Update: After this story published, Equifax provided a statement, which is included below.
Key lawmakers on Monday demanded a detailed accounting of the security systems of Equifax, a leading credit-rating agency, following a hack that gave criminals access to sensitive information of up to 143 million American consumers in one of the most troubling corporate computer breaches ever disclosed.
A sternly worded letter from the top Republican and Democrat on the Senate Finance Committee included a list of 13 questions intended to illuminate the murky circumstances surrounding the breach, including what data was exposed, how the hack was detected and whether the company has systems adequate for detecting and thwarting such intrusions.
“The scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers,” said the letter, signed by Sens. Orrin G. Hatch (R-Utah), chairman of the Finance Committee, and Ron Wyden (Ore.), its ranking Democrat.
It also called Equifax a “critical partner” with the federal government in the administration of the IRS, Social Security, Medicare and Medicaid, raising the prospect of “irreparable harm” to such programs by helping criminals use false identities to seek government benefits and tax refunds.
Monday’s letter reflected rising bipartisan concern in Washington as Equifax, an Atlanta-based credit-rating agency that collects personal and financial data on 820 million consumers worldwide, struggles to manage the aftermath of a breach that has clouded the company’s future.
Hatch is among the first top Republicans to speak out on the Equifax hack. In response, the company said on Tuesday: “These are very complicated issues, and we expect to be engaging with regulators and legislators in the future. Senators Hatch and Wyden raise many topics in their letter on behalf of the U.S. Senate Finance Committee, and we plan to be responsive in helping them to gather the information the Committee needs about this situation.”
Chief executive Richard F. Smith apologized for the breach in a statement on Thursday but has offered scant information to the public about the incident other than to say that it was being investigated by law enforcement and a private cybersecurity company.
Also Monday, White House spokeswoman Sarah Huckabee Sanders signaled concern within the Trump administration as well. When asked if the Equifax breach suggests the need for new regulation of how companies handle the personal information of consumers, Sanders said, “I think that’s something we have to look into extensively.”
The company revealed the hack Thursday — six weeks after first detecting it — and has not responded to repeated requests from The Washington Post to explain the delay. The stock price of Equifax has fallen by more than 20 percent since it announced the hack.
Democrats, including Wyden, were vocal in the first 24 hours after the hack was revealed, demanding probes and raising the prospect of legislating better protection of personal data and requirements for companies to quickly and clearly report breaches to the public. Companies often wait weeks or months to report incidents to the people affected.
Equifax has said that its “core consumer or commercial credit reporting databases” did not appear to be breached by the hackers. But it said they did gain access to Social Security numbers, home addresses, birth dates, credit cards and driver’s licenses — all ingredients that can help identity thieves impersonate others for the purpose of taking out loans, opening bank accounts, or applying for jobs or government benefits.
Since the announcement of the breach, several committees have now announced plans to investigate the hack and related issues. Consumer groups, meanwhile, have blasted Equifax for taking six weeks to alert the public of the breach and for the company’s fumbling efforts to help consumers through an overloaded helpline and a website that has had security issues of its own.
The letter from Hatch and Wyden asks Equifax to explain the size and reporting structure of its security team, whether it routinely seeks the assistance of outside experts to test vulnerabilities and whether the company has an established system for receiving and evaluating reports about systemic vulnerabilities.
The senators also asked Equifax to explain when it reported the breach to board members and senior executives. That includes three — Chief Financial Officer John W. Gamble Jr.; Joseph M. Loughran III, the president of U.S. information solutions; and Rodolfo O. Ploder, the president of workforce solutions — who sold large amounts of their shares of Equifax stock totaling nearly $1.8 million in the days after the breach was discovered July 29.
An Equifax spokeswoman told The Post last week that the executives “had no knowledge that an intrusion had occurred at the time they sold their shares.”
Damian Paletta contributed to this report.