GAO Reviews Agency Actions in the Wake of Equifax Data Breach

It’s easy to forget that roughly a year ago, Equifax was hacked, which compromised the personal information of roughly 145.5 million individuals. The scope of the breach was concerning for a number of reasons, not the least of which was the fact that Equifax was providing identity verification services for three federal agencies at the time it was attacked.

In a recent report, GAO reviewed how these agencies responded to the attack. While not making any specific recommendations at this time, GAO’s report does highlight the extent to which federal agencies were not fully prepared for cyberattacks on private contractors.

Prior to the Equifax breach, the IRS, the Social Security Administration, and USPS contracted with Equifax to provide identity verification services. These agencies relied on Equifax’s databases to verify the identities of individuals applying for various services. For example, the IRS used Equifax servers to verify identities for tax return purposes.

Following the Equifax cyberattack, agencies took a variety of steps to assess the situation and make proactive changes to their contracts with Equifax. Foremost was notifying impacted individuals. While there was no breach of agency systems in connection with the Equifax attack, there was nevertheless concern that impacted individuals may have had an increased risk for identity theft. Accordingly, one of the first actions taken by the impacted agencies was to notify impacted individuals.

Additionally, the impacted agencies took a number of contractual actions to improve the response in the event of future breaches. For example, the Social Security Administration made modifications to its current contracts with Equifax to “require prompt notification of any future breach[.]” This was a significant concern, as Equifax did not immediately notify agencies following the initial breach. Similarly, the IRS also updated its contracts to require Equifax “notify IRS within one hour after a breach is discovered, rather than within the previous time frame of 24 hours.”

The IRS and USPS also made contract modifications and policy changes to improve cybersecurity provisions. As the GAO explained in its report, the “IRS updated its internal cybersecurity contractor requirements and controls related to incident handling.” Additionally, the USPS “initiated discussions with the National Institute of Standards and Technology to determine risks associated with the knowledge-based verification questions it had been using with Equifax’s identity-proofing service.” The USPS subsequently revised the questions it used for identity verification.

Finally, prior to the breach, Equifax was serving as an incumbent contractor for the IRS providing tax payer identity verification services. These services were subsequently competitively re-procured through Experian. Equifax protested the Experian award before GAO, which caused the IRS to issue a sole-source bridge contract for identity verification services while the protest was pending. This contract extension was issued despite Equifax acknowledging its data breach a few weeks earlier. The IRS, however, subsequently issued a stop work order for the work. After Equifax’s GAO protest was denied, the IRS transitioned the new work to its contract with Experian.

While not making any recommendations, the GAO report did acknowledge a number of potential issues with the response. Among these was the fact each of the affected agencies initiated its own internal investigation “because they said it was unclear whether any single federal agency had responsibility for coordinating government actions in response to a breach of this type in the private sector.” This is a significant issue, particularly given the increasing frequency of cyber-attacks on private companies.

In all, the Equifax breach highlights the difficulties agencies face when private contractors encounter data security issues. As noted by GAO, the impacted agencies did not have a standard set of procedures for addressing large cyberattacks on private contractors. As cyber-security has only become a more pressing issue following the Equifax attack, developing a robust set of procedures for addressing cyber breaches is likely to become increasingly important in federal government contracting.