Federal agencies reacted unevenly to Equifax breach
The federal government's central cyber incident response agency played a minor role in the wake of the Equifax breach, while agencies wondered who was in charge.
The Department of Homeland Security was largely sidelined as credit reporting agency Equifax suffered through one of the worst data breaches in American history. Meanwhile, federal agencies that rely on some of the same personal information expressed confusion about who was coordinating the government's response, according to a Government Accountability Office report made public Sept. 7.
Much of the response took place in oversight hearings, taking aim at company officials while exploring the possibility of a national breach notification law. Congress also tasked GAO with examining how certain federal agencies, like the IRS, the Social Security Administration and the U.S. Postal Office, were responding to the exposure.
GAO found that even as Equifax suffered a breach that exposed the personal data of nearly 150 million Americans, the company never contacted DHS -- the federal government's central agency for responding to cyber incidents -- for assistance.
The department did reach out to offer help, but Equifax rebuffed agency officials, telling them the company would instead use a third-party private sector consultant. DHS officials then spent their time pressing federal agencies to be aware of similar software and website security vulnerabilities in their own systems.
Meanwhile, IRS, SSA and USPS canvassed their own operations. The agencies told auditors they decided to take independent action because it was "unclear whether any single federal agency had responsibility for coordinating government actions" in response. Those efforts included cross-referencing their data with Equifax's to identify affected individuals, conducting site visits to examine the credit reporting agency's security controls, changing internal identity proofing procedures and taking steps to communicate with the public.
Those agencies also took steps to modify current and future contracts with Equifax to require more prompt breach notification. The IRS made headlines when it awarded a $7 million bridge contract for identity protection services to the company a month after it announced the exposure. IRS executives later suspended and terminated the contract under public pressure.
Equifax was on the receiving end of outrage from Congress and consumer advocacy groups because of the months-long lag between discovering the breach and notifying the public, during which time multiple executives sold off millions of dollars in stock. The company's actions have since spurred investigations by the Federal Trade Commission and the Bureau of Consumer Financial Protection.
While data privacy advocates and members of Congress have used the incident as a rallying cry to pass national breach notification laws, legislative proposals introduced in the aftermath have languished in committee as the EU and other countries have passed and implemented strict mandates on how and when companies report data breaches to the public.
Marking the one-year anniversary of the Equifax breach on LinkedIn, Sen. Mark Warner (D-Va.) -- who has proposed his own breach notification legislation -- called the U.S. response over the past year "unacceptable."
"The lack of action by the Administration and Congressional leadership to hold Equifax accountable and prevent future breaches is a pretty glaring failure," said Warner. "Consumers deserve better."