Days after a report emerged that the Consumer Financial Protection Bureau might be pulling back its probe into the Equifax data breach under acting head Mick Mulvaney, Sen. Elizabeth Warren (D-MA) is releasing a new report on the incident that left the personal information of more than 145 million Americans exposed.
In September 2017, the consumer credit reporting agency revealed that millions of its US users had had their personal information, including Social Security numbers, birthdates, and addresses, compromised from mid-May through July 2017. It took about six weeks for Equifax to publicly announcing the breach, during which time three executives sold nearly $2 million worth of the company’s shares.
Warren’s report paints a damning portrait of Equifax’s handling of the data breach before, during, and after the incident. It highlights a number of findings already uncovered in various reports on and inquiries into the Equifax data breach as well as a handful of new details.
Among the findings: The data breach included the passport numbers of an unidentified number of Equifax customers. The company failed to follow its own internal procedures during the data breach, and it hedged in its language around the hack, telling consumers data was “accessed” and not openly saying it was “exfiltrated” — stolen. And Equifax took advantage of a federal contracting loophole, the report alleges, to get a $7 million contract with the IRS after the breach was revealed. The contract was eventually reversed.
“For years, Equifax and other big credit reporting agencies have been able to get away with profiting off using people’s private info and doing so without their explicit permission,” Warren told me in a phone interview. “We need real consequences for when they screw up.”
Warren’s office announced she would launch an investigation into the data breach soon after it was revealed in September, sending off letters to the CFPB, the Federal Trade Commission, the credit bureaus Equifax, Transunion, and Experian, and the Government Accountability Office demanding answers.
“Equifax makes it clear that if they get the chance, they’re going to wiggle off the hook for having put more than half of all adult Americans at risk for fraud for years to come because of the data that were stolen,” she said.
An Equifax spokesperson said in an email that the company has previously reported consumer data was stolen, which includes access and exfiltration, and said the company found “no evidence” that passport numbers were stolen.
As a reminder, the Equifax breach was really bad
Equifax in September 2017 revealed that 143 million of its US users — or about half of the country’s population — had their personal information compromised in a data breach that spanned several weeks in the spring and summer. (Equifax later revised up its number of consumers affected to 145.5 million.) The company waited about six weeks between discovering the data breach in late July and publicly announcing it in early September.
When it announced the breach, Equifax offered affected customers free credit monitoring and identity protection services — as long as they agreed to a forced arbitration clause that barred them from joining forces with other wronged customers to sue the company. After public outcry, the company dropped the clause.
Equifax CEO Richard Smith stepped down in late September and in October testified before the Senate Banking Committee and faced questions about Equifax’s handling of consumer data and the breach, executive stock sales, and broader issues pertaining to credit bureaus that handle the personal information of millions of consumers.
The Equifax breach has presented myriad problems before, during, and after
Warren’s report paints a damning portrait of Equifax’s handling of the data breach before, during, and after the incident, drawing from a variety of sources.
It criticizes the company’s flawed security system to prevent and mitigate data security problems and notes that it was warned of the vulnerability in the web application software, named Apache Struts, that was used to breach the system but failed to ensure the system was properly patched and updated. It also points out that Equifax received a specific warning from the Department of Homeland Security about the specific vulnerability the hackers took advantage of — something Smith, the company’s former CEO, discussed in his Senate Banking Committee hearing in October.
Once Equifax did figure out what happened, it made a number of missteps as well. As mentioned, it attempted to force affected customers into signing arbitration clauses.
The report characterizes Equifax’s overall response to the breach as “sorely inadequate,” noting that customers faced long waits to Equifax call centers and on the Equifax breach site were asked to input the last six digits of their Social Security numbers — the exact information that was compromised.
It holds that Equifax used the breach as a moneymaking opportunity by initially charting customers to freeze their credit (after backlash, it reversed the practice). LifeLock, an identity theft protection tool, saw a tenfold increase in sign-ups after the Equifax data breach was revealed. During the October Senate Banking Committee hearing, Smith in a back-and-forth with Warren acknowledged LifeLock uses Equifax to monitor its customers’ credit and pays Equifax on a per-customer basis.
The Equifax spokesperson said the company is not currently marketing any products directly to consumers and pointed out that credit freeze fees are waived until the end of June. The spokesperson also pointed to a new app it launched that is supposed to provide free credit report locking. Both the New York Times and Ars Technica reported problems with the app’s functionality after its launch.
Equifax has been awarded hundreds of federal contracts worth millions of dollars over the past decade, including one especially eyebrow-raising one after the breach was revealed in September of last year. The IRS awarded Equifax a $7.2 million no-bid contract to verify taxpayer identities, Politico first reported, but later suspended the contract after public backlash.
Warren’s report alleges that Equifax used loopholes in federal procurements laws to get an extension on the contract that was first awarded in 2015. There is no indication that any IRS data was exposed in the breach, but because of Equifax-caused delays — namely, its protests over losing the contract in the summer, and its delay in reporting the breach in the first place — “the IRS was forced to give Equifax an expensive bridge contract, and belatedly discovered … that Equifax was not able to effectively protect taxpayer data to IRS standards,” the report says.
There are plenty of possible consequences for Equifax, but it’s not clear what, if anything, will stick
Equifax confirmed in a November regulatory filing with the Securities and Exchange Commission that more than 240 class-action suits have already been filed against it. It is cooperating with multiple investigations and probes, including by all 50 state attorneys general, the FTC, the SEC, the Financial Industry Regulatory Authority (FINRA), and various congressional committees, among others. It also said it is cooperating with a CFPB investigation, though according to a Reuters report this week, Mulvaney, the bureau’s acting director, has pulled back its probe.
“We’re unveiling this report while Mick Mulvaney is killing the consumer agency’s probe into the Equifax breach. Mick Mulvaney shoots another middle finger at consumers,” Warren said.
John Czwartacki, a senior adviser to Mulvaney, said in an emailed statement that Mulvaney “takes data security issues very seriously” and is working with partners across government on the data breach. “As a policy, we do not confirm or deny enforcement or supervisory matters,” he said, pointing out that Equifax had “gone on the record” about a CFPB probe in its SEC regulatory filing. The bureau has said it is “looking into” the Equifax matter and that “reports to the contrary” are incorrect.
Warren has proposed legislation related to the Equifax breach. In January, she and Sen. Mark Warner (D-VA) introduced legislation meant to hold credit reporting agencies accountable that would give the FTC more direct supervisory authority over them and impose mandatory penalties for when they expose consumers’ data. Under the legislation, Warren and Warner estimate Equifax would have paid at least $1.5 billion in the 2017 data breach.
In September 2017, Warren and Sen. Brian Schatz (D-HI) put forth a bill that would force Equifax and its competitors to give free credit freezing and unfreezing services and provide customers with better fraud alert protections.
“Equifax may end up making money off of this deal, and that means their incentives are not aligned properly to ensure that they take care of the data they have,” Warren said.
Beyond Warren’s report, Sen. Tammy Baldwin (D-WI) this week has also focused her attention on Equifax. She wrote a letter to Federal Reserve Inspector General Mark Bialek calling for an investigation into the CFPB. Last year, she called for Equifax to send a letter to every consumer impacted by the company’s failures informing them about what happened.
Senate Minority Leader Chuck Schumer criticized Mulvaney over the Reuters Equifax report, saying he should “be bringing the hammer down” on the company “instead of handing out get out of jail free cards.”
RT if you agree the Trump admin’s hand-picked saboteur, Mick Mulvaney, should be bringing the hammer down on #Equifax instead of handing out get out of jail free cards and massive tax breaks to major corporations. https://t.co/AKpM4wlvdG— Chuck Schumer (@SenSchumer) February 5, 2018
The Equifax spokesperson said the company is committed to rebuilding trust with consumers and strengthening security, again touting its new app. “It will be a long journey, as regaining confidence is not something that can be done overnight, and cybersecurity is an immensely complex challenge that needs to be faced as an industry,” the spokesperson said. “We have committed to working with a number of different groups to explore ideas to better protect consumers from cybersecurity threats, and are currently collaborating with regulators, legislators, and government agencies.”
Warren says that’s not good enough. “There are two problems: both what Equifax did wrong and how they failed to disclose it once the breach had occurred,” she said. “That tells me this is not a company that is working hard to regain the trust of the American people. It tells me that this is a company that still is trying to maximize its return for its shareholders and ignore consumers.”
Read the full report
The full report is available here.