House Committees Get Serious in New Letter to Equifax

The chairpersons of the House Science, Space, and Technology Committee and the House Oversight and Government Reform Committee on Monday sent a new letter (PDF) to Paulino Barros, the interim CEO of Equifax.

The former committee's jurisdiction includes the standards of use for securing personally identifiable information (PII), while the latter committee's jurisdiction covers how data breaches impact the federal workforce and national security. Both are investigating the loss of PII on 145 million Americans announced by Equifax on September 7, 2017.

This is not the first letter to Equifax by chairpersons Lamar Smith (R-Texas) and Trey Gowdy (R-S.C.). They also wrote (PDF) on September 14, 2017 requesting 'all documents' relevant to five specific areas; such as "to and from members of Equifax's corporate leadership", and "relating to the NIST Framework or other cybersecurity standards used by Equifax." That first letter specified no later than September 28, 2017. 

It would seem that Equifax has not yet, or at least not yet satisfactorily, fulfilled this first request almost eight weeks after the deadline. "We look forward to Equifax providing all documents in response to the five categories of requested materials in the September 14 request, as well as the requests that were made at subsequent Committee briefings." It adds that the Committees expect to make additional requests in the future.

In the meantime, however, it is clear the committees are beginning to get to grips with the details of both Equifax and the breach. While the first letter requested 'areas' of documents, the second letter is far more specific. For example, it asks for documentation that would allow the identification "of any and all individuals in an executive leadership role", and those who received the DHS email alert "regarding Apache Struts 2".

It then asks for organizational charts and documents able to identify staff under the CIO during a specific period, together with breach communications with any federal agency generally, and the DHS specifically. It seeks similar charts and documents to identify staff under the CSO during the breach period, and specifically, "Any communications between former CSO Susan Mauldin and any individuals that relate to Apache Struts 2 that were made from March 8, 2017 to September 30, 2017."

Further requests make it clear that the Committees aren't looking for how the breach occurred (it was the failure to patch the Struts 2 vulnerability), but to find out exactly what happened and who was responsible for each step of the Equifax response.

For example, on July 29, 2017, Equifax was aware that hackers had been accessing the PII of as many as 143 million American consumers (later amended to more than 145 million) over the prior two months. In a press statement also released Monday, the Science, Space, and Technology committee says, "Equifax reportedly first learned on July 29, 2017, hackers had... On September 7, 2017 - nearly six weeks later - Equifax notified the public of the breach."

The delay is clearly a concern -- and this is born out in the latest letter to Equifax. The committees have now specifically asked for, "The name and title of the individual who contacted the Federal Bureau of Investigation (FBI) on August 2, 2017", and "The names and titles of all individuals who were party to the conversation with the FBI during which the FBI told Equifax to refrain from discussing attribution".

It is noticeable that the letter does not indicate that the FBI said the breach should not be disclosed, only that attribution should not be discussed. On the basis of this letter and its requests, it would be a reasonable assumption that the House is concerned about the delay in public disclosure, and is determined to find out how and by whom it was delayed.

It is also worth noting that in one respect at least, Equifax has been very lucky. If this breach had happened in 2018 rather than 2017, it would have been within the remit of the EU's General Data Protection Regulation (GDPR). Equifax would have been in breach of GDPR in at least two major ways. Firstly, it had no legal right to hold the European PII that was stolen (it is currently thought that more than 690,000 UK consumers had PII taken); Equifax apparently forgot about the records. And secondly, because of the nature of the data stolen, Equifax would have been required to notify the affected people within 72 hours (not the nearly six weeks it actually took).

Add to this the slack attitude to patching the vulnerable Apache Struts 2 vulnerability, and it is likely that any European GDPR regulator would feel obliged to levy a sizable proportion of its maximum fine of up to 4%  of Equifax's annual turnover.

Original author: Kevin Townsend