Consumer credit reporting agency Equifax stunned the world late last year, admitting to major hacks in the spring and summer of 2017, exposing credit data on millions of consumers across multiple countries including the U.S., U.K., and Canada. Now, Reuters alleges that one major investigation into the hack is spinning its wheels.
Sources say the Consumer Financial Protection Bureau (CFPB), a federal agency that oversees consumer protection in the financial arena, has allowed its investigation to wither. The CFPB, then led by Richard Cordray, began its investigation in September 2017. Cordray resigned in November, however. Mick Mulvaney, appointed as Cordray’s replacement by President Donald Trump, may not be pursuing the investigation with vigor.
Specifically, Mulvaney hasn’t ordered subpoenas or sought testimony from company executives. Sources also claim the CFPB decided not to pursue a plan to test Equifax’s data protection. Finally, the agency is said to be uncooperative with regulators from the Federal Reserve, among others.
This is particularly concerning, given a new report from CNN Money that suggests that the severity of the breach — in terms of data compromised — may be even worse than initially believed. Customer information like tax IDs and driver’s license details may have also been accessed in the hack, as per documents Equifax handed over to the Senate banking Committee. Initially, Equifax noted that some driver’s license numbers were exposed, but new evidence suggests that both license state and issue date may also be at risk.
On Friday, Senator Elizabeth Warren penned a letter to CEO Paulino do Rego Barros Jr. regarding the spotty information Equifax has provided to Congress thus far. “As your company continues to issue incomplete, confusing and contradictory statements and hide information from Congress and the public, it is clear that five months after the breach was publicly announced, Equifax has yet to answer this simple question in full: what was the precise extent of the breach?” Warren wrote.
Equifax has responded that the information is not be considered “exhaustive,” but is simply a list of “common personal information” often desired by hackers.
As it stands, The CFPB isn’t the only organization investigating the Equifax hack. The Federal Trade Commission has its own investigation and has issued subpoenas. Every state attorney has its own open investigation, and hundreds of class-action lawsuits have been filed.
Even so, a pullback in the CFPB investigation would be significant. Its stated purpose most directly intersects with Equifax’s services, and the agency is known to slap credit agencies with significant fines. It levied $17.6 million in fines against TransUnion and Equifax in January 2017 over deceptive pricing of credit reports. While the FTC has also hit companies with major fines, it doesn’t have an extensive history of pursuing credit agencies for fines of that magnitude.
That could change. A bill called the Data Breach Prevention and Compensation Act was introduced in January, and part of it would grant the FTC more oversight over credit agencies. It’s estimated that the bill, if made law, would let the FTC hit Equifax with a $1.5 billion fine. Congress has yet to vote on the bill.
The CFPB hasn’t commented on the story by Reuters. Transunion, however, told Reuters in a statement that, “We believe that it is clear that the CFPB was not given legal authority to supervise any financial institutions with respect to cybersecurity.” Equifax also has not provided a statement on the matter.
This development is just the latest twist in the saga of the Equifax and, if correct, suggests the federal government’s response will be meager, even with the additional evidence of compromised data. Still, as noted, there are hundreds of lawsuits pending, from states and class-action suits. It will no doubt be years before the legal fallout settles.
Update: The Equifax breach may have exposed even more information than initially believed.