Two key U.S. senators Monday sought detailed information from Equifax about the cyberbreach that potentially compromised the personal information of 143 million U.S. consumers.
Sen. Orrin Hatch, R-Utah, who chairs the Senate Committee on Finance, and Sen.Ron Wyden, D-Oregon, the panel's ranking minority member, asked the credit-reporting giant for a timeline of the breach, along with details of Equifax's efforts to quantify the scope of the intrusion and limit consumer harm.
They also asked whether records related to the IRS, the Social Security Administration and the Centers for Medicare & Medicaid Services were compromised, and questioned Equifax about its cybersecurity protections and testing procedures.
"If the names, Social Security numbers, birth dates, and other information of 143 million Americans are now in the hands of cybercriminals, this breach will cause irreparable harm to programs within this Committee's jurisdiction by way of stolen identity refund fraud, healthcare fraud, and entitlement fraud," Hatch and Wyden wrote in a copy of the letter that was obtained by USA TODAY.
Stating that the information would be used to shape how the Senate committee "might respond to mitigate the damage," the letter requested an electronic response from Equifax by Sept. 28.
Equifax, one of the nation's three-largest credit-reporting companies, said: "Senators Hatch and Wyden raise many topics in their letter on behalf of the U.S. Senate Finance Committee, and we plan to be responsive in helping them to gather the information the Committee needs about this situation."
Equifax publicly disclosed the breach on Thursday, weeks after what the company said was its July 29 discovery of the intrusion and hiring of an independent cybersecurity firm to conduct an assessment and help strengthen electronic safeguards against any new attack.
As yet unidentified criminal hackers carried out the cyberattack from mid-May through July 2017, Equifax said. The breach primarily involved consumers' names, Social Security numbers, birth dates, addresses, and in some cases, driver's license numbers, the company said last week.
The information sought from Equifax by the senators included:
- A "detailed timeline of the breach," from its onset and discovery through the investigation of its scope and source. The letter also asked when the breach was made known to three senior executives who sold shares of the company's stock after Equifax detected the intrusion.
- Whether other consumer information was or may have been accessed by hackers.
- Whether Equifax, which offered a year's worth of free access to the company's identity protection service, plans to promote that paid service to consumers at the end of the free year?
- Does Equifax employ a chief information security officer, and how many full-time employees focus on information security?
- How many times in the last 24 months has Equifax used third-party cybersecurity experts to conduct penetration tests of the company's internal and external systems?
- Did the cyberbreach compromise the Equifax-maintained Work Number database, the nation's largest central repository of employer-related human resources and payroll information?
- What did the company do to tighten electronic security after a smaller breach earlier this year?
Additionally, the senators questioned Equifax about a contract clause that initially required consumers who register for the free year of credit monitoring and identity theft protection to waive the right to pursue class-action lawsuits for any damages and instead resolve disputes through arbitration.
Equifax subsequently revised that requirement. However, Hatch and Wyden asked whether consumers could opt out from the waiver when they register for the free monitoring online.
Separately, a group of 20 Democratic senators on Monday urged Equifax to end all use of forced arbitration agreements.
"Forced arbitration provisions in consumer contracts erode Americans' ability to seek justice in the courts by forcing them into a privatized system that is inherently rigged ... and which offers virtually no way to challenge a biased outcome," wrote the lawmakers, led by Sen. Catherine Cortez Masto, D-Nev. and Sen. Al Franken, D-Minn.
Follow USA TODAY reporter Kevin McCoy on Twitter: @kmccoynyc