Lawmakers in the U.S. Senate and House of Representatives blasted credit reporting firms in the wake of the Equifax hack revealed last week, scheduling hearings and calling for an overhaul of the sector and its cybersecurity requirements.
Credit reporting agency Equifax suffered a cybersecurity breach in May that persisted until its discovery in July. By then, hackers stole Social Security numbers, birth dates, and home addresses for 143 million Americans — almost half the U.S. population — and other sensitive data belonging to British and Canadian nationals.
An unknown number of driver’s license numbers, 209,000 credit card numbers, and 182,000 credit dispute documents were also taken, and a group claiming to be the hackers threaten to release the stolen data online unless they receive $2.6 million in ransom this week. Equifax neglected to alert the public to the hack until Thursday.
Virginia Democratic Sen. Mark Warner, co-founder of the Senate Cybersecurity Caucus, said Equifax’s response was slow and criticized the company for being “very, very sloppy” and “not on guard” with regard to cybersecurity.
“This Equifax breach/hack is at least a category four, if not category five, cyber hack,” Warner told CNBC Friday.
Warner, also a member of the Senate Intelligence Committee, said Equifax’s security was on the “low end” and that even a recovery website Equifax set up to interface with victims has known security vulnerabilities. According to the senator, the breach highlights the need for legislation codifying national standards for cybersecurity of sensitive consumer information and incident reporting.
The Virginia Democrat has been trying to get a national data breach standard in place for the last three years. His ideal bill would elevate minimum standards for security protocols and treatment of sensitive consumer data, transparency, and breach notification.
“Often times you might have an entity, versus the telcos, versus the financial institutions, all, in effect, pointing at each other about who’s responsible for reporting, who’s responsible for notifying consumers,” Warner said. “And you’ve got really a total quilt work, with 49 different state laws all conflicting with each other. A national standard would bring about at least some better transparency.”
Equifax is offering victims one year of free credit monitoring, but Democratic Sen. Elizabeth Warren of Massachusetts noted a clause buried within the terms of service forcing those who accept the service to forfeit any ability to sue the company for the breach.
“That’s right: Equifax fails to protect your data and then they demand you give up legal rights if you want to limit the damage they caused,” Warren tweeted. The company has since rescinded the requirement.
Commonly known as forced arbitration clauses, Warren is using the Equifax case to defend a Consumer Financial Protection Bureau rule barring such clauses Republicans are working to repeal.
“Equifax proves why we must protect your right to join class actions,” Warren tweeted.
Those efforts are tame compared to California Democratic Rep. Maxine Waters’ call to overhaul the U.S.’s entire credit reporting system.
“Given the important role credit scores play in the lives and financial futures of hardworking Americans, Congress must diligently examine the way our credit reporting agencies are operating and impose additional statutory and regulatory reforms to protect the integrity of the country’s credit reporting system,” Waters said in a statement Friday.
Waters is the ranking member on the House Financial Services Committee, which has signaled it will hold a hearing on the breach sometime this fall. The House Energy and Commerce and Judiciary Committees are planning hearings of their own to examine the technology and legal implications of the hack.
“This hack into sensitive information compiled and maintained by Equifax is one of the largest data breaches in our nation’s history and someone has to be held accountable,” Waters said.
The congresswoman plans to “reintroduce legislation that will enhance consumer protection tools available to minimize harm caused by identity theft,” and called on Equifax to “at the very least offer free credit freezes to all of those affected by this deeply troubling incident.”
Democrats aren’t the only ones expressing concern. Texas Republican Mike McCaul, chairman of the House Homeland Security Committee, said such hacks are only growing in scale and frequency.
“This latest breach, this hack, is very alarming to me,” McCaul, who frequently works with Warner on cyber issues, told Bloomberg. “We’re in the investigation phase right now, but we’re taking it very seriously.