Equifax yet to answer important questions about hack
Lack of answers about breach at credit agency raises experts’ concerns
As pressure builds on Equifax to explain how criminals hacked into a massive trove of data on 143 million Americans, the list of unanswered questions is long. But most boil down to three big ones:
No. 1: What measures did Equifax take to protect personal information?
No. 2: What measures should Equifax have taken to protect personal information?
No. 3: What’s the gap between the answers to Questions 1 and 2?
The credit-rating agency has been so stinting about information on its hack — even after keeping the episode secret from the public for six unexplained weeks after detecting the intrusion — that there’s no way yet to evaluate 1, 2 or especially 3.
But notably absent from the public statements by Equifax have been key terms such as “encryption” or “system monitoring” or “penetration testing.” All are staples of modern online security widely adopted across corporate America and especially within the financial services industry, given the high degree of sensitivity about the information it keeps on us all.
Equifax has not responded to repeated Washington Post requests about the nature of its security measures and whether any of its data was kept in encrypted form. The scant information that has trickled out has outside security experts concerned about the scale of the hack and the sensitivity of the data exposed, including Social Security numbers, birth dates, home addresses, driver’s license information — a virtual starter kit for identity theft.
A breach of “143 million records either suggests a very patient, sophisticated hacker or an incredibly weak security system,” said Matthew Green, a Johns Hopkins University cryptographer and security expert.
The uncommonly stern and detailed letter sent Monday by Sens. Orrin G. Hatch (R-Utah) and Ron Wyden (D-Ore.) — the chairman of the Senate Finance Committee and its ranking Democrat — drove at exactly those issues, warning about the hack’s potential to create massive costs to consumers targeted by identity thieves and “irreparable harm” to government programs that might be inundated with fraudulent requests for refunds or benefits.
“Encrypting this data is obviously an essential first step, but it’s not a silver bullet,” Wyden said in a statement to The Post. “Companies that hold Americans’ most sensitive personal data have to make security the top priority at every single stage. That means having the staff and resources to protect our personal information, and regularly conducting security audits, patching software and quickly fixing flaws discovered by outside experts.”
The White House appears to be on a similar track. President Trump’s homeland security and counterterrorism adviser, Thomas Bossert, summoned the chief executives of the nation’s two other leading credit agencies, Experian and TransUnion, on Monday to discuss whether their systems are hardened against an attack similar to the one that struck Equifax, according to people familiar with the meeting who spoke on the condition of anonymity to discuss the private talks. (Neither company replied to requests for comment from The Post on Tuesday.)
There also are committee hearings and investigations brewing on Capitol Hill, as well as several class-action suits filed on behalf of the hack’s victims. Taken together, the political and legal action related to this breach has clouded the future of Equifax, an Atlanta-based company that collects and analyzes the data of 820 million consumers and 91 million businesses in 24 countries.
The company has seen its stock fall about 20 percent since announcing the breach on Thursday. It discovered the intrusion, which the company believes started in May, on July 29 — a delay that also has upset some lawmakers who have long pushed for more prompt and fulsome reporting about hacks.
“These are very complicated issues, and we expect to be engaging with regulators and legislators in the future,” Equifax said in a statement provided Tuesday. “Senators Hatch and Wyden raise many topics in their letter on behalf of the U.S. Senate Finance Committee, and we plan to be responsive in helping them to gather the information the Committee needs about this situation.”
The massive breach by the Chinese government of the Office of Personnel Management databases should have served as a wakeup call about the security risks of sensitive personal information, said Anthony J. Ferrante, head of cybersecurity and senior managing director for FTI Consulting and a former White House cybersecurity official in the Obama and Trump administrations.
“The OPM breach should have taught us a very valuable lesson — that if entities are going to store this type of sensitive personal data, they have to take the necessary steps to protect it,” Ferrante said.