accessed included names, Social Security numbers, birth dates, addresses, and driver’s license numbers. According to the GAO report, the breach was accomplished using a specific vulnerability that the United States Computer Emergency Readiness Team had publicly identified two days before the intrusion began. The attack continued for over two months before it was discovered.

Report. The GAO report, Data Protection: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach (GAO-18-559), focuses on steps taken by Equifax following the breach and actions taken by federal agencies in response to the breach. After learning of the attack, Equifax blocked the access and investigated the factors that allowed the breach. The company concluded that it did not properly identify the vulnerability in the network and did not circulate the need for a patch to the responsible individuals. An expired digital certificate contributed to the attackers’ ability to communicate with compromised servers and steal data without detection. The failure to segment databases allowed the attackers to gain access to additional databases and remove large amounts of information. The attackers were able to query databases because they gained access to a database that contained unencrypted usernames and passwords for accessing additional databases.

Identity verification services. Following the announcement of the breach, the Internal Revenue Service, Social Security Administration, and U.S. Postal Service—three of the major federal customer agencies that use Equifax’s identity verification services—conducted assessments of the company’s security controls. These assessments identified a number of lower-level technical concerns that Equifax was directed to address. The IRS, SSA, and USPS also made adjustments to their contracts with Equifax, such as modifying notification requirements for future data breaches. In the case of IRS, one of its contracts with Equifax was terminated.

Investigation. In addition, the Consumer Financial Protection Bureau and Federal Trade Commission initiated an investigation into the breach and Equifax’s response in September 2017, but have not concluded their investigation. Warren and Cummings sent a letter to the CFPB and FTC seeking information on whether they plan to hold Equifax accountable for the data breach. The letter points out that Equifax had advance notice of its security vulnerabilities and its executives failed to make the breach public for more than a month after they discovered the intrusion. In the six months after the data breach, the CFPB received more than 20,000 complaints about Equifax, but to date there has been no action to hold the company accountable.

