September 07, 2018

Warren and Cummings Release New GAO Report on Major Failures by Equifax in Massive Cyber Breach

Members Question CFPB, FTC on Lax Enforcement Efforts; One Year Later, American Public Still Waiting for Equifax to be Held Accountable; Under Warren-Warner Bill Equifax Would Have Had to Pay $1.5 Billion in Fines for Latest Breach

 Read the GAO report here (PDF)

 Read the letter to CFPB and FTC here (PDF)

Washington, DC - Today, on the one-year anniversary of the public learning about the Equifax breach, United States Senator Elizabeth Warren (D-Mass.) and Rep. Elijah E. Cummings (D-Md.), the Ranking Member of the House Committee on Oversight and Government Reform, released a Government Accountability Office (GAO) report they requested detailing how attackers exploited significant vulnerabilities at the company to gain access to the sensitive personal information of more than 145 million Americans.

"This new GAO report describes in painful detail how Equifax failed to protect the personal information of over 145 million Americans," said Senator Warren. "One year after they publicly revealed the massive 2017 breach, Equifax and other big credit reporting agencies keep profiting off a business model that rewards their failure to protect personal information - and the Trump Administration and Republican-controlled Congress have done nothing. We must pass my Data Breach Prevention and Compensation Act to stop these kinds of breaches from happening again."

"Today's report highlights the breakdowns and failures at Equifax that led to one of the largest and most consequential data breaches in United States history. Now that we know even more about what led to the Equifax breach, it is critical that we develop serious and concrete proposals to help the American people - who repeatedly suffer the consequences of these devastating cyberattacks - and address the failures of those entrusted with securing their personal information," said Ranking Member Cummings.

The GAO report confirms both Senator Warren's findings from her investigation and Ranking Member Cummings' findings from his investigation about how Equifax failed to protect Americans' personal data.

According to GAO, "Equifax determined that several major factors had facilitated the attackers' ability to successfully gain access to its network and extract information from databases containing PII," and that "key factors that led to the breach were in the areas of identification, detection, segmentation, and data governance."

The GAO report also underscores the lack of action by the Trump Administration to address Equifax's failures. The report confirms that the Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC) are the key federal regulators responsible for oversight of Credit Ratings Agencies, and both agencies have acknowledged opening investigations after Equifax revealed the breach. But to date, neither investigation has resulted in any enforcement actions against Equifax. Senator Warren and Ranking Member Cummings sent a letter to both agencies seeking information on whether they intend to hold Equifax accountable.

Finally, GAO's report highlights the critical need for legislation to protect consumers whose data is not adequately safeguarded, like Senator Warren's and Senator Mark Warner's (D-Va.) bill to hold credit reporting agencies like Equifax liable for data breaches. Under this legislation, Equifax would have paid at least $1.5 billion in penalties for the latest data breach.

Since the Equifax breach, Senator Warren and Ranking Member Cummings have taken active measures:

  • Senator Warren unveiled the first comprehensive review of consumer complaints in the wake of the 2017 Equifax breach - finding that in the six months following the breach, the CFPB received more than 20,000 complaints from consumers about the impact of the breach, problems with Equifax's response, or other issues with the company.
  • Ranking Member Cummings led all Democrats on the Oversight Committee in requesting that Equifax extend from one year to a minimum of three years the credit protection services the company is currently offering victims of the data breach.
  • Senator Warren released a new 15-page report containing the findings of a four-month-long investigation into how Equifax failed to protect the personal data of more than 145 million Americans.
  • Ranking Member Cummings joined with Ranking Member Eddie Bernice Johnson on the House Committee on Science, along with nearly three dozen House Democrats, calling on their respective Chairmen to convene bipartisan hearings to examine the breach.
  • Senator Warren raised concerns with Senator Ben Sasse (R-Neb.) about a $7.2 million IRS contract awarded to Equifax despite the company's recent massive breach.
  • Senator Warren expanded her investigation into the Equifax breach to include information requests to the SEC, Equifax Board of Directors, and Department of Homeland Security.
  • Ranking Member Cummings pressed Oversight Committee Chairman Trey Gowdy to obtain documents from the U.S. Computer Emergency Readiness Team (US-CERT).
  • Senator Warren urged the EEOC chair nominee to prevent employers from discriminating based on credit histories following the Equifax hack.
  • Senator Warren also introduced legislation with Senator Brian Schatz (D-Hawaii) to give control of credit information back to consumers.