After the credit monitoring company Equifax announced that it had detected a data breach affecting potentially 143 million U.S. consumers, Rep. Ted Lieu, D-Calif., is calling for a House Judiciary Committee hearing to investigate the breach.
“According to reports, hackers penetrated a Web-based application for Equifax and subsequently obtained credit card numbers for 209,000 consumers and credit dispute documents for 182,000 users,” Lieu wrote in a letter to the committee chairman and ranking member. “It appears that Social Security numbers, birthdates, and home addresses may have been compromised as well.
“In light of recent events, I request the Committee call upon representatives from the ‘Big Three’ credit reporting agencies–Experian, TransUnion, and Equifax–to testify not only on the breach that occurred in May 2017, but also to identify how each company is taking proactive, defensive steps to prevent such breaches in the future.”
According to the Equifax announcement, the information involved includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.
“On the technical side, it is critical that we learn what application was exploited, and what vulnerability was leveraged, so that other companies can take defensive action,” said Kenneth Geers, senior research scientist at Comodo, NATO Cyber Centre ambassador, and former NSA/NCIS analyst. “It is alarming that, despite past cybersecurity compromises, Equifax today apparently has no chief information security officer (CISO) to talk to.”
A class-action lawsuit has already been filed on behalf of consumers Mary McHill and Brook Reinhard against the company for allegedly not taking enough steps to ensure the security of consumer data.
“In an attempt to increase profits, Equifax negligently failed to maintain adequate technological safeguards to protect Ms. McHill and Mr. Reinhard’s information from unauthorized access by hackers,” wrote Oregon attorney Michael Fuller in the complaint. “Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach. Equifax could have and should have substantially increased the amount of money it spent to protect against cyber-attacks but chose not to.”
Equifax discovered the breach on July 29, and announced it to the public Sept. 7. Lieu noted in his letter that it was “disturbing” that Equifax took six weeks to inform users that their data had been breached.
The company also faces suspicion over filings with the Securities and Exchange Commission that revealed that three executives sold shares shortly after the breach was discovered.
“The sheer size of this breach, which spans at least the U.S., Canada, and Great Britain, may have frightened some Equifax officials into selling a portion of their company shares,” said Geers.
“Congress has a strong role to play in preventing such attacks on our financial and IT infrastructure, and must hold those entrusted with our most sensitive data to account,” Lieu wrote.
The company has set up a website for consumers to figure out if their information has been compromised and sign up for credit monitoring.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Equifax Chairman and CEO Richard F. Smith. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.”
“Cybercriminals would like to have enough information about you that they can in effect become you, and Equifax possesses that quantity and quality of data,” said Geers. “Even if you are not a customer, Equifax likely has a lot of data about you, and you should take proactive steps in response to this hack.”
Contributing: Morgan Lynch