Rep. Maloney Requests Information from TransUnion and Experian in Light of Equifax Data Breach

Sep 13, 2017
Press Release

WASHINGTON, DC—Congresswoman Carolyn B. Maloney (NY-12), Ranking Member of the House Financial Services Subcommittee on Capital Markets, Securities, and Investment, today requested information from the CEOs of TransUnion and Experian as to how each company is addressing its information security program in light of the Equifax data breach.

According to numerous reports, the hackers in the Equifax case likely exploited security flaws in open-source software — Apache Struts — that was used by Equifax. This software is widely used by large companies, and TransUnion has publicly acknowledged that it also uses Struts.

The Congresswoman asked the CEOs, James M. Peck and Brian Cassin, of TransUnion and Experian, respectively, to answer the following four questions:

  1. What steps, if any, has your company taken in response to the Equifax data breach? Has your company undertaken a review of your information security program to identify potential weaknesses in light of the Equifax data breach?

  2. Does your company use the Apache Struts software for any of its databases? If so, do these databases contain sensitive or personally identifiable information about consumers?

  3. Has your company applied all of the necessary security patches that Apache has released for the Struts software?

  4. Are you aware of any evidence that hackers have compromised your company’s information security and stolen sensitive or personally identifiable information about consumers?

The full text of the letter is below.

Dear Mr. Peck and Mr. Cassin:

I am writing with regard to the recent data breach at Equifax, which is one of the largest, most devastating data breaches in history. The Equifax breach has affected roughly 143 million American consumers, and because of the nature of the information that was stolen — largely Social Security numbers and birth dates, which are both critical and unchangeable for consumers — criminals could be using this information to steal consumers’ identity for years to come.

According to press reports, hackers in the Equifax case exploited a flaw in the open-source server software Struts, created by the Apache Foundation, to gain access to the consumers’ confidential information.[1] The Struts software is widely used by large companies — by one estimate, 65% of Fortune 100 companies use Struts[2] — and TransUnion has publicly acknowledged that it also uses Struts.[3] Despite the fact that Apache released patches for security flaws in the Struts software in March,[4] Equifax reportedly had not applied these patches.[5]

Accordingly, I respectfully request answers from each of you to the following questions:

  1. What steps, if any, has your company taken in response to the Equifax data breach? Has your company undertaken a review of your information security program to identify potential weaknesses in light of the Equifax data breach?

  2. Does your company use the Apache Struts software for any of its databases? If so, do these databases contain sensitive or personally identifiable information about consumers?

  3. Has your company applied all of the necessary security patches that Apache has released for the Struts software?

  4. Are you aware of any evidence that hackers have compromised your company’s information security and stolen sensitive or personally identifiable information about consumers?

If you have any questions about this request, please contact my office at (202) 225-7944.

###
[1] See, Kevin Dugan, “Equifax Blames Giant Breach on Vendor Software Flaw,” New York Post (September 8, 2017); see also Teri Robinson, “Apache Struts Vulnerability Likely Behind Equifax Breach, Congress Launches Probes,” SC Media (September 12, 2017).

[2] Id.

[3] Laura Alix, “Panic Over Equifax Breach Bleeds to TransUnion,” American Banker (September 12, 2017).

[4] Dan Goodin, “Critical Vulnerability Under ‘Massive’ Attack Imperils High-Impact Sites,” Ars Technica (March 9, 2017).

[5] Dustin Volz and David Shepardson, “Criticism of Equifax Data Breach Response Mounts, Shares Tumble,” Reuters (September 8, 2017).