WASHINGTON, D.C. – U.S. Sens. Sherrod Brown (D-OH) and Bill Cassidy (R-LA) – leaders of the Senate Subcommittee on Social Security – are demanding answers following reports that the Social Security Administration (SSA) contracted with Equifax for the online portal, known as my Social Security. Equifax’s own system was hacked in July, exposing 143 million Americans to identity theft.

According to public records, SSA contracted with Equifax to develop, maintain and support SSA’s E-Authentication program starting on February 25, 2015. According to a press release issued by Equifax on February 10, 2016, SSA had “completed integration” with Equifax.

Brown and Cassidy are asking SSA to provide, within five business days, a detailed accounting of all steps the Administration has taken to ensure Americans’ data is secure, and to outline whether additional resources are needed to effectively assess potential compromises to the SSA online system. The Senators are also seeking information on the nature of Equifax’s work for SSA, including whether the Apache web application implicated in the Equifax breach has been used at SSA. They also seek an outline of all contingency plans SSA has in place to protect Americans’ data if a breach were to occur. The Senators say SSA should conduct a full investigation into Equifax’s contract to determine whether SSA should take steps to nullify that contract, and should consider recommending Equifax for debarment from all federal contracts in order to protect Americans’ data and taxpayer dollars.

“Given Equifax’s recent security breach, this partnership raises serious questions as to whether the personal data SSA maintains on behalf of all Americans may be at risk of identity theft or other cybersecurity threats. In addition to an immediate threat assessment, we request information regarding the steps you will take to remedy any potential breach of SSA’s online systems and what resources are necessary for SSA to ensure that the data of every single American is safe,” the Senators wrote to SSA Acting Commissioner Nancy Berryhill.

In light of the Equifax breach and ongoing questions about the security of online data, the Senators are also asking SSA to reconsider its Vision 2020 program, which intends to force more Americans to interact with SSA online by downsizing staff and field offices.

Complete text of the Senators’ letter to SSA Acting Commissioner Nancy Berryhill is below. A PDF is available here.


Nancy Berryhill

Acting Commissioner

Office of the Commissioner

Social Security Administration

6401 Security Boulevard

Baltimore, Maryland 21235-6401


Dear Acting Commissioner Berryhill:

We are writing in regard to the partnership between the Social Security Administration (SSA) and Equifax, reported by various news outlets in recent days. Given Equifax’s recent security breach, this partnership raises serious questions as to whether the personal data SSA maintains on behalf of all Americans may be at risk of identity theft or other cybersecurity threats. In addition to an immediate threat assessment, we request information regarding the steps you will take to remedy any potential breach of SSA’s online systems and what resources are necessary for SSA to ensure that the data of every single American is safe.

According to public records, SSA contracted with Equifax to develop, maintain, and support SSA’s E-Authentication program starting on February 25, 2015. According to a February 10, 2016, Equifax press release, SSA had “completed integration” with Equifax.

On September 7, 2017, Equifax notified the public and Congress that it had been subject to an enormous security breach that compromised the personal data of 143 million Americans. While investigations are ongoing, it appears that Equifax failed to undertake routine security patches, allowing hackers to gain continuous access to extremely sensitive personal data for weeks.

As a result, nearly half of all Americans are exposed to potential credit and identity fraud due to Equifax’s failure to follow security protocols and its delayed and ineffective response to these breaches. While Equifax claims it has resolved this particular security flaw as of July 29, 2017, it has not explained how its network and information security policies allowed for this lapse in the first place.

On September 8, 2017, the following statement was posted to SSA.gov: “Although we sometimes use Equifax to help verify your identity when setting up a my Social Security account, Social Security never shares Social Security numbers with Equifax. For concerns regarding the Equifax data breach, please contact Equifax directly . . .”

We are concerned, however, that the statement may not comprehensively describe the relationship between Equifax and SSA. Instead, it appears Equifax built, maintained, and supported SSA platforms. If that is the case, SSA’s users could be vulnerable to the same breach that targeted Equifax, whether or not SSA proactively shared Social Security numbers with the company.

In light of these circumstances, we respectfully ask that you promptly provide us with detailed answers to the questions below.


Our questions are as follows:

  1. What assurances can SSA provide that the data SSA maintains on behalf of all Americans is safe following the Equifax breach?
    1. What threat assessments has SSA conducted to determine whether online data of all Americans is at risk due to its partnership with Equifax and what are the results of those assessments?
    2. Please describe all steps being taken and the timeline for those steps, including whether SSA conducted an internal investigation or hired outside consultants to determine potential compromises to the E-Authentication system.
    3. If no such steps have been taken, why not? When does SSA intend to take such steps?
    4. Does SSA have the necessary resources to effectively assess potential compromises to the E-Authentication system? If not, please describe what additional resources are needed.
  2. When did Equifax notify SSA of the breach to its own system? Who in your office was notified and what information was provided to your office? Did Equifax express any concerns about the security of SSA’s data given this breach?
  3. Has Equifax provided SSA any information about the components used in developing SSA’s E-Authentication? Specifically, was the Apache web application that was breached in the Equifax hack used in the SSA E-Authentication? If so, is it still being used and has it been consistently monitored and patched?
  4. Has SSA quantified how many customers could be potentially compromised if the E-Authentication system were to be breached? If not, why not? If so, what is that number?
  5. Has SSA partnered with Equifax beyond the E-Authentication system? If so, please provide complete details of each project undertaken with Equifax.
  6. Has SSA alerted the Treasury Department, the IRS, and the Office of Management and Budget about this potential breach, and has SSA offered to brief them on potential vulnerabilities, or provide assurances as to how SSA can confirm Americans’ data is safe? Please provide the dates and nature of these communications.
  7. If SSA determines that there are potential threats to all Americans’ personal data, should the online portal be taken offline to protect that data?
  8. If it were determined that taking the portal offline was needed to protect the security of all Americans’ data, how would such a shutdown impact SSA’s customers?
    1. What resources would SSA need to augment staffing and hours in field offices and phone centers to ensure continued quality of customer service?
  9. What contingency plans does SSA have in place to protect Americans if SSA data were breached?
  10. In light of these events – does SSA intend to reevaluate or withdraw the Vision 2020 program, which intends to force more Americans to interact with SSA online by downsizing staff and field offices?
  11. What resources will SSA require to meet any unforeseen needs associated with potential threats to the security of Americans’ online information? Can these needs be met with SSA’s currently anticipated funding levels for Fiscal Year 2018? If not, how soon can SSA present Congress and the White House with a revised appropriation request?


Finally, in addition to prompt and thorough responses to the preceding questions, we ask for your assurance that after a thorough investigation, SSA will take any and all appropriate actions that the fact pattern warrants, including taking steps to nullify its contract with Equifax and assessing whether a new contractor would be better equipped to address potential vulnerabilities, as well as considering the merits of a recommendation of debarment of Equifax to the GSA Interagency Suspension & Debarment Committee – preventing the company from soliciting offers for, obtaining additional, and renewing federal contracts. If any of these steps have already been taken, please provide additional details, including the dates of such steps.

Due to the time-sensitive nature of these issues, we ask that you transmit answers to us no later than five business days following the receipt of this letter. Thank you for your prompt attention to this matter.


Sincerely,


U.S. Senator Sherrod Brown (D-OH), Ranking Member of the Senate Subcommittee on Social Security

U.S. Senator Bill Cassidy (R-LA), Chairman of the Senate Subcommittee on Social Security