Greg Walden, Oregon, Chairman
Frank Pallone, Jr., New Jersey, Ranking Member

One Hundred Fifteenth Congress
Congress of the United States
House of Representatives
Committee on Energy and Commerce
2125 Rayburn House Office Building
Washington, DC 20515-6115
Majority (202) 225-2927
Minority (202) 225-3641

November 17, 2017

Mr. Paulino do Rego Barros, Jr.
Interim Chief Executive Officer
Equifax Inc.
1550 Peachtree Street NW
Atlanta, GA 30309

Mr. Mark L. Feidler, JD
Non-Executive Chairman
Equifax Inc.
1550 Peachtree Street NW
Atlanta, GA 30309

Dear Messrs. Barros and Feidler:

We are continuing to investigate the Equifax data breach that resulted in the theft of personal information for nearly 145.5 million American consumers. We have additional questions for Equifax as follow-up to the testimony provided by former CEO Richard Smith when he testified before the Subcommittee on Digital Commerce and Consumer Protection on October 3, 2017. Because Mr. Smith can no longer speak for Equifax's plans going forward, and due to subsequent revelations that have come to our attention, we have additional questions about the data breach, the post-breach response, and consumer protection remediation offered by Equifax.

We have questions about Equifax's October 2, 2017 disclosure that approximately 2.5 million additional U.S. consumers were potentially impacted, for a total of 145.5 million. On October 13, 2017, over a month after the company's initial disclosure, security researchers reported a security vulnerability caused visitors to Equifax Inc.'s website to encounter malicious software due to the website's use of a discontinued web analytic plug-in called Fireclick. The continued issues consumers face when engaging with Equifax raise more questions.

Our intention is to continue to get answers for the 145.5 million Americans who have had their personal information compromised. Accordingly, we request written responses and, where appropriate, responsive documents to the following no later than December 4, 2017:

1. All correspondence, including emails, notes, letters, telephonic messages, text messages, and/or any other written documentation between Susan Mauldin and Richard Smith from March 1, 2017 to September 15, 2017 referring or relating to the software vulnerability identified as CVE-2017-5638.

2. All correspondence, including emails, notes, letters, telephonic messages, text messages, and/or any other written documentation between David Webb and Richard Smith from March 1, 2017 to September 15, 2017 referring or relating to the software vulnerability identified as CVE-2017-5638.

3. All correspondence, including emails, notes, letters, telephonic messages, text messages, and/or any other written documentation between David Webb and Susan Mauldin from March 1, 2017 to September 15, 2017 referring or relating to the software vulnerability identified as CVE-2017-5638.

4. All correspondence, including emails, notes, letters, telephonic messages, text messages, and/or any other written documentation between Susan Mauldin and John J. Kelley from March 1, 2017 to September 15, 2017 referring or relating to the software vulnerability identified as CVE-2017-5638.

5. All correspondence, including emails, notes, letters, telephonic messages, text messages, and/or any other written documentation to or from John J. Kelley from March 1, 2017 to September 15, 2017 referring or relating to the software vulnerability identified as CVE-2017-5638.

6. All documentation prepared by Mandiant relating to the March 2017 breach and post-breach investigation presented to Equifax.

Unauthorized Access to Personal Information

7. Why was individuals' information, including driver's license, credit card, and credit dispute information, accessible via a consumer-facing dispute portal web page on Equifax.com? Please describe in detail how data and information of consumers that had never submitted a dispute was accessed via the dispute portal web page on Equifax.com.

8. What specific databases and data tables were accessed in the breach that was publicly announced on September 7, 2017?

9. Please list all other kinds of personal information that can be accessed via the dispute portal web page on Equifax.com or other consumer-facing applications/websites.

10. Were any PINs assigned to consumers necessary to lift a credit freeze compromised in the breach?

11. When Equifax announced on October 2, 2017 that an additional 2.5 million U.S. consumers had partial personal information breached, the company indicated the additional population was confirmed during Mandiant's completion of the investigation process. Does Equifax anticipate any new or additional evidence of U.S. consumers affected going forward?

12. In Equifax's October 2 announcement, the company indicated that "[to] minimize confusion, Equifax will mail written notices to all of the additional potentially impacted U.S. consumers identified since the Sept. 7 announcement."
   a. Please explain the change in company protocol regarding mail notification given the initial 143 million consumers did not receive mailed notices.
   b. Will Equifax now mail written notices to all U.S. consumers potentially affected by the breach?

13. In Equifax's October 2 announcement, the company also indicated that "[t]he feature on the website that U.S. consumers may use to determine whether they may have been impacted will be updated to reflect the additional potentially impacted U.S. consumers discussed in this release by no later than October [...]." On what date was the EquifaxSecurity2017.com website updated to reflect the additional population of consumers impacted?

Post-Breach Response

14. What steps has Equifax taken since July 29, 2017 to expedite its discovery of unauthorized access or acquisition or leaks of consumer or commercial data? What specific changes were made to the company's protocols on data security?

15. What steps has Equifax taken to notify consumers that their personal information was stolen in the breach announced on September 7, 2017?

16. What specific changes were made to the company's protocols on data breach notification after September 7, 2017? Is Equifax directly contacting, through mail, email, or other means, any consumers whose personal information was compromised in that breach?

17. In his testimony, Mr. Richard Smith stated: "at my direction, a well known independent expert consulting firm, in addition to and different from Mandiant, has been retained to perform a top to bottom assessment of the company's information security systems." Please identify the name of the firm and provide a current point of contact, with contact information, for the firm. According to a September 29, 2017 Bloomberg Businessweek investigation, reportedly "Mandiant warned Equifax that its unpatched systems and misconfigured security policies could indicate major problems, a person familiar with the perspectives of both sides said."
   a. What first warnings did Mandiant convey to Equifax management at any point in 2017, and did company officials agree or disagree with the Mandiant assessment?
   b. If Equifax disagreed with Mandiant on the security assessment, did that disagreement affect the amount of time it took to address the breach and to initiate the breach notification and offer of the TrustedID Premier services to consumers? Please explain.
   c. What impact did the disagreement have on engaging the well-known independent expert consulting firm noted in Mr. Richard Smith's written testimony?

18. Did Equifax, or any third party hired by Equifax, after two earlier data breaches in 2016 and 2017, conduct a root cause analysis and develop or obtain a set of recommendations to prevent future breaches?
   a. If so, please provide the results of any such analyses, including all issues identified and recommendations made, and identify who conducted them.
   b. Did Equifax address all of the issues identified by those analyses and implement all of the recommendations?
   c. What specific steps did Equifax take after these previous data breach incidents to improve data security?

19. According to a report on Motherboard.com on October 26, 2017, Equifax was warned by a security researcher in December 2016 that Equifax was vulnerable to attack.
   a. Did any issues or conditions identified by the third-party security researcher contribute to the breach of Equifax's Dispute Portal website?
   b. Did Equifax make any changes to the security of its servers and websites from December 1, 2016 to May 31, 2017 in response to the security warning? If so, please describe the changes made.

20. Please provide two organizational charts, one for the time period prior to the breach and one current, detailing the organizational structure of the technology organization from application owner to the Chief Executive Officer.

21. Please provide two organizational charts, one for the time period prior to the breach and one current, detailing the organizational structure of the security and compliance functions, including the Chief Information Security Officer, Chief Legal Officer, and the Chief Executive Officer.

22. Since the breach disclosure on September 7, 2017 and the personnel changes announced on September 15, 2017:
   a. Is the Information Team (application owners) still responsible for patching any vulnerability and in sole possession of the asset inventory?
   b. Does the Security Team now have access to the asset inventory? If so, please describe the conditions for their access.

23. Were any of the data elements, including name, social security number, address, date of birth, driver's license, credit card, or dispute information, [encrypted] at the time of the breach announced on September 7, 2017?
   a. Did Equifax [encrypt] such data when transmitted? If so, how? If not, why not?
   b. Did Equifax [encrypt] such data when processed? If so, how? If not, why not?

24. Since the breach disclosure on September 7, 2017, under what circumstances is personal information [encrypted] in Equifax's system?

25. Were any changes made to the company protocols on [encryption] for consumer and commercial data after the breach? If so, please explain these changes.

26. How many individuals have signed up for the TrustedID Premier product offered by Equifax after the breach, as of the date of your response to this letter? Is there a backlog of individuals who have indicated they would like to enroll in the product but have not yet completed the enrollment process?
   a. If there is a backlog, please explain how Equifax is addressing the backlog and how long it will be before all interested individuals are enrolled in the product.
   b. If there is no backlog, when were the reported issues with both the website and call centers resolved?

Federal Contracts

27. Equifax holds several federal contracts for data services at several key federal agencies.
   a. Was any data related to or maintained under these contracts compromised? If so, please specify which contracts were affected and which data was compromised.
   b. Did compromised data include records relating to IRS, CMS, or the Social Security Administration? If so, will federal agency consumers be notified? How will they be notified?

28. Please provide the Committee with any relevant information regarding Equifax's contract to provide consumer credit verification services to the IRS, including copies of all previous contracts, all current contracts, and all protests of an award of contracts to other companies submitted by Equifax.

29. Provide a description of all contracts awarded to Equifax by the Federal Government in effect today.

Retirement Announcements

30. Please describe Richard Smith's relationship with Equifax today.

31. In a September 15th press release, Equifax indicated that the company's Chief Information Officer, David Webb, and Chief Security Officer, Susan Mauldin, were retiring with immediate effect. Were these company executives in fact terminated as a result of the breach?
   a. If they were not terminated, please detail their current relationship with Equifax and provide their contact information.
   b. Will the company re-evaluate and consider a clawback of all cash and non-cash compensation for all employees for which retirement announcements were made post-breach?

32. Despite the press release stating that personnel changes involving Mr. Webb and Ms. Mauldin were with immediate effect, there were conflicting reports of their employment relationship with Equifax.
   a. Is Ms. Mauldin still employed by the company? Is she a consultant of the company?
   b. Is Ms. Mauldin collecting any payroll or any cash or non-cash compensation?
   c. Is Mr. Webb still employed by the company? Is he a consultant of the company?
   d. Is Mr. Webb collecting any payroll or any cash or non-cash compensation?

Equifax Stock Trades

33. Equifax's Chief Legal Officer, John Kelley, who is in the breach alert chain of command from the Chief Security Officer, was responsible for the approval of stock sale requests.
   a. Is this still the case?
   b. Does Equifax believe this protocol for the sale of company stock by senior executives during a data breach is appropriate?
   c. At any time since July 29, 2017, were any changes made to the company's protocols for the sale of company stock that is sold after the discovery of a security breach? If so, please detail these changes.

Credit Lock App

34. Considering the size of the breach and the potential identity theft and fraud consumers affected face, what is the status of the new Equifax credit lock product announced on October 3, 2017?
   a. Is the rollout of the new credit lock app still on track for the end of January 2018?
   b. Are there any factors that may delay the rollout of the app? If so, please detail those factors.
   c. Will you commit to inform the Subcommittee if there are any changes in the rollout date?

35. Please describe the service that will be offered by the credit lock application and detail the steps consumers will have to take to utilize such a service.
   a. Will use of the service require consumers to consent to Equifax sharing or selling the information it collects from the service to third parties?
   b. With what third parties will Equifax share or sell information collected about consumers from their use of this new credit lock tool?

36. When a credit lock is activated, what users or companies, including Equifax or its subsidiaries, can access a consumer's Equifax credit file?

37. Does freezing or locking a credit file hurt a consumer's credit score?

October 13th Incident

38. When did Equifax become aware that hackers had exploited a third-party vendor's code running on the Equifax website and that it was serving malicious content to visitors? How long was Equifax's website vulnerable and/or exploited?
   a. What specific website services or code did the third-party vendor provide in support of Equifax's website? Please identify the name of the third-party vendor and provide a current point of contact for the firm, including that person's contact information.

39. The Equifax website's use of a discontinued web analytic plug-in called Fireclick caused consumers to encounter the malicious software. Did the company's protocols on data security and breach response help identify the unauthorized intrusion? Please explain.

40. Is there any evidence that Equifax's computer systems were accessed, or any additional information about individuals compromised? Was the consumer online dispute portal accessed or compromised?

If you have questions, please contact Melissa Froelich or Paul Jackson of the Majority staff at (202) 225-2927, and Michelle Ash or Lisa Goldman of the Minority staff at (202) 225-3641.

Sincerely,

Greg Walden, Chairman
Frank Pallone, Jr., Ranking Member
Robert E. Latta, Chairman, Subcommittee on Digital Commerce and Consumer Protection
Jan D. Schakowsky, Ranking Member, Subcommittee on Digital Commerce and Consumer Protection