Former Equifax CEO Richard Smith testifying in October.
Former Equifax CEO Richard Smith testifying in October.

Two U.S. House committees appear to be diving deeper into their investigation of the Equifax breach that exposed the personal information of 145.5 million people earlier this year with a letter to the company requesting detailed information regarding the its cybersecurity personnel and communications with the government

The House Science, Space, and Technology and the House Oversight and Government Reform committee's chairmen sent Equifax a bipartisan letter on November 20 requesting a slew of additional information by December 6. The letter, signed by Oversight Chairman Trey Gowdy, R-SC., and Ranking Member Elijah Cummings, D-Md., along with Science Chairman Lamar Smith, R-Texas, and Ranking Member Eddie Bernice Johnson, D-Texas, requests specific information regarding Equifax's C-Suite, CIO, CSO and an accounting of how many people were impacted.

The information is needed to give both committee's a better understanding the technical and process failures that led to the data breach earlier this year, the letter states. The breadth and scope of the information required indicates the government is attempting to find out exactly who knew what and when in the period prior to the breach being made public and during Equifax's internal investigation that followed.

The committees are demanding:

  • All organizational charts and documents that will show the names and titles of any and all individuals in an executive leadership role at the company from March 1 through September  30, 2017. (Equifax was first notified by US CERT of the Apache Struts vulnerability that led to the breach.)
  • Documents identifying names, titles and organization home within Equifax on the distribution list for certain email chains, including one with the subject line Cyber Threats and those who received the US CERT and DHS alerts on Apache Struts.
  • The CIO was asked to hand over similar information on executives along with documents to identify anyone who were employed from March 7 to the present date; any communication between the CIO's department and DHS regarding the breach; documents to identify any prior breaches from January 2014 forward.
  • The CSO has to identify similar employees in that department along with any communications between former CSO Susan Mauldin and anyone in relation to Apache Struts 2 made between March 8 and September 30, 2017.
  • The committees also want to know which Equifax employees were part of the incident response team.
  • The representatives also asked for the name and title of the person who contacted the FBI on August 2 and names and titles of all those who interacted with the FBI.
  • The total number of people affected by the breach as of July 31 and then for the weeks of July 31 and August 7, 14 and 28.
  • The name and title of the person who failed to forward the March 9 distribution of the March 8 US CERT Apache Struts 2 alert email to the Online Dispute portal application owner.

Equifax's former CEO and Chairman Richard Smith sat before the House Energy and Commerce Committee Subcommittee on Digital Commerce and Consumer Protection on October 3 and was taken to task for his actions during the period when his company exposed the personal information of 145.5 million people.