A strongly worded letter (PDF) from the Democrats of the House Committee on Energy and Commerce questions Equifax on pretty much every aspect of its disastrous breach, from how such an immense security lapse happened in the first place to the company's apparently non-functional notification site.
"Your company profits from collecting highly sensitive personal information from American consumers — it should take seriously its responsibility to keep data safe and to inform consumers when its protections fail," wrote the 24 Members of Congress in the letter.
Among the many questions asked by the group (paraphrased):
- What exactly was the vulnerability, specifically, and how has it been addressed?
- What security practices, including audits, intrusion monitoring and other controls, are in place?
- Has the company stepped up its security game after other breaches to its networks?
- Why did it take 4 months to detect and a month to announce this breach?
- What's with the executives selling stock just before the announcement?
- Is the forced arbitration practice really not in play?
Equifax is expected to respond by September 22, and a hearing is being planned for later in the month or in October.