UPDATED: This story has been updated with comment from Equifax.
The two leaders of the Senate Finance Committee sent a letter Monday to Equifax Chairman and CEO Rick Smith demanding information about the mammoth breach that compromised the personal information of 143 million U.S. consumers.
The letter from U.S. Sens. Orrin Hatch, R-Utah, and Ron Wyden, D-Ore., seeks information about Equifax’s digital security infrastructure, further details about the personal information that was lost, and whether any government data was also exposed by criminal hackers. The senators also request a detailed timeline of when the company learned of the breach and how it responded.
“The use of stolen [personal information] results in tens of billions of dollars of fraud against the U.S. Treasury each year in the form of stolen identity, fraudulent tax refunds, Medicare and Medicaid fraud, in addition to other crimes,” the letter states. “Furthermore, the use of stolen [personal information] affects tens of millions of Americans each year through consumer fraud and identity theft.”
Equifax has said the hacking happened from mid-May to July and wasn’t discovered until July 29.
Equifax has given few details about how the data was accessed and whether it was its own operations that were breached or those of an outside vendor. The company said only that “criminals exploited a U.S. website application vulnerability to gain access to certain files.”
The letter, first reported by Reuters, underscores the seriousness of the breach that’s rocked the Atlanta-based Fortune 500 company, which plays a crucial role in the American financial system. Equifax, which traces its roots to the 1890s, helps banks decide whether to lend people money for homes and cars and whether to issue credit cards.
Equifax and fellow credit bureaus Experian and TransUnion also weigh in when you’re seeking a job, rental housing or insurance, helping companies verify whether you are who you say you are.
Committee Chairman Hatch and Ranking Member Wyden ask for a response to the letter by Sept. 28.
“These are very complicated issues, and we expect to be engaging with regulators and legislators in the future,” Equifax said in a statement. “Senators Hatch and Wyden raise many topics in their letter on behalf of the U.S. Senate Finance Committee, and we plan to be responsive in helping them to gather the information the Committee needs about this situation.”
The statement included a link where the company is providing updates to consumers, https://www.equifaxsecurity2017.com/.
Beyond the letter from Hatch and Wyden, the House Financial Services Committee has called for hearings, and the company is now the subject of a number of class action lawsuits.
The company counts the federal government among its customers, a fact noted in the letter.
“To make matters worse, Equifax is a critical partner of the Internal Revenue Service, Centers for Medicare & Medicaid Services, the Social Security Administration and other federal agencies that are the sources and recipients of some of the most sensitive information affecting individuals, as well as the targets of the vast majority of identity theft fraud against taxpayers,” the letter said.
The senators demand answers to about a dozen and a half questions about Equifax’s business, when it learned of the breach and about sales of stock by three Equifax executives days after the company learned of the breach but before the cyber theft had been made public. Equifax has said the executives were not aware of the breach when they sold their shares.
The first question seeks a timeline of the breach, including “when it began, its discovery, the investigation of its scope and source, notification of authorities, efforts to notify customers and consumers, notification to the Equifax board of directors, and notification of Equifax senior executives — including, but not limited to, John Gamble Jr., Rodolfo Ploder, and Joseph Loughran.”
Gamble, Ploder and Loughran are the three executives who sold stock in the days after the July 29 discovery of the breach.