February 09, 2018

Warren Calls on Equifax to Clarify Conflicting, Confusing, and Incomplete Information Provided to Congress and the Public on 2017 Data Breach

WSJ Report Confirms that Equifax Failed to Disclose the Full Extent of Massive Data Breach; New Allegations Come Two Days After Warren Release of Equifax Investigation

Text of the letter available here (PDF)

Washington, DC - United States Senator Elizabeth Warren (D-Mass.) today sent a letter to Equifax CEO Paulino do Rego Barros Jr. on the conflicting, confusing, and incomplete information provided by the company to Congress regarding the extent of the massive 2017 data breach that compromised the personal identifying information (PII) of over 145 million Americans. A new report today by the Wall Street Journal confirms that Equifax failed to fully disclose the extent of the breach, and raises additional questions about the breach, about Equifax's response, and about the completeness and veracity of information provided to Congress and the American public.

According to the Wall Street Journal, hackers accessed "data such as tax identification numbers, email addresses, and drivers' license information beyond the license numbers (Equifax) originally disclosed." In testimony before Congress, and in documents provided to Congress and released to the public in 2017, Equifax failed to disclose any of this additional information. The fact that this additional information was potentially hacked was provided to the Senate Banking Committee in early 2018 - but was not released to the public. Unveiled earlier this week, Senator Warren's nearly five-month-long investigation also contained new information indicating that the breach may have been even more extensive than disclosed by Equifax.

In questions for the record to Equifax following the Banking Committee's October 4, 2017 hearing, Senator Warren asked a simple question: "What was the precise extent of the breach?" Equifax responded as follows (emphasis added):

As part of the incident, the attackers were able to access records across numerous tables with inconsistent schemas. The forensic investigation was able to standardize columns containing various types of sensitive information (listed below). These represent the data fields across attacker-accessed tables that were identified as potentially containing PII. The list of data elements is not exhaustive of all possible data elements in a given table, but instead represents the common PII data elements in the attacker queries.

Among the types of PII Equifax listed in these "attacker-accessed tables" were Tax ID numbers, e-mail addresses, and passport numbers. The Wall Street Journal report confirmed that the hackers did access almost all of these data elements - all of which were reported to the Senate Banking Committee. Except now Equifax is claiming that passport numbers were not compromised - despite telling the Banking Committee that they were part of the attacker-accessed tables.

"As your company continues to issue incomplete, confusing and contradictory statements and hide information from Congress and the public, it is clear that five months after the breach was publicly announced, Equifax has yet to answer this simple question in full: what was the precise extent of the breach?" wrote Senator Warren. The senator pressed Equifax to provide in-depth answers on the extent of the breach by no later than one week from today.