Equifax breach still poses fraud risk at four government agencies: GAO
WASHINGTON — Recent data breaches like that at Equifax have heightened online fraud risk for four government agencies, according to lawmakers and the Government Accountability Office.
A GAO report faults the Department of Veterans Affairs, Centers for Medicare and Medicaid Services, Social Security Administration, and U.S. Postal Service for relying on “knowledge-based verification” to grant access to online portals that people use to track benefits or for other purposes.
Such identity-verification methods rely on personal data about a user that is typically found in a credit file held by a consumer reporting agency. The GAO warned that a hacker could gain access to such data through a cyber intrusion like the 2017 Equifax breach, which compromised the information of millions of individuals.
“It is troubling that almost two years after the massive 2017 Equifax data breach federal government agencies continue to use outdated identity-proofing methods that put citizens at increased risk of identity theft,” said Sen. Elizabeth Warren, D-Mass., Sen. Ron Wyden, D-Ore., and Rep. Elijah Cummings, D-Md., in a letter Thursday to the four agencies. The three lawmakers, who had requested the GAO audit, released the report on Friday.
Until the agencies eliminate knowledge-based verification, the individuals they serve will remain at increased risk for identity fraud, the report said.
"Although commonly used by federal agencies for remote identity proofing, knowledge-based verification techniques pose security risks because an attacker could obtain and use an individual’s personal information to answer knowledge-based verification questions and successfully impersonate that individual," the report said.
The GAO noted that the Internal Revenue Service and the General Services Administration have improved their practices and no longer use the method.
According to the lawmakers' letter, the VA, USPS and Social Security Administration have said they plan to eliminate knowledge-based verification. The Department of Health and Human Services said it felt there were not suitable existing alternatives for certain populations served by the Centers for Medicare and Medicaid Services.
The lawmakers are asking the agencies what steps they have taken to protect consumer privacy following the Equifax data breach, and what policies are in place to ensure third-party contractors have appropriate data security practices.