GREG WALDEN, OREGON, CHAIRMAN
FRANK PALLONE, JR., NEW JERSEY, RANKING MEMBER

ONE HUNDRED FIFTEENTH CONGRESS

Congress of the United States
House of Representatives
COMMITTEE ON ENERGY AND COMMERCE
2125 RAYBURN HOUSE OFFICE BUILDING
WASHINGTON, DC 20515-6115
Majority (202) 225-2927
Minority (202) 225-3641

September 12, 2017

Richard F. Smith
Chairman and CEO, Equifax Inc.
1550 Peachtree Street NE
Atlanta, GA 30309

Dear Mr. Smith:

Equifax announced on Thursday, September 7, 2017, that hackers had compromised the sensitive personal data, including Social Security Numbers, birth dates, names, addresses and other information, of "approximately 143 million US consumers."[1] This announcement came more than a month after the company discovered the data breach on July 29, 2017, and nearly four months after the unauthorized access first occurred.[2]

Equifax's public announcement of the breach directed consumers to the website equifaxsecurity2017.com. Almost immediately, reports surfaced of a number of problems with the website.[3] Some browsers were flagging the website as a phishing scam.[4] Consumers reported that to find out if their information was compromised, the website requested two-thirds of people's Social Security numbers in combination with their last names.[5] And even after providing that information, the status of their personal information is unclear or misleading.[6] People who checked the website on both their mobile device and a computer received different results.[7] And false information entered into the fields provides the same result as real information.[8]

We are writing with serious concerns about the immense scale of this data breach, and we have a number of questions about whether Equifax took appropriate steps to safeguard the personal information of consumers. We also have concerns about the amount of time it took for Equifax to notify the public of the breach and about the way Equifax is providing information to consumers.

In order to access credit, and to participate in the modern economy, American consumers have virtually no choice but to entrust their sensitive personal information to the three main credit bureaus, including your company. Consumers cannot avoid sharing their personal information with your company by simply choosing to transact business elsewhere, and many consumers may be unaware that your company actually has their personal information. It is critical for companies like yours to protect consumer data, and to inform consumers when those protections fail.

We seek answers to the following questions about what actions the company is taking to make consumers whole, how the breach occurred, and what the company is doing to safeguard against security breaches in the future:

1. Equifax's press release stated that criminals exploited a "website application vulnerability to gain access to certain files."[9] What was the specific vulnerability that was exploited? What is Equifax doing to identify other weaknesses in its data security program? Does the company conduct regular security audits? If so, how often? Please explain in detail the process for any such security audits.

2. What security controls were in place that failed to protect sensitive consumer information? How recently were these security controls audited? How were the criminals able to conduct the exfiltration of consumer data by exploiting the website vulnerability?

3. Why were the Equifax network operations and security staff unaware that volumes of data involving 143 million U.S. consumers had been exfiltrated from the Equifax network for so long? Does Equifax regularly monitor for intrusions into its network? Was it conducting regular monitoring during the time of the breach?

4. This breach is the third that Equifax has experienced in two years.[10] What changes to its data security plans and procedures did Equifax make following each of the two previous data breaches? What operational and technical measures is Equifax implementing after the event to improve the protection of consumer information residing on its network?

5. Equifax's press release notes that the "information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers," but that for some consumers, credit card numbers and "certain dispute documents with personal identifying information were accessed."[11] What specific dispute documents were accessed in this breach? What other personal identifying information was compromised?

6. Why did it take Equifax more than a month to announce this massive data breach? What specific actions did Equifax take in this time to protect consumer information and mitigate potential harms to consumers resulting from the breach?

7. What is Equifax doing to notify individual consumers whose information was compromised in the data breach? According to Equifax's press release, the company will directly notify consumers "whose credit card numbers or dispute documents with personal identifying information were impacted."[12] Does this mean that Equifax will directly notify only a portion of the 143 million consumers whose personal information was compromised?

8. What federal and state officials has Equifax notified of the data breach? When did Equifax notify these officials?

9. It is our understanding that consumers in the United Kingdom and Canada were also affected by this breach. When and how were those consumers and government officials notified?

10. Bloomberg has reported that three senior executives of Equifax "sold shares worth almost $1.8 million" on August 1, 2017, just days after the company discovered the breach on July 29, 2017.[13] What measures is the company taking to investigate the sale of stock in the aftermath of the company's discovery of the data breach, including whether these or other executives sought to delay the announcement of the data breach? What date did these officials find out that there was a breach?

11. What procedures does Equifax have in place for notifying senior officers within the company in the event of a data breach? Did Equifax comply with those procedures in this case? Are senior officials notified of every unauthorized access or unauthorized acquisition of company or consumer information? At what point are they notified?

12. Equifax provides credit monitoring services to companies whose customers have been affected by data breaches. In this case, the very company whose data was breached is itself providing its own customers with credit monitoring services. Equifax's press release states that the company will provide affected consumers with credit monitoring services and identity theft protection "complimentary to U.S. consumers for one year."[14]

   a. What analysis did the company do to determine that one year of complimentary credit monitoring services and identity theft protection (provided by Equifax itself) would be adequate to make consumers whole? How does this service differ from the Equifax product known as Equifax ID Patrol and other services sold as part of Equifax's regular business?

   b. How much money per year would an affected consumer who received this free service pay Equifax to extend the "complimentary" services beyond one year?

   c. Has Equifax estimated how much money it would make per year if every one of the 143 million consumers affected by Equifax's data breach signed up for Equifax's credit monitoring service and identity theft protection? In short, how much money would Equifax make after one year on credit monitoring services that would be unnecessary but for Equifax's failure to safeguard consumer data?

13. To sign up for TrustedID Premier, Equifax's credit monitoring service and identity theft protection offered to consumers in connection with this breach, a consumer must agree to the TrustedID Premier terms of use, which initially included an arbitration clause, language that New York Attorney General Eric Schneiderman called "unacceptable and unenforceable."[15] How did Equifax arrive at the decision to include an arbitration clause in its product's terms of use? After first attempting to clarify that "the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident," Equifax ultimately removed the arbitration language from its TrustedID Premier terms of use.[16] However, the arbitration clause in Equifax's general terms of use on its website remains.[17] Will Equifax attempt to enforce this or any other arbitration clause against consumers who choose to use the Premier service or consumers affected by the data breach, including those affected consumers who had previously purchased or subscribed to an Equifax product?

14. What measures, other than offering credit monitoring services and identity theft protection, is Equifax taking to mitigate harm to consumers?

15. Will Equifax waive fees associated with consumers freezing their credit with Equifax? Will Equifax pay for consumers affected by the breach to freeze their credit with the other credit bureaus?

16. Finally, at the request of members of the Energy and Commerce Committee, the Government Accountability Office is evaluating the effectiveness of credit monitoring and other services in protecting consumers after a data breach.[18] What analysis has Equifax done to determine whether its monitoring services and identity theft protection, both offered for free in the wake of this breach or sold as a regular product, are effective in preventing identity theft or otherwise protecting consumers after a data breach?

Your company profits from collecting highly sensitive personal information from American consumers; it should take seriously its responsibility to keep data safe and to inform consumers when its protections fail. Your assistance in this matter is greatly appreciated, and we look forward to receiving a response by September 22, 2017. Answers to these questions will also help us prepare for a Committee hearing on this issue that is planned for either later this month or in October.

If you have any questions, please contact the Democratic Committee staff of the House Energy and Commerce Committee at (202) 225-3641.

Frank Pallone, Jr.
Ranking Member

Anna G. Eshoo
Member of Congress

Gene Green
Ranking Member
Subcommittee on Health

Mike Doyle
Ranking Member
Subcommittee on Communications and Technology

[name illegible]
Member of Congress

Bobby L. Rush
Ranking Member
Subcommittee on Energy

Eliot L. Engel
Member of Congress

Diana DeGette
Ranking Member
Subcommittee on Oversight and Investigations

[name and title illegible]
Subcommittee on Digital Commerce and Consumer Protection

Doris O. Matsui
Member of Congress

Kathy Castor
Vice Ranking Member
Committee on Energy and Commerce

John Sarbanes
Member of Congress

Jerry McNerney
Member of Congress

Peter Welch
Member of Congress

Ben Ray Luján
Member of Congress

Paul D. Tonko
Ranking Member
Subcommittee on Environment

Yvette D. Clarke
Member of Congress

Dave Loebsack
Member of Congress

Kurt Schrader
Member of Congress

Joseph P. Kennedy
Member of Congress

Tony Cardenas
Member of Congress

Scott H. Peters
Member of Congress

Raul Ruiz
Member of Congress

Debbie Dingell
Member of Congress

[1] Equifax, Equifax Announces Cybersecurity Incident Involving Consumer Information (Sept. 7, 2017) (press release).
[2] Id.
[3] Equifax Breach Response Turns Dumpster Fire, Krebs on Security (Sept. 8, 2017) (krebsonsecurity.com/2017/...).
[4] Id.
[5] Id.
[6] Id.
[7] Id.
[8] Id.
[9] Id.
[10] How to Find Out If You're Affected by the Massive Equifax Cyberattack, BGR (Sept. 8, 2017) (bgr.com/...).
[11] See note 1.
[12] Id.
[13] Three Equifax Managers Sold Stock Before Cyber Hack Revealed, Bloomberg (Sept. 7, 2017).
[14] See note 1.
[15] Equifax, TrustedID Premier Terms of Use (Sept. 6, 2017); By Signing Up On Equifax's Help Site, You Risk Giving Up Your Legal Rights, Washington Post (Sept. 8, 2017) (.../switch/wp/2017/09/08/...).
[16] Consumer Backlash Spurs Equifax to Drop 'Ripoff Clause' In Offer to Security Hack Victims, Forbes (Sept. 9, 2017).
[17] Equifax, Equifax Terms of Use (May 2, 2015).
[18] House Committee on Energy and Commerce, Dem Leaders Ask GAO to Evaluate Effectiveness of Post-Breach Services in Protecting Consumer Data (Aug. 30, 2017) (press release).