GAO releases report on 2017 breach, agency response
- By FederalSoup Staff
- Sep 11, 2018
The Government Accountability Office has released a new report on the massive 2017 data breach at the credit agency Equifax, along with an overview of federal agency responses to the event.
The 40-page report, publicly released on Saturday, Sept. 7, covers a breadth of assessments and contract adjustments made by three major agencies affected by the breach—the Social Security Administration, the Postal Service, and the Internal Revenue Service. For example, in the case of the IRS, at least one government contract with the credit giant was cancelled.
The report summarized how hackers were able to find security weaknesses in Equifax’s dispute resolution system and exploit those weaknesses to gain access to personally identifiable information. Upon discovery of the breach, SSA, USPS and IRS—“large agencies that were major customers of Equifax at the time of the breach,” according to the report—took multiple, independent actions to investigate and mitigate the effects of the breach. These actions included identifying “affected individuals,” performing independent assessments of Equifax’s vulnerabilities and security controls, altering identity-proofing procedures, and communicating with the public and other affected parties.
The report notes that, to date, GAO makes no recommendations for action regarding the breach, and that key investigations by the Bureau of Consumer Financial Protection and the Federal Trade Commission remain ongoing. The GAO’s goal in the present report was to summarize the event and describe some early federal responses to it.