June 14, 2019

Senators Warren, Wyden, and Chairman Cummings Release Watchdog Report Finding 2017 Equifax Breach Increased Risk of Fraud Against Citizens Using Government Services

GAO Report Finds that VA, CMS, Social Security, USPS Use Outdated Methods to Protect Privacy

Agencies Failed to Make Changes after Equifax Breach; Letters to Agency Heads Demand Quick Action to Protect Citizens From Fraud

Warren and Cummings' Legislation Would Increase Penalties for Companies that Allow Data Breaches

Full Report (PDF) | Letters to Agencies (PDF)

Washington, DC - United States Senators Elizabeth Warren (D-Mass.), member of the Senate Banking Committee, Ron Wyden (D-Ore.), Ranking Member of the Senate Finance Committee, and Chairman of the House Committee on Oversight and Reform Elijah Cummings (D-Md.) released a new Government Accountability Office (GAO) report identifying significant gaps in the federal government's treatment of citizens' personally identifiable information, and revealing that "data stolen in recent breaches, such as the 2017 Equifax breach, could be used fraudulently" by individuals seeking to commit identity fraud against citizens who use the online services provided by key federal government agencies.

Specifically, the report, Data Protection: Federal Agencies Need to Strengthen Online Identity Verification Processes, found that the Department of Veterans Affairs (VA), the Centers for Medicare and Medicaid Services (CMS), the Social Security Administration (SSA), and the U.S. Postal Service (USPS) continue to rely on an outdated identity verification method known as "knowledge-based verification." The process relies on questions generated by credit ratings agencies like Equifax, and typically asks individuals looking to access their online portals "questions derived from information found in their credit files, with the assumption that only the true owner of the identity would know the answers."
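The weakness the report describes is structural: a knowledge-based verification check compares a user's answers against the very credit-file fields that a bureau breach exposes, so anyone holding the stolen record passes as readily as the true owner. The following toy model, added here for illustration and not taken from the GAO report or any agency's system, makes that concrete. The credit-file record, the decoy answers, and the list of "exposed" fields are all constructed for the example; the function and field names are this example's own.

```python
"""Toy model of knowledge-based verification (KBV) and why breached credit data defeats it.

Added illustration only: not code from GAO, Equifax, or any federal agency.
Every record, decoy, and field name below is constructed for the example.
"""
import random

# Constructed credit-file record of the kind a credit bureau would hold and
# that a KBV quiz draws its questions from.
CREDIT_FILE = {
    "previous_street": "Maple Ave",
    "auto_lender": "Example Auto Finance",
    "mortgage_payment_band": "$1,000-$1,249",
    "card_opened_year": "2015",
}

# Constructed: wrong answers the quiz mixes in with the true one.
DECOYS = {
    "previous_street": ["Oak St", "Pine Rd", "Elm Blvd"],
    "auto_lender": ["Sample Motors Credit", "Placeholder Bank", "Demo Leasing"],
    "mortgage_payment_band": ["$500-$749", "$750-$999", "$1,250-$1,499"],
    "card_opened_year": ["2011", "2013", "2017"],
}

# Constructed: fields assumed to have been disclosed in a hypothetical breach.
EXPOSED_FIELDS = {"previous_street", "auto_lender", "mortgage_payment_band", "card_opened_year"}


def generate_quiz(credit_file=CREDIT_FILE, seed=0):
    """Build a multiple-choice quiz: one question per credit-file field, true answer shuffled among decoys."""
    rng = random.Random(seed)
    quiz = []
    for fld, answer in credit_file.items():
        options = DECOYS[fld] + [answer]
        rng.shuffle(options)
        quiz.append((fld, options))
    return quiz


def verify(quiz, responses, credit_file=CREDIT_FILE):
    """The whole KBV check: every response must equal the credit-file value for that field."""
    return all(responses.get(fld) == credit_file[fld] for fld, _ in quiz)


def answer_from_knowledge(quiz, known, seed=0):
    """Answer each question from whatever record the respondent holds; guess at random otherwise.

    `known` is the same for the legitimate owner and for someone holding a copy of
    the breached record, which is exactly the problem with KBV.
    """
    rng = random.Random(seed)
    return {fld: (known[fld] if fld in known else rng.choice(options)) for fld, options in quiz}


def kbv_still_provides_assurance(quiz, exposed_fields):
    """Defender-side check: KBV adds assurance only if some question source field is not known to be exposed."""
    return any(fld not in exposed_fields for fld, _ in quiz)


def random_guess_pass_probability(quiz):
    """Chance that a respondent with no knowledge at all passes by guessing every question."""
    p = 1.0
    for _, options in quiz:
        p *= 1.0 / len(options)
    return p


if __name__ == "__main__":
    quiz = generate_quiz()
    owner = answer_from_knowledge(quiz, CREDIT_FILE)
    breached_copy = answer_from_knowledge(quiz, dict(CREDIT_FILE))
    print("owner passes:", verify(quiz, owner))
    print("holder of breached record passes:", verify(quiz, breached_copy))
    print("guess-only pass probability:", random_guess_pass_probability(quiz))
    print("KBV still provides assurance:", kbv_still_provides_assurance(quiz, EXPOSED_FIELDS))
```

The point of `kbv_still_provides_assurance` is the check an agency would want to run before relying on KBV at all: once every field the quiz draws on is known to have been exposed, the quiz is a test of data possession rather than of identity, and the decoys only keep out respondents who guess blindly.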

The GAO reviewed six agencies' identity-proofing practices, and found that the Internal Revenue Service and General Services Administration had improved their practices and no longer used knowledge-based verification. But the VA, SSA, CMS, and USPS all continue to do so, and GAO reported that "until these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud."

The GAO made three recommendations: (1) that CMS, USPS, VA, and SSA improve their identity-proofing practices; (2) that the National Institute of Standards and Technology improve its guidance to agencies; and (3) that the Office of Management and Budget issue guidance requiring agencies to report on their progress in adopting improved identity-proofing methods.

In a series of letters, Senators Warren, Wyden, and Chairman Cummings wrote to the heads of these agencies asking them a set of questions about why they had not yet made necessary improvements and when and how they intend to do so.

"It is troubling that almost two years after the massive 2017 Equifax data breach federal government agencies continue to use outdated identity-proofing methods that put citizens at increased risk of identity theft. We need to do more to prevent these kinds of breaches, and the government needs to be better and smarter about protecting citizens," concluded the lawmakers.

Since the Equifax breach, Senator Warren has taken active oversight measures to address problems at credit reporting agencies (CRAs), improve federal oversight of CRAs, and better protect consumers:

  • In May 2019, Senator Warren and Chairman Cummings reintroduced the bicameral Data Breach Prevention and Compensation Act with Senator Mark Warner (D-Va.) and Raja Krishnamoorthi (D-Ill.) to hold large CRAs accountable for data breaches involving consumer data.
  • In early 2018, Senator Warren unveiled a 15-page report containing the findings of a four-month long investigation into how Equifax failed to protect the personal data of more than 145 million Americans and released the first comprehensive review of consumer complaints in the wake of the breach, revealing that the CFPB received more than 20,000 consumer complaints following the Equifax breach.
  • She and Chairman Cummings released two additional GAO reports, prepared at their request, detailing how attackers exploited significant vulnerabilities at Equifax to gain access to the sensitive personal information of more than 145 million Americans and recommending stronger consumer protection efforts to prevent another Equifax disaster. The GAO's recommendations were incorporated into the lawmakers' 2019 bill.