Two House panels investigating the Equifax Inc. data breach are zeroing in on “technical and process” failures that led to the loss of personally identifiable information, including Social Security numbers, belonging to more than 145 million Americans, according to recently released documents.
In a letter dated November 20 to Paulino do Rego Barros, interim CEO of Equifax, Trey Gowdy, R-S.C., chairman of the House Oversight and Government Reform Committee, and Lamar Smith, R-Texas, chairman of the House Science, Space, and Technology Committee, requested that Equifax’s Office of the CIO turn over “documents sufficient” to identify the names and titles of all individuals who worked in the CIO’s office between March and the present date.
They also demanded “all organizational charts” or documents sufficient to reflect the roles and responsibilities of all employees in the office of the CIO during the same period.
The bipartisan letter was co-signed by Elijah Cummings, D-Md., ranking member of the House Oversight and Government Reform Committee, and Eddie Bernice Johnson, D-Texas, ranking member of the Science Committee.
The letter also demanded that the CIO’s office provide any communications between Equifax and any federal agency, as well as any Homeland Security Department “reports and recommendations” to Equifax concerning the data breach. It also asked for documents identifying any prior data breaches on Equifax’s network from January 2014 up to the time it discovered the latest breach, reportedly on July 29. Equifax didn’t notify the public of the breach until September 7, more than five weeks later.
The panel chairmen also asked Equifax to provide the names and titles of staffers who worked in the Office of the Chief Security Officer (CSO), documents describing the roles and responsibilities of CSO employees, and any communications sent or received by former CSO Susan Mauldin between March and September 2017 relating to Apache Struts 2, the software whose vulnerability the attackers exploited in the breach.
In September Equifax said that CIO David Webb, who joined the company in 2010, and CSO Mauldin, who had served as CSO since 2013, had both retired.
The letter also asked for the name and title of the individual who failed to forward a March 8 alert, sent by the U.S. Computer Emergency Readiness Team (US-CERT) to Equifax and many other companies, about the need to patch a vulnerability in Apache Struts 2, a web application framework that Equifax uses in its online dispute portal, a website where consumers can dispute items on their credit reports.
According to earlier testimony before the House Subcommittee on Digital Commerce and Consumer Protection by Richard Smith, former Equifax chief executive officer, the US-CERT notification was circulated “internally by email” on March 9, along with a request that IT personnel identify and patch the Apache Struts 2 vulnerability. But the IT team failed to patch the flaw because of a “communications breakdown.” Moreover, according to Smith, a scan of the company’s network by Equifax’s information security team failed to identify any systems that were vulnerable to the Apache Struts 2 flaw.
In their letter, Gowdy and Smith requested the names and titles of any individuals on the distribution list for cyber-threat and other critical email alerts, “specifically those individuals” who received the March 9 internal distribution of US-CERT’s alert.
Other documents Gowdy and Lamar Smith requested in the letter included the names and titles of the individuals who made up the incident response team, including contractors. The letter demanded that Equifax provide all the requested information by Dec. 6.