A new GAO report details how Equifax submitted to audits from agencies with which the company had contracts, but declined an offer of help from the Department of Homeland Security in the wake of the company’s 2017 data breach that exposed sensitive personal information of 143 million Americans.
The report notes that the Internal Revenue Service (IRS), the Social Security Administration (SSA), and the United States Postal Service (USPS) were major customers of Equifax during the breach, prompting each agency to review the impact of the breach on their own services. After those reviews, none of the agencies found any breach of their systems and information. The agencies also conducted reviews of Equifax’s security controls on-site at the company’s data center.
“The officials of all three agencies said that their reviews did not uncover any major new problems, but did identify a number of lower-level technical concerns that they required Equifax to address,” GAO states.
While DHS offered its help to Equifax after the breach, the company turned the agency down, GAO said. “Equifax notified DHS officials that the company had already retained professional services from a private cybersecurity consultant and, thus, declined assistance from DHS,” the report says.
GAO noted that DHS, IRS, SSA, and USPS “expressed concern about how the breached data could be used to compromise sensitive information or fraudulently procure government services, even from agencies that are not direct customers of Equifax.” However, GAO found that all of these efforts occurred independently of each other “because they said it was unclear whether any single federal agency had responsibility for coordinating government actions in response to a breach of this type in the private sector.”
In the aftermath of the breach, agencies took measures to update their own cybersecurity procedures and processes. The IRS and SSA modified their contracts to require prompt breach notifications, and the IRS also suspended a short-term contract with Equifax. To support citizens, the IRS and SSA obtained the list of affected individuals, monitored for identity fraud, and posted blogs offering advice to consumers looking to protect their data.