ELIZABETH WARREN
MASSACHUSETTS

COMMITTEES:
BANKING, HOUSING, AND URBAN AFFAIRS
HEALTH, EDUCATION, LABOR, AND PENSIONS
ARMED SERVICES
SPECIAL COMMITTEE ON AGING

United States Senate

UNITED STATES SENATE
WASHINGTON, DC 20510-2105
P: 202-224-4543

2400 JFK FEDERAL BUILDING
15 NEW SUDBURY STREET
BOSTON, MA 02203
P: 617-565-3170

1550 MAIN STREET
SUITE 406
SPRINGFIELD, MA 01103
P: 413-788-2690

www.warren.senate.gov

February 9, 2018

Paulino do Rego Barros, Jr.
Interim Chief Executive Officer
Equifax
1550 Peachtree St. NW
Atlanta, GA 30309

Dear Mr. Barros:

I am writing regarding what appears to be misleading, incomplete, or contradictory information provided by Equifax to Congress and to the public regarding the extent of the massive 2017 data breach that compromised personal identifying information (PII) belonging to over 145 million Americans. Earlier this week, I released a staff report summarizing my five-month long investigation into the causes of this breach and Equifax's response to it. This report revealed a series of failures by Equifax that resulted in the breach, and a botched response by the company in the breach's aftermath. My report also contained new information indicating that the breach may have been even more extensive than disclosed by Equifax.

A new report today in the Wall Street Journal confirms that the extent of the breach is beyond what Equifax disclosed, and raises additional questions about the breach, about Equifax's response, and about the completeness and veracity of information provided to Congress and the American public.2

Equifax stated publicly in late 2017 that hackers "accessed primarily .... names, Social Security numbers, birth dates, and, in some instances, driver's license numbers ... credit card numbers ... and certain dispute documents with personal identifying information."3 But according to the Wall Street Journal, "hackers in the Equifax, Inc.
breach accessed more of the consumers' personal information than the company disclosed publicly last year."4 Specifically, according to the Journal, hackers accessed "such data as tax identification numbers, email addresses, and drivers' license information beyond the license numbers [Equifax] originally disclosed."5 In testimony before Congress, and in documents provided to Congress and released to the public in 2017, Equifax failed to disclose any of this additional information.

2 Wall Street Journal, Equifax Hack Might be Worse Than You Think (Feb 9, 2018).
3 Mandiant, Executive Summary (2017).
4 Wall Street Journal, Equifax Hack Might be Worse Than You Think (Feb 9, 2018).
5 Wall Street Journal, Equifax Hack Might be Worse Than You Think (Feb 9, 2018).

The fact that this additional information was potentially hacked was provided to the Senate Banking Committee in early 2018 - but was not released to the public. While Equifax confirmed the release of this additional data this morning, the company continues to dissemble and downplay the significance, refusing to provide any information on the number of taxpayer identification numbers or email addresses that were hacked, and claiming that email addresses "aren't considered sensitive personal information."6 Furthermore, the company continues to offer vague and misleading statements regarding whether passport numbers were compromised in the breach.

In questions for the record to Equifax following the Banking Committee's October 4, 2017 hearing, I asked a simple question: "What was the precise extent of the breach?" You responded as follows (emphasis added):

As part of the incident, the attackers were able to access records across numerous tables with inconsistent schemas. The forensic investigation was able to standardize columns containing various types of sensitive information (listed below). These represent the data fields across attacker-accessed tables that were identified as potentially containing PII.
The list of data elements is not exhaustive of all possible data elements in a given table, but instead represents the common PII data elements in the attacker queries.7

Among the types of PII you listed in these "attacker-accessed tables" were Tax ID numbers, email addresses, and passport numbers. You appear to have confirmed to the Wall Street Journal that the hackers did access Tax ID numbers, e-mail addresses, and almost every other element reported to the Senate Banking Committee - except you are now claiming that passport numbers were not compromised - despite informing the Committee that they were part of the "attacker-accessed tables."

As your company continues to issue incomplete, confusing, and contradictory statements and hide information from Congress and the public, it is clear that five months after the breach was publicly announced, Equifax has yet to answer this simple question in full: what was the precise extent of the breach?

Congress and the public deserve answers, and I therefore ask that you provide the following information, in writing to me and the Senate Banking Committee, no later than one week from today.

6 Wall Street Journal, Equifax Hack Might be Worse Than You Think (Feb 9, 2018).

1) A full and complete list of all data elements that Equifax has confirmed were accessed by hackers in the breach, and the number of individuals affected by the breach of these individual data elements. Please include information on when Equifax confirmed that taxpayer identification numbers, email addresses, and driver's license issue dates and states were accessed by the hackers.

2) A full and complete list of all data elements that Equifax has reason to believe may have been accessed by the hackers, the potential number of individuals potentially affected, and the status of Equifax efforts to confirm if they were or were not accessed.

3) A timeline of all Equifax efforts to determine the full extent of the breach, and summaries of any internal reports or information, or reports or information provided to Equifax by Mandiant or any outside entities describing the extent of the breach.

4) The process used by Equifax to inform members of the public that taxpayer identification numbers, email addresses, and drivers' license information has been breached.

Thank you for your attention to this matter.

Sincerely,

United States Senator

Cc: Sen. Mike Crapo, Chair, Senate Banking Committee
Sen. Sherrod Brown, Ranking Member, Senate Banking Committee