Senators Demand Answers From Equifax About Security and Suspicious Trades
But serious questions remain: Could the breach have been easily averted? Was this "cybersecurity incident" truly an advanced assault, meticulously planned and executed in such a way that Equifax could not be reasonably expected to stop it? Or is this simply yet another case of gross corporate negligence-a failure for which the American public will inevitably suffer?
bipartisan letter signed Monday
by leaders of the
The letter, co-signed by the committee's Republican chairman, Sen.
The senators continue: "To make matters worse, Equifax is a critical partner of the Internet Revenue Service, Centers for Medicare & Medicaid, the Social Security Administration and other federal agencies that are the sources and recipients of... some of the most sensitive information affecting individuals, as well as the targets of the vast majority of identity theft fraud against taxpayers."
Among a myriad of particulars surrounding the incident, the committee has requested of Equifax a detailed timeline of the breach itself-including, most conspicuously, information about when its board of directors were first notified. Sen. Wyden's office is hoping, Gizmodo has learned, that those details will shed light on what specifically Equifax's executives knew amid suspicious financial activity at the company early last month.
Three Equifax executives sold roughly $1.8 million worth of company shares in August, just days after the company says the breach was discovered. A company spokesperson says the executives "had no knowledge" of the breach when the sales took place. But analysts have now characterized as "unusual" a significant uptick in Equifax options traded in the period between when the breach was discovered and when the company notified the public 41 days later.
What's more, the committee has asked Equifax's CEO to account for what caused the so-called "website application vulnerability" that the company claims was exploited by "criminals" to achieve the "intrusion." The questions seem crafted to uncover whether Equifax itself should share in the blame.
"At the time of the breach first occurred, were all of Equifax's Internet-facing applications' security dates installed? Or were these exploited due to an unknown flaw?" the letter asks. Moreover, the committee wants to know what procedures Equifax had in place, if any, to "receive and act on vulnerability reports from outside parties including security researchers?"
Equifax is asked as well to offer a more exhaustive description of the data potentially stolen and the steps it's taken to identify and limit potential harm to consumers. The committee is also concerned about whether records from any of the aforementioned federal agencies that partner with Equifax may have been compromised as well.
"Equifax maintains The Work Number database, which is the largest central repository of employer-related human resource and payroll information in the U.S.," the letter says. "The database contains millions of employee records, including those of the majority of federal government employees and 75% of Fortune 500 companies. Was this information compromised?"
Equifax's CEO, whom the senators thanked in advance for his cooperation, is asked to submit the company's responses "no later than Thursday, September 28, 2017."
Read a full copy of the committee's letter below.