Equifax's cybersecurity regime was grossly inadequate and the company misled the public about the removal of data from its systems during a hack last summer, according to a report by Sen. Elizabeth Warren.
The Massachusetts Democrat released the 15-page report on Wednesday as part of an effort to gain backing for legislation to rein in the credit bureaus. The report claims that hackers removed, rather than simply accessing, the Social Security numbers, addresses and birth dates of 145 million consumers.
"After months of investigation, our office finally learned that hackers exfiltrated — not just accessed — the data of millions of Americans," the report stated. "Rather than just having access to the data, this means the hackers removed the data from the Equifax system and potentially have access to it forever. Equifax failed to make this distinction in any of its public statements, effectively misleading the American people."
The report also alleges that passport numbers were taken in the data breach, though an Equifax spokeswoman, Meredith Griffanti, denied that had occurred. Equifax otherwise declined to comment on the report.
Equifax has been harshly criticized for waiting 40 days before notifying consumers and regulators about the data breach, which occurred last year on May 13, but was not reported until Sept. 7.
The Warren report also describes the hardball tactics that Equifax used in protesting an IRS contract awarded to a rival credit bureau, Experian, even after the data breach was disclosed. By filing a protest, Equifax set in motion a 100-day delay that forced the IRS, in the interim, to agree to a $7.2 million "bridge" contract with Equifax.
"Equifax used contracting loopholes to force the IRS into signing this 'bridge' contract, and the contract was finally canceled weeks later by the IRS after the agency learned of additional weaknesses in Equifax security that potentially endangered taxpayer data," the report found.
The report found that no personally identifiable information was taken from the IRS.
Warren also used the report to take a swipe at Mick Mulvaney, acting director of the Consumer Financial Protection Bureau, after Reuters reported Monday that the CFPB was backing off its investigation of Equifax. (The Federal Trade Commission is the lead investigator on the Equifax matter and the two regulators have a memorandum of understanding to work together, so it remains unclear how much CFPB was involved in the Equifax matter.)
“The American public deserves answers — and Mick Mulvaney needs to let the CFPB do its job and investigate Equifax’s massive data breach, not shut it down,” Warren said in a press release.
Warren has unveiled legislation with Sen. Mark Warner, D-Va., that would create mandatory penalties of $100 for each consumer whose personal information was compromised. The bill would affect future data breaches and would cap penalties at 50% of a company's gross revenue.
While the bill could garner bipartisan support, it doesn't appear to be on track to be coupled with a Senate regulatory relief package that Republicans and moderate Democrats hope to pass in the first half of the year. A separate bill introduced by Warren with Sen. Brian Schatz, D-Hawaii, would give control of credit information back to consumers.
Warren had previously raised concerns, along with Sen. Ben Sasse, R-Neb., about a $7.2 million IRS contract awarded to Equifax to verify taxpayers' identities. The IRS suspended the contract in October after criticisms of the data breach.