Skip to main content

Federal investigation into Equifax hack said to wither, even with more data exposed

New reports suggest scope of the Equifax breach was even greater than believed

cfpb investigation equifax hack headquarters
Smith Collection/Gado/Getty Images
Consumer credit reporting agency Equifax stunned the world late last year, admitting to major hacks in the spring and summer of 2017, exposing credit data on millions of consumers across multiple countries including the U.S., U.K., and Canada. Now, Reuters alleges that one major investigation into the hack is spinning its wheels.

Sources say the Consumer Financial Protection Bureau (CFPB), a federal agency that oversees consumer protection in the financial arena, has allowed its investigation to wither. The CFPB, then led by Richard Cordray, began its investigation in September 2017. Cordray resigned in November, however. Mick Mulvaney, appointed as Cordray’s replacement by President Donald Trump, may not be pursuing the investigation with vigor.

Specifically, Mulvaney hasn’t ordered subpoenas or sought testimony from company executives. Sources also claim the CFPB decided not to pursue a plan to test Equifax’s data protection. Finally, the agency is said to be uncooperative with regulators from the Federal Reserve, among others.

This is particularly concerning, given a new report from CNN Money that suggests that the severity of the breach — in terms of data compromised — may be even worse than initially believed. Customer information like tax IDs and driver’s license details may have also been accessed in the hack, as per documents Equifax handed over to the Senate banking Committee. Initially, Equifax noted that some driver’s license numbers were exposed, but new evidence suggests that both license state and issue date may also be at risk.

On Friday, Senator Elizabeth Warren penned a letter to CEO Paulino do Rego Barros Jr. regarding the spotty information Equifax has provided to Congress thus far. “As your company continues to issue incomplete, confusing and contradictory statements and hide information from Congress and the public, it is clear that five months after the breach was publicly announced, Equifax has yet to answer this simple question in full: what was the precise extent of the breach?” Warren wrote.

Equifax has responded that the information is not be considered “exhaustive,” but is simply a list of “common personal information” often desired by hackers.

As it stands, The CFPB isn’t the only organization investigating the Equifax hack. The Federal Trade Commission has its own investigation and has issued subpoenas. Every state attorney has its own open investigation, and hundreds of class-action lawsuits have been filed.

Even so, a pullback in the CFPB investigation would be significant. Its stated purpose most directly intersects with Equifax’s services, and the agency is known to slap credit agencies with significant fines. It levied $17.6 million in fines against TransUnion and Equifax in January 2017 over deceptive pricing of credit reports. While the FTC has also hit companies with major fines, it doesn’t have an extensive history of pursuing credit agencies for fines of that magnitude.

That could change. A bill called the Data Breach Prevention and Compensation Act was introduced in January, and part of it would grant the FTC more oversight over credit agencies. It’s estimated that the bill, if made law, would let the FTC hit Equifax with a $1.5 billion fine. Congress has yet to vote on the bill.

The CFPB hasn’t commented on the story by Reuters. Transunion, however, told Reuters in a statement that, “We believe that it is clear that the CFPB was not given legal authority to supervise any financial institutions with respect to cybersecurity.” Equifax also has not provided a statement on the matter.

This development is just the latest twist in the saga of the Equifax and, if correct, suggests the federal government’s response will be meager, even with the additional evidence of compromised data. Still, as noted, there are hundreds of lawsuits pending, from states and class-action suits. It will no doubt be years before the legal fallout settles.

Update: The Equifax breach may have exposed even more information than initially believed. 

Editors' Recommendations

Matthew S. Smith
Matthew S. Smith is the former Lead Editor, Reviews at Digital Trends. He previously guided the Products Team, which dives…
Experts found a record number of zero-day hacks in 2021
A digital depiction of a laptop being hacked by a hacker.

Google has published the 2021 review of Project Zero, revealing a record amount of zero-days exploits (labeled as “one of the most advanced attack methods”) exhibited by some of the world’s largest technology companies.

Project Zero is an initiative started by Google in 2014 aimed at detailing security defects known as zero-day exploits. These vulnerabilities are dangerous as they essentially remain undetected unless a mitigation system has been implemented, thus leaving systems, databases, and the like completely exposed to hackers.

Read more
T-Mobile confirms hack, investigates whether customer data was stolen
A T-Mobile store.

T-Mobile has confirmed that its computer systems were accessed without permission and says it's now conducting an investigation to determine the full extent of the hack.

The announcement follows claims on Sunday, August 15, that a hacker was in possession of data belonging to 100 million T-Mobile customers and was trying to sell it via an underground forum.

Read more
T-Mobile investigating claims of massive hack involving customer data
T-Mobile storefront with corporate signage.

T-Mobile says it’s investigating claims of a major data breach that may affect as many as 100 million of its customers.

A message spotted on an underground forum on Sunday, August 15, came from someone claiming to be in possession of personal data belonging to 100 million people. The message made no mention of T-Mobile, but when the poster was contacted by news site Motherboard, it became apparent that the mobile company's customers were at the center of the alleged hack. The figure of 100 million would be remarkable as it's almost equal to T-Mobile's entire customer base.

Read more